THREAT ALERT

MOVEit Critical Transfer Vulnerability

Friday, July 7th, 2023

Earlier in June DefenseStorm became aware of a vulnerability disclosure involving MOVEit and posted an article. The casualty list for this vulnerability is growing by the day, largely due to exploitation of unpatched instances by the Clop ransomware gang.

This is an update and reminder to stay current on patching and to apply the patches for the MOVEit vulnerabilities as soon as possible.

July 9, 2023

Information relating to MOVEit and its disclosed vulnerabilities can be found on the Progress Security Page; refer to it to ensure you have all of the latest updates and details on patching and mitigation steps.

DefenseStorm Response

DefenseStorm has identified and uploaded numerous IOCs related to this vulnerability into its ThreatMatch Feed and has continued to do so since the original post. We are still investigating additional IOCs/IOAs related to this incident and will upload any that are discovered.

Please bookmark the Progress Security Page and check it regularly to stay updated with available patches and mitigation steps.  

June 5, 2023

Is DefenseStorm Impacted?

DefenseStorm itself is not impacted by this vulnerability. We are currently investigating any IOCs or IOAs related to this incident and will upload any that are discovered.

Our recommendation is to patch and follow the guidance provided by hxxps://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023.

In addition, when searching for files or other IOC/IOAs, it is strongly encouraged to search for those indicators on potentially impacted servers themselves and not just through GRID Active logging.

June 2,  2023

DefenseStorm is aware of a recent vulnerability disclosure involving MOVEit. Please see the below information obtained from: hxxps://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023.

Issue

SQL Injection (CVE Pending – Submitted to MITRE)
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
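The class of flaw described above, shown as an added example that is not MOVEit code and is not part of the Progress advisory: a user lookup that builds its SQL by concatenating input, beside the parameterized form that hands the same input to the driver strictly as data. The in-memory SQLite table, its rows, the hostile input and the function names are all constructed for this demo; parameter binding works the same way with the MySQL, SQL Server and Azure SQL drivers the advisory names.

```python
"""SQL lookup with and without parameter binding (added example, not MOVEit code).
The in-memory SQLite users table, its rows and the function names are constructed
for this demo; the binding pattern is the same on MySQL, SQL Server and Azure SQL.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a throwaway database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Concatenates the input into the statement, so a quote in the input is parsed as SQL.
    This is the coding pattern behind an unauthenticated injection of the kind the advisory describes."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Binds the input as a parameter; the driver sends it as data, never as statement text."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def demo() -> dict:
    """Run both lookups against the textbook tautology input and report how many rows each returns."""
    conn = make_db()
    hostile = "nobody' OR '1'='1"          # no such user; the quote closes the literal in the vulnerable query
    return {
        "vulnerable_rows": len(lookup_user_vulnerable(conn, hostile)),  # every row: the WHERE clause was rewritten
        "safe_rows": len(lookup_user_safe(conn, hostile)),              # zero rows: compared as a literal username
    }


if __name__ == "__main__":
    print(demo())
```

The point for defenders is in the two row counts: the concatenated query changes shape because the input became part of the statement, while the bound query keeps its shape whatever the input contains. Patching removes the flaw in the product; in code you own, binding every value is what prevents the class.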

Affects

All MOVEit Transfer versions are affected by this vulnerability. See the table below for the security patch for each supported version.

Recommended Remediation

To help prevent the successful exploitation of the mentioned SQLi vulnerability to your MOVEit Transfer environment, we strongly recommend that you immediately apply the following mitigation measures per the steps below.

  1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment

More specifically, modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.

It is important to note that until HTTP and HTTPS traffic is enabled again:

  • Users will not be able to log on to the MOVEit Transfer web UI
  • MOVEit Automation tasks that use the native MOVEit Transfer host will not work
  • REST, Java and .NET APIs will not work
  • MOVEit Transfer add-in for Outlook will not work

Please note: SFTP and FTP/S protocols will continue to work as normal.

Administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing hxxps://localhost/.  For more information on localhost connections, please refer to MOVEit Transfer Help.

  2. Review, Delete and Reset
  A. Delete Unauthorized Files and User Accounts
    • Delete any instances of the human2.aspx and .cmdline script files.
    • On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
    • On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline.
    • Remove any unauthorized user accounts. See the Progress MOVEit Users Documentation article.
    • Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. For more information on reviewing logs, please refer to the MOVEit Transfer Logs guide.
  B. Reset Credentials
    • Reset service account credentials for affected systems and the MOVEit Service Account.
  3. Apply the Patch

Patches for all supported MOVEit Transfer versions are available below. Supported versions are listed at the following link: hxxps://community.progress.com/s/products/moveit/product-lifecycle. Please note, the license file can remain the same to apply the patch.

  Affected Version          Fixed Version             Documentation
  MOVEit Transfer 2023.0.0  MOVEit Transfer 2023.0.1  MOVEit 2023 Upgrade Documentation
  MOVEit Transfer 2022.1.x  MOVEit Transfer 2022.1.5  MOVEit 2022 Upgrade Documentation
  MOVEit Transfer 2022.0.x  MOVEit Transfer 2022.0.4  MOVEit 2022 Upgrade Documentation
  MOVEit Transfer 2021.1.x  MOVEit Transfer 2021.1.4  MOVEit 2021 Upgrade Documentation
  MOVEit Transfer 2021.0.x  MOVEit Transfer 2021.0.6  MOVEit 2021 Upgrade Documentation

  4. Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment
  5. Verification
  • To confirm the files have been successfully deleted and no unauthorized accounts remain, follow step 2A again. If you do find indicators of compromise, you should reset the service account credentials again.
  6. Continuous Monitoring
  • Monitor network, endpoints, and logs for IoCs (Indicators of Compromise) as listed in the IoC table in the Progress advisory.
  7. Bookmark
  • Bookmark the Progress Security Page and refer to it to ensure you have all of the latest updates.
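The Review, Delete and Reset step and the Continuous Monitoring step above, as an added example that is not Progress or DefenseStorm tooling: a sweep for the file indicators the advisory names (human2.aspx, .cmdline scripts under the TEMP tree, new files in wwwroot since a known-good baseline) and a pass over download records that flags client IPs outside a trusted network and clients pulling an unusual number of files. The install tree is built in a temporary folder standing in for C:\, and the log line format, trusted network, threshold, baseline time and sample records are all constructed for the demo; real MOVEit logs are documented in the MOVEit Transfer Logs guide and do not use this format.

```python
"""Triage helpers for the advisory's Review and Continuous Monitoring steps.
Added example, not Progress or DefenseStorm tooling. Directory layout, log
format, trusted network, threshold and all sample data are constructed here;
real MOVEit logs follow the MOVEit Transfer Logs guide, not this format.
"""
from __future__ import annotations

import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from pathlib import Path

# Assumed known-good time (2023-06-01 00:00 UTC); on a real server use the last verified-clean state.
BASELINE = 1685577600.0


@dataclass(frozen=True)
class Finding:
    kind: str   # "webshell-name" | "cmdline-script" | "new-wwwroot-file"
    path: str


def sweep_indicator_files(root: Path, baseline_mtime: float) -> list[Finding]:
    """Walk the tree under `root` (stands in for C:\\); one finding per file, most specific rule first."""
    wwwroot = root / "MOVEitTransfer" / "wwwroot"
    temp_dir = root / "Windows" / "TEMP"
    findings: list[Finding] = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() == "human2.aspx":                                   # web-shell name from the advisory
            findings.append(Finding("webshell-name", str(path)))
        elif path.suffix.lower() == ".cmdline" and temp_dir in path.parents:     # TEMP\[random]\*.cmdline
            findings.append(Finding("cmdline-script", str(path)))
        elif wwwroot in path.parents and path.stat().st_mtime > baseline_mtime:  # new file in wwwroot
            findings.append(Finding("new-wwwroot-file", str(path)))
    return findings


# Constructed log format: "<timestamp> <client-ip> <user> <action> <path>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<action>\S+) (?P<file>\S+)$")

# Constructed sample: one trusted client, one unknown client pulling a batch of files.
SAMPLE_LOG = """\
2023-06-01T02:10:03Z 10.20.30.40 jsmith DOWNLOAD /Home/quarterly.xlsx
2023-06-01T02:11:17Z 10.20.30.40 jsmith UPLOAD /Home/notes.txt
2023-06-01T03:00:01Z 198.51.100.23 svc_transfer DOWNLOAD /Payroll/batch01.csv
2023-06-01T03:00:02Z 198.51.100.23 svc_transfer DOWNLOAD /Payroll/batch02.csv
2023-06-01T03:00:03Z 198.51.100.23 svc_transfer DOWNLOAD /Payroll/batch03.csv
2023-06-01T03:00:04Z 198.51.100.23 svc_transfer DOWNLOAD /Payroll/batch04.csv
""".splitlines()


def review_download_log(lines, trusted_networks, max_downloads):
    """Return (download events from untrusted IPs, {ip: count} for clients above max_downloads)."""
    nets = [ip_network(n) for n in trusted_networks]
    unknown, counts = [], Counter()
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["action"] != "DOWNLOAD":
            continue                                        # skip malformed and non-download lines
        counts[m["ip"]] += 1
        if not any(ip_address(m["ip"]) in net for net in nets):
            unknown.append((m["ts"], m["ip"], m["user"], m["file"]))
    bulk = {ip: n for ip, n in counts.items() if n > max_downloads}
    return unknown, bulk


def build_demo_tree(root: Path) -> None:
    """Create a toy install tree: one old benign page plus three indicator files."""
    wwwroot = root / "MOVEitTransfer" / "wwwroot"
    dropped = root / "Windows" / "TEMP" / "a8f3c1"          # the "[random]" folder from the advisory
    wwwroot.mkdir(parents=True)
    dropped.mkdir(parents=True)
    old, new = BASELINE - 86400, BASELINE + 3600
    for file, when in [(wwwroot / "default.aspx", old),     # legitimate, predates the baseline
                       (wwwroot / "human2.aspx", new),
                       (wwwroot / "extra.aspx", new),       # unexpected new file in wwwroot
                       (dropped / "job.cmdline", new)]:
        file.write_text("constructed placeholder content")
        os.utime(file, (when, when))                        # pin mtimes so the sweep is deterministic


def run_demo() -> dict:
    """Build the toy tree in a temp dir, run both checks and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(Path(tmp))
        kinds = sorted(f.kind for f in sweep_indicator_files(Path(tmp), BASELINE))
    unknown, bulk = review_download_log(SAMPLE_LOG, ["10.0.0.0/8"], max_downloads=3)
    return {"file_kinds": kinds, "unknown_ip_events": len(unknown), "bulk_downloaders": bulk}
```

Calling `run_demo()` reports one hit of each file kind and four download events from the untrusted 198.51.100.23 address, which also trips the bulk-download threshold. On a real server the same sweep runs against the actual drive root with a baseline taken from the last verified-clean backup, and, as the DefenseStorm note above stresses, against the server's own filesystem rather than only against forwarded logs.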

Additional Security Best Practices

If you are unable to follow the recommended mitigation steps above, we strongly suggest taking the below security steps to help reduce the risk of unauthorized access to your MOVEit Transfer environment. It's important to note that these are not considered mitigation steps for the mentioned vulnerability.

Please see here for MOVEit Security Best Practices.

  • Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
  • Review and remove any unauthorized user accounts. See Progress MOVEit Users Documentation article.
  • Update remote access policies to only allow inbound connections from known and trusted IP addresses. For more information on restricting remote access, please refer to SysAdmin Remote Access Rules and Security Policies Remote Access guide.
  • Allow inbound access only from trusted entities (e.g., using certificate-based access control).
  • Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user’s account password is lost, stolen, or compromised. To enable MFA, please refer to the MOVEit Transfer Multi-factor Authentication Documentation.

DefenseStorm Response

DefenseStorm has already identified and uploaded numerous IOCs related to this vulnerability into its ThreatMatch Feed. We are currently investigating additional IOCs/IOAs that are related to this incident and will upload any discovered accordingly. 

Additional sources:

  1. hxxps://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability
  2. hxxps://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023.
James Bruhl

Director of Cyber Threat Intelligence

James Bruhl is the Director of Cyber Threat Intelligence for DefenseStorm. He joined the company with 15 years of experience as a law enforcement officer, bringing extensive experience in crime prevention, evidence collection, investigative techniques, and crisis management. Driven by a passion for technological advancements and the ever-evolving landscape of digital threats, he transitioned to the field of digital forensics, incident response, and cybersecurity. In his role, he honed his skills in analyzing digital evidence, identifying cyber threats, and implementing robust security measures specializing in forensic examinations on various devices to uncover critical information and support investigations. James began at DefenseStorm as a security engineer in 2020 and developed DefenseStorm’s EDR Service. He was then appointed as Director of Cyber Threat Intelligence in 2022 and is responsible for nearly all facets of the EDR service. During his cyber career, James has been instrumental in proactively detecting and responding to cyber incidents and plays a vital role in incident response teams, coordination efforts to mitigate the impact of breaches, vulnerability identification, and strategy implementation to prevent future attacks. He continues to share his expertise by conducting training sessions, participating in conferences, and writing articles on topics related to digital forensics, incident response, and cybersecurity. James holds a bachelor’s in criminal justice from the University of North Georgia and a GCFE certification.