Massive Data Theft Attacks Utilize Newly Discovered Zero-Day Exploit in MOVEit Transfer

Massive Data Theft Attacks

Cybercriminals are currently exploiting a newly discovered security flaw, tracked as CVE-2023-34362, in the MOVEit Transfer software. The vulnerability allows them to steal sensitive data from targeted organizations. MOVEit Transfer, created by Ipswitch and owned by Progress Software Corporation, is a managed file transfer (MFT) solution used for secure file transfers within enterprises. It supports protocols such as SFTP, SCP, and HTTP-based uploads, and is available both as an on-premises product and as a cloud-based SaaS platform.

Exploitation of Zero-Day Vulnerability Enables Large-Scale Data Theft

According to BleepingComputer, a zero-day vulnerability in MOVEit MFT software has been exploited by threat actors to conduct large-scale data theft from various organizations. The exact timing of the attacks and the identities of the threat actors remain unknown. Progress, the developer of MOVEit MFT, has issued a security advisory classifying the vulnerability as “Critical” and providing temporary mitigations until patches can be applied.

The security advisory highlights the potential for unauthorized access and privilege escalation in the MOVEit Transfer environment. Progress advises customers to take immediate action to safeguard their MOVEit Transfer deployment. One recommended measure is blocking external traffic to ports 80 and 443 on the MOVEit Transfer server. Doing so restricts web UI access, interferes with some MOVEit Automation tasks, blocks the APIs, and disables the Outlook MOVEit Transfer plugin; file transfers over SFTP and FTPS, however, continue to work.

Administrators are also instructed to examine the ‘c:\MOVEit Transfer\wwwroot\’ folder for unexpected files, particularly backups or large file downloads. BleepingComputer suggests that such downloads or backups could indicate ongoing data theft by the threat actors.

No specific details about the zero-day vulnerability have been disclosed. However, given the blocked ports and the recommended folder inspection, it is likely that the vulnerability is related to web-facing aspects of the software.

Until an official patch is released for the affected versions, organizations are strongly advised to temporarily shut down their MOVEit Transfer servers. A thorough investigation for signs of compromise should be conducted before applying the patch and bringing the server back online.

Specifics of the attack

According to cybersecurity firm Rapid7, the flaw in MOVEit Transfer is a SQL injection vulnerability that enables remote code execution. At the time of Rapid7’s report, the vulnerability had not yet been assigned a CVE identifier (it is now tracked as CVE-2023-34362). Rapid7’s research indicates that approximately 2,500 internet-exposed MOVEit Transfer servers are at risk, with the majority located in the United States. All exploited devices were found to contain a webshell named ‘human2.asp’ in the c:\MOVEit Transfer\wwwroot\ public HTML folder.

Rapid7 explains that the webshell code checks whether an inbound request carries a specific password-like value in the X-siLock-Comment header. If the header is not populated correctly, a 404 “Not Found” error is returned. When the correct password is provided, the webshell executes various commands selected by the values of request headers such as ‘X-siLock-Step1’, ‘X-siLock-Step2’, and ‘X-siLock-Step3’. These commands allow the threat actors to extract information from the MOVEit Transfer backend MySQL database and perform several actions:

  • Retrieve a list of stored files, including the uploading user’s name and file paths.
  • Insert, and later delete, a new MOVEit Transfer user with a randomly generated name (‘Health Check Service’), and create new MySQL sessions.
  • Access information about the configured Azure Blob Storage account, such as the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings, potentially facilitating data theft from the victim’s Azure Blob Storage containers.
  • Download files from the server.

MOVEit Transfer administrators have also reported discovering multiple randomly named App_Web_*.dll files, such as App_Web_feevjhtu.dll, after their systems were breached, when there should only be one such file.
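The indicators described in the two passages above (a ‘human2.asp’ file in wwwroot, unexpected backups or large files there, more than one App_Web_*.dll, and HTTP requests hitting the webshell path, including the 404 responses it returns to requests without the expected header) can be checked by a short triage script. The following is an added example written for this article, not code from Progress, Rapid7 or BleepingComputer. It builds a constructed wwwroot tree and constructed IIS-style W3C log lines so it runs offline; the archive suffixes and the size threshold for a “large” file are assumptions chosen for the example, and the log field layout is the IIS default, which your server may have customised.

```python
"""Triage helpers for the MOVEit Transfer indicators named in the article."""
import re
import tempfile
from pathlib import Path

# Indicators from the article. The suffix list and size threshold are example assumptions.
WEBSHELL_NAME = "human2.asp"
APP_WEB_PATTERN = re.compile(r"^App_Web_[A-Za-z0-9_]+\.dll$", re.IGNORECASE)
BACKUP_SUFFIXES = (".bak", ".zip", ".7z", ".rar", ".gz")   # assumption: what counts as a backup
LARGE_FILE_BYTES = 50 * 1024 * 1024                         # assumption: 50 MiB = "large download"


def scan_wwwroot(root, large_bytes=LARGE_FILE_BYTES):
    """Walk a wwwroot folder and return (finding, detail) pairs for each indicator hit.

    Findings: 'webshell' (human2.asp present), 'backup_archive', 'large_file',
    and 'multiple_app_web_dll' when more than one App_Web_*.dll exists.
    """
    root = Path(root)
    findings = []
    dll_count = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name
        if name.lower() == WEBSHELL_NAME:
            findings.append(("webshell", str(path)))
        if APP_WEB_PATTERN.match(name):
            dll_count += 1
        if name.lower().endswith(BACKUP_SUFFIXES):
            findings.append(("backup_archive", str(path)))
        if path.stat().st_size >= large_bytes:
            findings.append(("large_file", str(path)))
    if dll_count > 1:
        findings.append(("multiple_app_web_dll", f"{dll_count} App_Web_*.dll files under {root}"))
    return findings


def find_webshell_requests(log_lines):
    """Parse W3C extended log lines (the IIS default format) and return
    (client_ip, status) for every request whose URI stem is the webshell.

    A 404 on this path is still interesting: the article notes the webshell
    answers 404 when the X-siLock-Comment header does not carry the expected value.
    """
    fields, hits = [], []
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                            # malformed or truncated line; skip
        rec = dict(zip(fields, parts))
        if rec.get("cs-uri-stem", "").lower().endswith("/" + WEBSHELL_NAME):
            hits.append((rec.get("c-ip"), rec.get("sc-status")))
    return hits


def build_demo_tree():
    """Create a constructed wwwroot-like folder in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="moveit_demo_"))
    (root / "human2.asp").write_bytes(b"x" * 16)            # constructed stand-in, not the real webshell
    (root / "App_Web_feevjhtu.dll").write_bytes(b"x" * 16)  # name from the article
    (root / "App_Web_abcd1234.dll").write_bytes(b"x" * 16)  # constructed second DLL
    (root / "export.zip").write_bytes(b"x" * 2048)          # constructed backup-style archive
    return str(root)


# Constructed IIS-style log lines; IPs are documentation ranges.
DEMO_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-05-28 03:12:44 10.0.0.5 POST /human2.asp - 443 198.51.100.23 404
2023-05-28 03:12:51 10.0.0.5 POST /human2.asp - 443 198.51.100.23 200
2023-05-28 03:13:02 10.0.0.5 GET /index.html - 443 203.0.113.7 200
""".splitlines()

if __name__ == "__main__":
    for finding in scan_wwwroot(build_demo_tree(), large_bytes=1024):
        print(*finding)
    for ip, status in find_webshell_requests(DEMO_LOG):
        print("webshell request from", ip, "status", status)
```

Run against a real server, `scan_wwwroot(r"C:\MOVEit Transfer\wwwroot")` with the default threshold lists the same four classes of finding; any ‘webshell’ or ‘multiple_app_web_dll’ hit is grounds to treat the host as compromised and preserve it for investigation before patching, as the advisory recommends.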

The attacks reportedly began during the long US Memorial Day holiday when fewer staff were monitoring systems. Mandiant CTO Charles Carmakal confirmed that their data shows the attacks started on May 27th, and BleepingComputer was informed that mass exploitation and significant data theft occurred over the following days.

According to cybersecurity researcher Kevin Beaumont, the vulnerability also impacted the MOVEit Transfer SaaS platform, potentially enlarging the pool of affected victims.

Progress Software, the company behind MOVEit Transfer, acknowledged the impact on the MOVEit Cloud platform in a statement shared with BleepingComputer. They took immediate action, including temporarily shutting down MOVEit Cloud, to ensure customer safety while assessing the severity of the situation. Progress Software promptly notified customers, providing instructions for immediate actions and subsequently releasing a patch. Mitigation steps for on-premises installations and cloud-based deployments were provided for affected users.

There is currently no evidence of extortion taking place

Although Progress has not explicitly confirmed ongoing exploitation of the vulnerability, BleepingComputer has received reports of several organizations falling victim to data theft through the zero-day flaw.

As of now, the threat actors responsible for the attacks have not initiated any extortion activities, making it difficult to determine their identity.

However, the nature of the exploitation bears resemblance to previous incidents, such as the mass exploitation of a GoAnywhere MFT zero-day in January 2023 and the December 2020 exploitation of Accellion FTA servers. These cases involved the Clop ransomware gang leveraging managed file transfer platforms to steal data and extort organizations.