On May 31, 2023, Progress Software released a security bulletin about a critical vulnerability in MOVEit Transfer.
The security bulletin states:
“a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”
This means the vulnerability could lead to an attacker gaining escalated privileges and unauthorized access to the environment.
MOVEit Transfer is a widely used file transfer software which encrypts files and uses secure File Transfer Protocols to transfer data. As such it has a large userbase in the healthcare industry and many others. Progress advertises MOVEit as the leading secure Managed File Transfer (MFT) software used by thousands of organizations around the world to provide complete visibility and control over file transfer activities.
To give you an idea of the possible impact, a Shodan search query for exposed MOVEit Transfer instances yielded over 2,500 results, most of which belong to US customers.
Several researchers have observed that this vulnerability is being exploited in the wild. BleepingComputer says it has information that cybercriminals have been exploiting the zero-day in the MOVEit MFT software to perform massive data downloads from organizations.
The method used to compromise systems is to drop a webshell in the wwwroot folder of the MOVEit install directory. This allows the attacker to obtain a list of all folders, files, and users within MOVEit, download any file within MOVEit, and insert an administrative backdoor user, giving attackers an active session that bypasses the normal credential checks.
The Cybersecurity and Infrastructure Security Agency (CISA) is urging users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.
Several researchers have provided methods to make the hunt easy. These are the ones I could find:
- MoveIT-WebShellCheck a Python script by ZephrFish
- Sigma rule by Florian Roth
- Yara rule by Florian Roth
- Sigma rule by tsale
Note: A Sigma rule is a generic and open YAML-based signature format that enables a security operations team to describe relevant log events in a flexible and standardized format. YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics.
All MOVEit Transfer versions are affected by this vulnerability. See the patch links under step 3 below for the security patch for each supported version.
The method recommended by Progress is to:
1. Disable web traffic
Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically, modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied. It is important to note that until HTTP and HTTPS traffic is enabled again:
- Users will not be able to log on to the MOVEit Transfer web UI
- MOVEit Automation tasks that use the native MOVEit Transfer host will not work
- REST, Java and .NET APIs will not work
- MOVEit Transfer add-in for Outlook will not work
- SFTP and FTP/s protocols will continue to work as normal
- Administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/.
2. Review, Delete and Reset
- Delete unauthorized files and user accounts
- Delete any instances of the human2.aspx and .cmdline script files.
- On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory, and for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline
- Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded.
- Reset Credentials
- Reset service account credentials for affected systems and MOVEit Service Account
3. Apply the Patch
Patches for all supported MOVEit Transfer versions are linked below. Please note that the license file can remain the same when applying the patch.
- MOVEit Transfer 2023.0.0
- MOVEit Transfer 2022.1.x
- MOVEit Transfer 2022.0.x
- MOVEit Transfer 2021.1.x
- MOVEit Transfer 2021.0.x
4. Enable web traffic, verify, monitor
Enable all HTTP and HTTPS traffic to your MOVEit Transfer environment. Then confirm the files have been successfully deleted and no unauthorized accounts remain by following the steps under "Review, Delete and Reset" again. If you do find indicators of compromise, you should reset the service account credentials again. Monitor network, endpoints, and logs for IoCs (Indicators of Compromise).
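The log review in step 2 (requests for the human2.aspx webshell, bulk downloads from unknown IPs) can be scripted against the IIS logs of the MOVEit Transfer server. The example below is added here and is not Progress's or Malwarebytes' code; the log excerpt is constructed, the default IIS W3C field order, the `/download` path suffix and the allow-listed network are assumptions to adapt to your own environment.

```python
import ipaddress
from collections import Counter

# Constructed IIS W3C log excerpt (sample input, not real MOVEit telemetry). The
# field order is the default IIS W3C layout; that it matches your server is an assumption.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-30 02:14:01 10.0.0.5 GET /human.aspx - 443 alice 192.0.2.10 Mozilla/5.0 - 200 0 0 120
2023-05-30 02:14:15 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 python-requests/2.28 - 200 0 0 35
2023-05-30 02:15:00 10.0.0.5 GET /files/1001/download - 443 - 198.51.100.23 python-requests/2.28 - 200 0 0 900
2023-05-30 02:15:02 10.0.0.5 GET /files/1002/download - 443 - 198.51.100.23 python-requests/2.28 - 200 0 0 850
2023-05-30 02:15:04 10.0.0.5 GET /files/1003/download - 443 - 198.51.100.23 python-requests/2.28 - 200 0 0 910
2023-05-30 09:30:00 10.0.0.5 GET /files/2001/download - 443 alice 192.0.2.10 Mozilla/5.0 - 200 0 0 400
"""

# Networks the organisation expects to see downloading (constructed allow list).
KNOWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
WEBSHELL_NAME = "human2.aspx"   # webshell file name named in the Progress advisory
DOWNLOAD_THRESHOLD = 3          # bulk-download alert threshold (tuning assumption)

def parse_w3c(text):
    """Turn an IIS W3C log into a list of dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def is_known(ip):
    return any(ipaddress.ip_address(ip) in net for net in KNOWN_NETWORKS)

def hunt(text, threshold=DOWNLOAD_THRESHOLD):
    """Return findings: any request to the webshell path, and bulk downloads from unknown IPs."""
    findings, downloads = [], Counter()
    for row in parse_w3c(text):
        uri, ip = row["cs-uri-stem"].lower(), row["c-ip"]
        if uri.endswith("/" + WEBSHELL_NAME):
            findings.append(("webshell-request", ip, uri))
        # A served download is approximated as a successful GET ending in /download (assumption).
        if row["cs-method"] == "GET" and row["sc-status"] == "200" and uri.endswith("/download"):
            downloads[ip] += 1
    for ip, n in downloads.items():
        if n >= threshold and not is_known(ip):
            findings.append(("bulk-download-unknown-ip", ip, n))
    return findings
```

Run `hunt()` over the real log text of each site (the W3C header is parsed, so field order changes are tolerated) and raise the threshold to a value that fits normal traffic volume.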
Malwarebytes blocks traffic to five malicious IP addresses—220.127.116.11, 18.104.22.168, 22.214.171.124/24, 126.96.36.199, 188.8.131.52—that were found to look for vulnerable systems, and detects the malicious C:\MOVEitTransfer\wwwroot\human2.aspx as Exploit.Silock.MOVEit.
Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.