Flash Notice: SECOND UPDATE - Critical MOVEit File Transfer Zero-Day Vulnerability Exploited by Attackers

UPDATE 6/16/2023 - Last night, Progress published an advisory notifying users of another critical MOVEit Transfer vulnerability tracked as CVE-2023-35708. According to Progress, the SQL injection vulnerability could lead to escalated privileges and potential unauthorized access to the MOVEit Transfer database.   

CVE-2023-35708 could allow an attacker to submit a crafted payload to a MOVEit Transfer application endpoint which could modify and disclose MOVEit database content. MOVEit Transfer versions released before the following are vulnerable:  

• 2021.0.8 (13.0.8) 
• 2021.1.6 (13.1.6) 
• 2022.0.6 (14.0.6)  
• 2022.1.7 (14.1.7)  
• 2023.0.3 (15.0.3) 

It’s important to note that several U.S. federal agencies have been breached via MOVEit vulnerabilities. On the heels of these attacks, the Cybersecurity and Infrastructure Security Agency (CISA) has ordered all federal agencies to restrict access to Internet exposed networking equipment. Progress highly recommends that users apply the below mitigation steps to prevent unauthorized access to their MOVEit Transfer environments.  

AVERTIUM'S RECOMMENDATIONS

Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment.  More specifically:   

• Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.  
• It is important to note that until HTTP and HTTPS traffic is enabled again:   
  • Users will not be able to log on to the MOVEit Transfer web UI.    
  • MOVEit Automation tasks that use the native MOVEit Transfer host will not work.   
  • REST, Java, and .NET APIs will not work.   
  • MOVEit Transfer add-in for Outlook will not work.   
• SFTP and FTP/s protocols will continue to work as normal. 
• Enable all HTTP and HTTPs traffic to your MOVEit Transfer environment. 
• As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/
• As patches for CVE-2023-35708 become available, guidance will be provided at the link below: 
  • Patch Guidance 
• Supported versions are listed at the link below: 
• Supported versions  
• The latest MOVEit Transfer and MOVEit Cloud vulnerability updates can be found at the link below:  
• Latest news from Progress  

UPDATE 6/9/2023 - Last week, Avertium published a Flash Notice warning of a SQL injection vulnerability found in Progress Software’s MOVEit Transfer managed file transfer solution (MFT). At the time, the vulnerability did not have a CVE number, that has since changed. The vulnerability, now tracked as CVE-2023-34362, was given a patch and organizations were advised to apply the patch as soon as possible. We have also learned that Clop ransomware has leveraged CVE-2023-34362, attacking several organizations. Those organizations include the UK based payroll provider Zellis. Some of the company’s customers include the Minnesota Department of Education and British Airways.  

This week, while Progress and their third-party security experts were investigating the original MOVEit vulnerability, they uncovered new critical SQL injection vulnerabilities in MOVEit Transfer MFT. These vulnerabilities allow attackers to steal information from customer databases. The vulnerabilities, discovered by Huntress, do not have CVE numbers assigned to them. However, they affect all versions of MOVEit Transfer. If an attacker successfully exploits these vulnerabilities, they can compromise Internet-exposed servers and manipulate or extract customer information without authentication. 

According to Progress’s advisory, an attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content. Progress has provided patches for the vulnerabilities, which are available for all supported versions. Although the vulnerabilities have not been exploited in the wild, it is highly recommended that you apply the patches as soon as possible. Also, if you have not already done so, please apply the patches for CVE-2023-34362 as well.  

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with the new MOVEit vulnerabilities. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

avertium's recommendationS

• MOVEit Transfer 2023.0.x (15.0.x) 
• MOVEit Transfer 2022.1.x (14.1.x) 
• MOVEit Transfer 2022.0.x (14.0.x) 
• MOVEit Transfer 2021.1.x (13.1.x) 
• MOVEit Transfer 2021.0.x (13.0.x) 
• MOVEit Transfer 2020.1.x (12.1) 
  • This has a special patch. Please see the following documentation.  
• MOVEit Transfer 2020.0.x (12.0) or older. 
  • You must upgrade to a supported version. Please see the following documentation. 
    
    

overview

This week, Progress Software’s managed file transfer solution MOVEit Transfer is actively being exploited by attackers to steal corporate data. While the SQL injection vulnerability does not have an official CVE number, Progress released a security advisory stating that vulnerability is critical, and it could lead to escalated privileges and potential unauthorized access to the environment. The researchers at Mandiant stated that “mass exploitation and broad data theft has occurred over the past few days.”

Patches have officially been released and Progress Software has issued mitigations to prevent further exploitation. Progress Software also stated that they are upgrading the MOVEit Cloud clusters for customers. The company recommends that admins block external traffic to ports 80 and 443 on the MOVEit server. Progress Software stated that blocking these ports will prevent external access to the web UI, stop some MOVEit Automation tasks from working, block APIs, and stop the Outlook MOVEit plugin from working. Admins are also advised to thoroughly inspect the 'c:\MOVEit Transfer\wwwroot' folder for any suspicious files, such as backups or substantial file downloads.

Also, considering the blocked ports and the very specific location to check for unusual files, it is likely that the vulnerability is web facing. The MOVEit Transfer vulnerability is similar to another zero-day (GoAnywhere/CVE-2023-0669) exploited by the Clop ransomware group in January 2023. This vulnerability allowed the threat actors to exfiltrate data and extort organizations.

It is highly recommended that organizations shut down all MOVEit Transfers and investigate to identify potential compromises before applying a patch (when it becomes available) and bringing the server back online.

avertium's recommendationS

Progress recommends the following mitigation steps to prevent unauthorized access to your MOVEit Transfer environment:

• Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment.
  • More specifically, modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
    • Users will not be able to log on to the MOVEit Transfer web UI
    • MOVEit Automation tasks that use the native MOVEit Transfer host will not work
    • REST, Java and .NET APIs will not work
    • MOVEit Transfer add-in for Outlook will not work
      It is important to note, that until HTTP and HTTPS traffic is enabled again:
• Review, Delete and Reset
  • Delete Unauthorized Files and User Accounts
    • Delete any instances of the human2.aspx and .cmdline script files.
    • On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
    • On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline
    • Remove any unauthorized user accounts. See Progress MOVEit Users Documentation
  • Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. For more information on reviewing logs, please refer to MOVEit Transfer Logs
  • Reset Credentials
    • Reset service account credentials for affected systems and MOVEit Service Account
• Apply the Patch
  • Patches for all supported MOVEit Transfer versions are available below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle.
  • Please note, the license file can remain the same to apply the patch.

• Verification
  • To confirm the files have been successfully deleted and no unauthorized accounts remain, follow steps 2A again. If you do find indicators of compromise, you should reset the service account credentials again.

INDICATORS OF COMPROMISE (IoCs)

• Creation of unexpected files in the c:\MOVEit Transfer\wwwroot\ folder on all your MOVEit Transfer instances (including back-ups).
• Unexpected and/or large file downloads.

IP Addresses

• 138.197[.]152[.]201
• 209.97[.]137[.]33
• 5.252[.]191[.]0/24
• 148.113[.]152[.]144 (reported by the community)
• 89.39[.]105[.]108

HTTP POST

• POST /moveitisapi/moveitisapi.dll
• POST /guestaccess.aspx
• POST /api/v1/folders/[random]/files

SHA256 Hashes

• 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9
• 110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286
• 1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2
• 2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59
• 58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166
• 98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8
• a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986
• b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03
• cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621
• ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c
• 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9
• 110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286
• 1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2
• 2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59
• 58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166
• 98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8
• a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986
• b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03
• cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621
• ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c

File Names

• aspx
• aspx.lnk

How Avertium is Protecting Our CUSTOMERS

• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
• Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
• Avertium offers Vulnerability Management VM to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.

SUPPORTING DOCUMENTATION