On May 31 2023, the vendor Progress Software released a security advisory about its product, MOVEit Transfer managed file transfer (MFT) software. MOVEit has been used by thousands of organizations in the transfer of sensitive data.
This vulnerability affects all versions of MOVEit Transfer software. The vulnerability also impacts customers who rely on the MOVEit Transfer cloud platform.
The vulnerability is a SQL injection vulnerability that could allow an un-authenticated attacker to gain access to MOVEit Transfer’s database. An attacker may be able to infer information about the structure and contents of the database, in addition to running SQL statements that change or delete database elements.
Threat intelligence organizations have observed scanning activity as early as March 3, and customers using MOVEit are urged to review systems for any indicators of unauthorized access that may have occurred within the last 90 days.
Information about this vulnerability is still new, and we expect more published information over the next few days as this threat is analyzed. It is tracked as CVE-2023-34362. Though it does not have a severity score as of the writing of this bulletin, we consider this to be a critical vulnerability due to possible attacks from unauthenticated Internet-based attackers, the widespread use of this tool, and the sensitivity of the data stored in MOVEit databases.
Patches are available now for all versions of MOVEit software. The vendor urges customers to apply the patches as soon as possible. Until those patches are applied, there are ways to mitigate the risk of an attack:
- Modify firewall rules to deny HTTP (port 80) and HTTPS (port 443) traffic to MOVEit Transfer servers. It is important to note that, until HTTP and HTTPS traffic is enabled again, users will not be able to log on to the MOVEit Transfer web interface; MOVEit Automation tasks that use the native MOVEit Transfer host will not work; REST, Java, and .NET APIs will not work; and the MOVEit Transfer add-in for Outlook will not work. However, the SFTP and FTP protocols will continue to work as normal.
- If it is not possible to deny access for all HTTP/HTTPS traffic, update network firewall rules to allow connections from pre-screened, permitted IP addresses only.
- Reset service account credentials for affected systems, and the MOVEit Service Account.
Check for Indicators of Compromise:
The product vendor recommends a review of access over the last 90 days to confirm the software has not been compromised. To complete the review:
- On the MOVEit Transfer server, look for any new files in C:\MOVEitTransfer\wwwroot , particularly a backdoor file called “human2.aspx”.
- On the MOVEit Transfer server, look for any new files created in C:\Windows\TEMP\
\ and randomly-named subdirectories with the file extension of .cmdline .
- Review the list of user accounts for new, unauthorized users. Progress Software provides a how-to at: https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2022/page/Users.html
- Review logs for unexpected downloads of files from unknown IP addresses, or large numbers of files downloaded. Progress Software provides a how-to on reviewing logs at: https://docs.progress.com/bundle/moveit-transfer-web-admin-help-2022/page/Logs.html
- If the MOVEit installation used the Microsoft Azure SQL database engine, review Azure logs for unauthorized access to Azure Blob Storage Keys and consider rotating potentially affected keys. More information about reviewing Azure storage logs is available at https://learn.microsoft.com/en-us/azure/storage/common/manage-storage-analytics-logs?tabs=azure-portal .
A full list of indicators of compromise, including IP addresses and SHA256 hashes for malicious scripts, are listed at https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 .
- Prior to installing the patches and restoring service, ensure that the MOVEit server has been isolated from HTTP/HTTPS access, and indicators of compromise have been identified and removed.
- Patches for all affected versions are available at: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023 .
- Once patches are deployed, the HTTP/HTTPS firewall rules can be removed.
How can Sedara Help?
Sedara’s vCISOs can provide you ongoing supervision and support to stay updated on the latest security incidents. Our vCISOs are your “cybersecurity sidekick,” helping you improve your overall cybersecurity posture by adopting new security controls and mitigating risk.
Gain visibility across your entire network for real-time analysis and alerting of security events. Sedara’s 24x7x365 SOC can deploy and monitor a Security Information Event Management (SIEM) so that you can ignore the noise and take immediate action on security incidents.
More reading on this threat:
- Progress MOVEit Transfer Critical Vulnerability (May 2023) – https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
- NIST CVE-2023-34362 – https://nvd.nist.gov/vuln/detail/CVE-2023-34362
Want Help With a Security Incident?
Sedara can help your organization assess and address vulnerabilities and provide insight that prevents future incidents.
Get Future Compromise Alerts – Join Sedara Declassified
Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do. And of course, if we can help you with anything directly, feel free to reach out.