Critical zero-day vulnerability in MOVEit Transfer exploited by attackers!
UPDATE (June 2, 2023, 05:55 a.m. ET): Check out our update on this evolving situation.
A critical zero-day vulnerability in Progress Software’s enterprise managed file transfer solution MOVEit Transfer is being exploited by attackers to grab corporate data.
“[The vulnerability] could lead to escalated privileges and potential unauthorized access to the environment,” the company warned on Wednesday, and advised customers to take action to protect their MOVEit Transfer environment, “while our team produces a patch.”
The alert also tells them to check for indicators of unauthorized access over at least the past 30 days, so it’s likely the company has still not pinpointed when the first exploitations began.
What is happening?
“A bunch of people have alerted me to a vulnerability in MoveIT, a secure file transfer app used heavily in the UK. I did some digging and it looks like it’s a zero day under active exploitation. Not 100% on threat actor yet but it may be one of the ransomware/extortion groups,” says security researcher Kevin Beaumont.
According to cybersecurity specialist Daniel Card (and Shodan), there seem to be over 2,500 MOVEit Transfer servers discoverable on the internet, mostly in the US.
MOVEit Transfer vulnerability: What can you do?
Progress Software advised users to temporarily disable all HTTP and HTTPS traffic to their MOVEit Transfer environment, and to upgrade to one of the fixed versions:
- MOVEit Transfer 2023.0.1
- MOVEit Transfer 2022.1.5
- MOVEit Transfer 2022.0.4
- MOVEit Transfer 2021.1.4
- MOVEit Transfer 2021.0.6
They also advised customers to check whether unexpected files have been created in the c:\MOVEit Transfer\wwwroot\ folder on all their MOVEit Transfer instances, and whether unexpected or large file downloads have been performed.
Beaumont, who apparently has more up-to-date information on the actual attacks, advises organizations who run instances to disconnect them from their internal network, check for newly created or altered .asp* files, and to save a copy of all IIS logs and network data volume logs.
“Webshells have been getting dropped,” he shared.
One commenter on Reddit says that their employer was affected over the Memorial Day weekend and that a ton of files were copied from their MoveIt sites, and others are advising defenders on specific indicators of compromise to look for.
Even though Progress Software says that the company has discovered the vulnerability, it seems that they discovered it only after they detected it being actively exploited, which makes it a zero-day flaw.
If this is confirmed, it will be the second instance of a zero-day in an enterprise managed file transfer tool being exploited by attackers this year – the first was CVE-2023-0669, a remote code execution vulnerability in Fortra’s GoAnywhere solution, leveraged by the Cl0p ransomware gang.