MOVEit Transfer zero-day attacks: The latest info

There’s new information about the zero-day vulnerability in Progress Software’s MOVEit Transfer solution exploited by attackers and – more importantly – patches and helpful instructions for customers.

The MOVEit Transfer zero-day and updated mitigation and remediation advice

Progress Software has updated the security advisory and confirmed that the vulnerability (still without a CVE number) is a SQL injection vulnerability in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” they explained.

All MOVEit Transfer versions are affected by the flaw.

The advisory also contains links to fixed versions, indicators of compromise (IoCs) – scripts, webshells, C2 IP addresses, user accounts – and more extensive clean-up advice, which includes:

• Disabling all HTTP and HTTPs traffic to the MOVEit Transfer environment
• Deleting unauthorized files and user accounts and resetting credentials
• Applying the patch/updating the installation to a fixed version
• Enabling all HTTP and HTTPs traffic to the MOVEit Transfer environment
• Checking that the files have been successfully deleted and no unauthorized accounts remain – if they haven’t been, do the clean-up and reset the service account credentials again
• If the clean-up has been successful, organizations should monitor network, endpoints, and logs for IoCs

Researchers from Huntress, TrustedSec, and Rapid7 have analyzed the webshell/backdoor, released YARA signatures and SIGMA rules defenders can use to detect IoCs and hunt for suspicious files, and have shared more technical information about the attacks.

This Reddit thread is also a good source of most recent info and tidbits, some of it seemingly provided by anonymous sysadmins and security pros at some of the compromised organizations.

The fallout

It’s still unknown how many organizations have been hit, but Rapid7 says that its managed services teams are observing exploitation of the flaw across multiple customer environments.

“Huntress has identified less than ten organizations with this MOVEit Transfer software in our partner base, however, Shodan suggests that there are over 2,500 servers publicly available on the open Internet. From our few organizations, only one has seen a full attack chain and all the matching indicators of compromise,” shared John Hammond, threat hunter and researcher at Huntress.

The majority of the internet-facing servers are located in the US.

Security researcher Kevin Beaumont says that “webshells started being planted a few weeks ago” and that he has been told of “multiple incidents running at multiple orgs during that timeframe who detected activity.”

So it seems that while the detected data exfiltration happened during the Memorial Day weekend, preparations were underway for weeks (if not months).

Beaumont also says that he was “reliably told” this incident also impacted the MOVEit SaaS offering (MOVEit Cloud), which Progress Software took down.

So far, there haven’t been reports of the attackers demanding money from affected organizations to get the stolen information back.