The MOVEit Transfer vulnerability.
Jun 3, 2023

Progress Software addresses a vulnerability in its MOVEit Transfer software.

The MOVEit Transfer vulnerability.

Progress Software on Wednesday disclosed a critical vulnerability in its MOVEit Transfer managed file transfer software. Researchers at Rapid7 say they’ve observed exploitation of the vulnerability before it was disclosed, and these attacks have increased since its disclosure. The researchers note, “Our teams have so far observed the same webshell name in multiple customer environments, which may indicate automated exploitation.” BleepingComputer reports that attackers are exploiting the vulnerability “to perform mass downloading of data from organizations.” Reuters quotes Mandiant’s Chief Technology Officer as stating that “Mass exploitation and broad data theft has occurred over the past few days.”

Rapid7 adds, “The MOVEit Transfer advisory has contradictory wording on patch availability, but as of June 1, it does appear that fixed versions of the software are available. Patches should be applied on an emergency basis.”

Progress stated, “[an] SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements. All MOVEit Transfer versions are affected by this vulnerability.”

The scope of the MOVEit problem.

Charles Carmakal, of Mandiant, described what his company is seeing. "Mandiant is currently investigating several intrusions related to the exploitation of the MOVEit managed file transfer zero-day vulnerability. Mass exploitation and broad data theft has occurred over the past few days.” Carmakal points out that patching isn’t the end of a proper response to the vulnerability. “In addition to patching their systems, any organization using MOVEit should forensically examine the system to determine if it was already compromised and if data was stolen. Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data. Mass exploitation of zero-day vulnerabilities with other managed file transfer solutions has resulted in data theft, extortion, publication of stolen data, and victim shaming."

Jacob Garrison, Security Researcher at Bionic, explained the vulnerability as analogous to a zero-day in a widely used product. “The MOVEit Transfer security flaw involves one company’s proprietary file transfer protocol,” Garrison wrote. “This incident is similar to a zero-day vulnerability being found in Apple or Microsoft’s software, where organizations have to wait for the vendor to fix it and must shut down their MOVEit servers in the meantime.”

The upside to the incident, insofar as there is one, is the relatively limited scope of servers affected. Garrison says, “Fortunately, it appears to be affecting only 2,500 servers in the U.S., which is a relatively tiny figure. On a technical level, this appears to be a SQL injection vulnerability in the Web UI that allows bad actors to run any query they want to get access to and alter any data — including sensitive ones. The immediate remediation seems to be to block the HTTP and HTTPS ports (80 and 443) to block off the web UI to the public. In the future, companies can proactively prevent similar incidents by identifying as soon as possible whether an application contains sensitive data, is internet-facing, and runs the most up-to-date security anti-pattern scanning, including CVEs.”

Recommended remediations and defenses against MOVEit exploitation.

Paul Laudanski, Director of Security Research, Onapsis, wrote about how webshells are used in exploitation of such vulnerabilities. "I've worked a lot of cases like this with businesses, where they have an application that leads to someone dropping a webshell,” Laudanski wrote. “And that webshell is used to drop advanced malware threats and exfiltration of data. The webshell is oftentimes used to recon the system and exfil further data, open internal connections, etc. It is critical to have a purpose-engineered solution for business-critical applications.”

He recommends web application firewalls as a preventive measure. “Web application firewalls (WAFs) are purpose-engineered security tools that look for these types of attacks including SQL injection attacks. So even though this CVE may not yet be published, the attack is a common OWASP TOP 10 awareness security risk. WAFs are great at looking out for these attacks. Organizations often think since their SAP systems are behind firewalls they are safe from attacks. However, once the attacker has gained that first point of access they can then pivot and go after the most lucrative targets, which includes their SAP systems holding critical business data and running critical business processes. It is important for businesses to ensure they have WAFs in place at the edge to watch for common OWASP top 10 risks, and at the same time important to log and monitor for these types of attacks."

Dan Mayer, Threat Researcher at Stairwell, described the potential for remote code execution: “The vulnerability being exploited in MOVEit’s software allows for remote code execution (RCE) in a potentially privileged context by allowing a remote threat actor to write a C# web shell into the directory c:\MOVEit Transfer\wwwroot\, enabling them to remotely access the exploited system and execute commands on it. As of right now, this has been abused for siphoning data from compromised organizations, but can also be a foothold into these organizations from which threat actors can pivot and accomplish other actions on objectives. The motives of the actors already exploiting this vulnerability are currently unclear. Stealing data from file repositories is the bread and butter of data extortion actors, but state-sponsored actors such as Chinese threat actors have also been observed mass-exploiting web server vulnerabilities by installing web shells.”

Mayer also offered guidance on response: “I recommend following Progress Software’s guidance of blocking HTTP and HTTPS traffic and isolating any host that you believe has already been compromised from the rest of your internal network. Utilize publicly available information to hunt for indicators of compromise (IOCs) on the MOVEit server and within your environment. YARA rules for the known web shell deployed in the first wave of exploitation are publicly available. As stated in Progress Software’s guidance, inspect c:\MOVEit Transfer\wwwroot\ for unknown files.”

Mayer added, "To go a step further, utilize tools that enable you to continuously ingest threat reports and YARA rules and hunt within your environment for new indicators of compromise as more information comes out about this developing threat. Also, timeline the system to determine what files on the machine, if any, were written within the last 72 hours.”
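The two checks Mayer describes (compare the web root against a known-good file inventory, and timeline files written in the last 72 hours) can be scripted. The following is an added example, not code from the article or from Progress Software or Stairwell; it builds a constructed stand-in for the web root in a temporary directory, and on a real server you would point `recent_files` and `unknown_files` at c:\MOVEit Transfer\wwwroot\ and at a baseline captured from a clean install. The file names and the `constructed_unknown.aspx` sample are invented for the demonstration.

```python
"""Inventory and 72-hour timeline of a web root (added illustration)."""
import os
import tempfile
import time
from pathlib import Path

WINDOW_HOURS = 72  # the window suggested in the article


def _rel(path, root):
    """Relative path with forward slashes so baselines compare across OSes."""
    return path.relative_to(root).as_posix()


def recent_files(root, window_hours=WINDOW_HOURS, now=None):
    """Return (relative_path, age_hours) for files written within the window, newest first."""
    now = time.time() if now is None else now
    cutoff = now - window_hours * 3600
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            mtime = p.stat().st_mtime
            if mtime >= cutoff:
                hits.append((_rel(p, root), round((now - mtime) / 3600, 1)))
    return sorted(hits, key=lambda t: t[1])


def unknown_files(root, baseline):
    """Files under root whose relative path is not in the known-good inventory."""
    return sorted(_rel(p, root) for p in Path(root).rglob("*")
                  if p.is_file() and _rel(p, root) not in baseline)


def build_demo(root):
    """Constructed sample web root: two month-old 'shipped' files, one unexpected .aspx written 2h ago."""
    now = time.time()
    month = 30 * 24 * 3600
    files = {"index.aspx": now - month,
             "scripts/site.js": now - month,
             "constructed_unknown.aspx": now - 2 * 3600}  # constructed, not a real IoC
    for rel, mtime in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<!-- constructed sample -->")
        os.utime(path, (mtime, mtime))  # backdate so the timeline is meaningful
    return {"index.aspx", "scripts/site.js"}  # the baseline a clean install would give


def run_demo():
    """Build the sample tree and return (unknown files, names of files written in the last 72h)."""
    root = tempfile.mkdtemp()
    baseline = build_demo(root)
    return unknown_files(root, baseline), [name for name, _ in recent_files(root)]


if __name__ == "__main__":
    print(run_demo())
```

Both checks flag the same file here; on a real host, treat any file that fails either check as a candidate for hashing and YARA scanning rather than assuming it is benign.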