An unnamed vulnerability in MOVEit Transfer has been exploited in the wild and is expected to have caused data breaches.
MOVEit Transfer is a popular file transfer tool marketed by software maker Progress, formerly Ipswitch. The zero-day vulnerability has not been assigned a CVE at the time of publishing.
Responding to a query by The Cyber Express, the company stated that they could not disclose information about our MOVEit Transfer and MOVEit Cloud customers.
However, they confirmed that they took immediate measures to protect customer environments that included providing instructions for immediate mitigation, followed by the release of a patch to all MOVEit Transfer customers within 48 hours of identifying the vulnerability.
Zero-day vulnerability in MOVEit Transfer
MOVEit allows organizations to securely transfer files between parties using SFTP–, SCP–, and HTTP–based uploads.
The vulnerability in MOVEit Transfer could be exploited to gain escalated- privileges and unauthorized access to the environment, according to the company.
The vulnerability is an SQL injection one in the MOVEit Transfer web application that could allow access to its database.
A hacker may also gain information about the structure and contents of the database based on the database engine they use. Namely, MySQL, Microsoft SQL Server, or Azure SQL Server. They may delete the database by executing SQL statements.
“Active exploitation of this vulnerability has been observed in the wild, which could lead to escalated privileges and potential unauthorized access to an environment,” said a threat analysis report by cybersecurity company Reliaquest.
“ReliaQuest observed exploitation of this vulnerability since at least May 27, 2023.”
Impact of the zero-day vulnerability in MOVEit Transfer
According to the company, no version of MOVEit Transfer remains unaffected by this vulnerability. Users are urged to upgrade to the fixed versions.
Mass downloading of data from several organizations has been performed by exploiting the flaw in MOVEit Transfer, according to reports. There is no clarity about the time and which cybercriminal group is compromising devices.
While a patch is being prepared, the company has urged its customers worldwide to look out for these indicators of compromise.
Indicators of compromise
| Indicator | Type | Context |
| C:\Windows\TEMP\[random]\[random].cmdline | Folder Path | Script that is executed to create the human2.aspx file. The folder path and filename are randomized. |
| human2.aspx | Filename | Webshell used during exploitation. |
| human2.aspx.lnk | Filename | Webshell used during exploitation. |
| POST /moveitisapi/moveitisapi.dll | HTTP POST | |
| POST /guestaccess.aspx | HTTP POST | |
| POST /api/v1/folders/[random]/files | HTTP POST | |
| 5.252.189.0/24 | CIDR | Attacker command and control |
| 5.252.190.0/24 | CIDR | Attacker command and control |
| 5.252.191.0/24 | CIDR | Attacker command and control |
| 198.27.75.110 | IPv4 | Attacker command and control |
| 209.222.103.170 | IPv4 | Attacker command and control |
| 84.234.96.104 | IPv4 | Attacker command and control |
| Health Check Service | User Display Name | Webshell creates a MOVEit Transfer user account session with the display name ‘Health Check Service’. |
| 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| 98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
| ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c | SHA256 Hash | Human2.aspx Webshell used during exploitation. |
If you do notice any of the indicators noted above, please immediately contact your security and IT teams and open a ticket with Progress Technical Support,” warned the company.
Mitigation and best practices to defend against exploitation
The parent company of MOVEit Transfer, Progress suggested some best practices to deter and report threat arising from the exploitation of the zero-day vulnerability in MOVEit Transfer. The issue was addressed by the company on May 31, 2023 and the following mitigation steps were offered:
- Disable all HTTP and HTTPs traffic to MOVEit Transfer. To do this, users may modify firewall rules to deny the said traffic to MOVEit on ports 80 and 443. This can be changed back after the patch has been updated.
- As a result of this step, users will not be able to log on to the MOVEit web UI, nor will MOVEit Automation tasks will functional.
- MOVEit Transfer add-in for Outlook will also not be working nor be REST, Java and .NET APIs.
- Review, and delete unauthorized files and user accounts they find. Delete instances of human2.aspx and .cmdline script files. Review logs for other downloads especially from unknown IPs. Reset service account login credentials for MOVEit.
- Apply patches for all MOVEit Transfer versions that are made available. The license file is the same for patching.
- Admins are urged to monitor networks, endpoints, and logs for Indicators of Compromise.
Popularity of file transfer tools like MOVEit make vulnerabilities in them highly risky for global organizations.
A vulnerability in managed file transfer (MFT) software GoAnywhere, which serves more than 3,000 organizations across the world, opened the biggest stream of ransomware attacks in Q1, 2023.
Cl0p ransomware had a field day exploiting a Fortra GoAnywhere MFT RCE vulnerability CVE-2023-0669. From global corporations such as Hitachi and P&G to city administrations and state governments, the ransomware hit targets across the world.
