Flash Alert – Critical vulnerability in MOVEit Transfer
By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence
We have been made aware of a critical, zero-day vulnerability in MOVEit Transfer which is being actively targeted by threat actors to facilitate data theft.
MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch. It allows the users to securely transfer files between consumers and partners using SFTP, SCP, and HTTP-based uploads.
The exploit, as yet unassigned a CVE, is being utilised by as-yet-unknown threat actors to facilitate mass downloads of victim company data.
Ipswitch’s parent company Progress Software Corporation have released mitigation advice here, but as of writing, no patches have been released. We recommend taking necessary precautions to safeguard data until suitable patches have been released.
Key recommendations have been to block traffic across HTTP ports (80 and 443). This would have the effect of inhibiting certain functions of MOVEit, however, (S)FTP protocols can remain in use for file transfers. This would seemingly indicate the vulnerability to be web-facing. It is further recommended to monitor the “c:\MOVEit Transfer\wwwroot\” folder for indications of unexpected files, backups or downloads.
Rapid7 has identified the flaw as an SQL injection vulnerability, leading to remote code execution. By querying the web shell within exposed MOVEit Transfer servers, and providing the necessary, password-like data within the headers, attackers can leverage access to the services MySQL servers. This would allow access to perform various actions, such as:
- Retrieve a list of stored files and relevant metadata
- Create and remove randomly-named MOVEit Transfer users with the login name ‘Health Check Service’ and create new MySQL sessions.
- Retrieve information about the configured Azure Blob Storage account, including various settings. This can then be leveraged to steal data directly from Azure Blob Storage containers.
- Download files from the server
Industry reporting has suggested that this incident began on or around 27 May 2023, to coincide with lax monitoring over the US’s Memorial Day weekend.
IOCs
138.197.152[.]201
209.97.137[.]33
5.252.191[.]0/24
148.113.152[.]144 (reported by the community)
89.39.105[.]108
App_Web_<random>.dll (Normally, there will be one of these files. Presence of more would indicate a breach)