Flash Alert – Critical vulnerability in MOVEit Transfer

June 2, 2023

Flash Alert – Critical vulnerability in MOVEit Transfer

By Daniel Collyer, Threat Intelligence Analyst, SOS Intelligence

We have been made aware of a critical, zero-day vulnerability in MOVEit Transfer which is being actively targeted by threat actors to facilitate data theft.

MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch. It allows the users to securely transfer files between consumers and partners using SFTP, SCP, and HTTP-based uploads.

The exploit, as yet unassigned a CVE, is being utilised by as-yet-unknown threat actors to facilitate mass downloads of victim company data.

Ipswitch’s parent company Progress Software Corporation have released mitigation advice here, but as of writing, no patches have been released. We recommend taking necessary precautions to safeguard data until suitable patches have been released.

Key recommendations have been to block traffic across HTTP ports (80 and 443). This would have the effect of inhibiting certain functions of MOVEit, however, (S)FTP protocols can remain in use for file transfers. This would seemingly indicate the vulnerability to be web-facing. It is further recommended to monitor the “c:\MOVEit Transfer\wwwroot\” folder for indications of unexpected files, backups or downloads.

Rapid7 has identified the flaw as an SQL injection vulnerability, leading to remote code execution. By querying the web shell within exposed MOVEit Transfer servers, and providing the necessary, password-like data within the headers, attackers can leverage access to the services MySQL servers. This would allow access to perform various actions, such as:

Retrieve a list of stored files and relevant metadata
Create and remove randomly-named MOVEit Transfer users with the login name ‘Health Check Service’ and create new MySQL sessions.
Retrieve information about the configured Azure Blob Storage account, including various settings. This can then be leveraged to steal data directly from Azure Blob Storage containers.
Download files from the server

Industry reporting has suggested that this incident began on or around 27 May 2023, to coincide with lax monitoring over the US’s Memorial Day weekend.

IOCs

138.197.152[.]201

209.97.137[.]33

5.252.191[.]0/24

148.113.152[.]144 (reported by the community)

89.39.105[.]108

App_Web_<random>.dll (Normally, there will be one of these files. Presence of more would indicate a breach)

The SOS Intelligence CVE Chatter Weekly Top Ten – 05 June 2023

Join us for our next SOS Intelligence webinar on Understanding Third-Party Risk for Cybersecurity

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.