
Hackers Exploit Zero-Day Vulnerability in MOVEit Transfer Software

MOVEit Transfer, developed by Ipswitch, is a popular solution for securely transferring files using protocols like SFTP, SCP, and HTTP.

However, attackers have recently managed to bypass its security by exploiting a zero-day vulnerability tracked as CVE-2023-34362.

According to reports, the exact timing of the attacks and the perpetrators behind them remain unknown.

One thing is certain, however: numerous organizations have had valuable data stolen in the attack.

Looking Into Details

Progress Software, in its security advisory, describes the vulnerability as “Critical” and emphasizes the need for swift action to protect the MOVEit Transfer environment.

Rapid7 reports 2,500 vulnerable MOVEit Transfer servers, the majority of which are in the United States.

All compromised devices analyzed so far have been found to contain “a webshell named ‘human2.asp,’ residing in the c:\MOVEit Transfer\wwwroot\ public HTML folder.”

[Image: Webshell installed on MOVEit (Source: Bleeping Computer)]

The exploitation technique reportedly involves SQL injection, leading to remote code execution and potential data theft.
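The web shell named above is the one concrete indicator the article gives, and a server that has been serving it will have recorded requests to it in its IIS logs. The following script is an added example (not code from the article or from Progress Software) that parses IIS W3C log lines using their own "#Fields:" header and flags requests to the known web-shell name or to any server-side script that is not in a baseline inventory of the installation's legitimate pages. The log lines are constructed samples, and the baseline set is an assumed placeholder to be replaced with the page list from a clean install.

```python
"""Flag requests to unexpected server-side scripts in IIS W3C logs.

Added example, not code from the article or from Progress Software. The log
lines are constructed samples; the only indicator taken from the article is
the web-shell file name 'human2.asp'. The baseline inventory is an assumption
and must be replaced with the page list of your own installation.
"""
import posixpath
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Set

KNOWN_WEBSHELL_NAMES = {"human2.asp"}            # indicator from the article
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx")   # handlers IIS will execute

# Assumed inventory of legitimate pages (placeholder; build it from a clean install).
ASSUMED_BASELINE = {"human.aspx", "guestaccess.aspx"}

# Constructed sample log. Columns follow the '#Fields:' header, which is how
# real IIS logs declare their layout, so the parser reads it instead of guessing.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-05-28 02:11:03 198.51.100.7 POST /human2.asp - 200
2023-05-28 02:11:04 198.51.100.7 GET /human2.asp x=1 200
2023-05-28 02:12:10 203.0.113.5 GET /human.aspx - 200
2023-05-28 02:13:44 203.0.113.5 POST /guestaccess.aspx - 200
2023-05-28 02:15:00 198.51.100.7 GET /images/helper.aspx - 200
2023-05-28 02:16:12 203.0.113.5 GET /images/logo.png - 200
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_suspicious_requests(lines: Iterable[str], baseline: Set[str]) -> List[Dict[str, str]]:
    """Return requests to a known web-shell name or to a script not in the baseline."""
    expected = {name.lower() for name in baseline}
    findings: List[Dict[str, str]] = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        name = posixpath.basename(stem).lower()
        if name in KNOWN_WEBSHELL_NAMES:
            reason = "known web-shell name"
        elif name.endswith(SCRIPT_EXTENSIONS) and name not in expected:
            reason = "script not in baseline inventory"
        else:
            continue
        findings.append({
            "time": f"{rec.get('date', '?')} {rec.get('time', '?')}",
            "client": rec.get("c-ip", "?"),
            "method": rec.get("cs-method", "?"),
            "path": stem,
            "reason": reason,
        })
    return findings


def summarize_by_client(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per client address to prioritise triage."""
    return dict(Counter(f["client"] for f in findings))


if __name__ == "__main__":
    hits = find_suspicious_requests(SAMPLE_LOG.splitlines(), ASSUMED_BASELINE)
    for hit in hits:
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['path']}  <- {hit['reason']}")
    print(summarize_by_client(hits))
```

Matching on the script name alone is deliberately coarse: a renamed copy of the shell would evade the first rule, which is why the second rule flags every executable page that is not in the inventory, and why the per-client summary matters more than any single hit.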

Implications

Threat actors exploiting the zero-day vulnerability in MOVEit Transfer can execute commands on the server that enable a range of follow-on actions.

They can retrieve a comprehensive list of stored files, along with the usernames of those who uploaded them and their file paths.

The threat actors can also extract information about the configured Azure Blob Storage account.

With this, attackers can instantly steal data from the victims’ Azure Blob Storage containers.

Furthermore, the threat actors have the capability to download files from the compromised server, further exacerbating the risk of data loss.

Mitigation Steps

To mitigate the risk of exploitation, Progress Software “advises administrators to block external traffic to ports 80 and 443 on the MOVEit Transfer server.”

However, it should be noted that this measure will limit external access to the web user interface, affect certain MOVEit Automation tasks, block APIs, and render the Outlook MOVEit Transfer plugin non-functional.

On the other hand, protocols such as SFTP and FTPS can still be used for file transfers.

Additionally, administrators are urged to “carefully inspect the ‘c:\MOVEit Transfer\wwwroot’ folder for any unexpected files, including backups or large file downloads.”

Such files could serve as indicators of compromise or ongoing data theft activities.
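The inspection the advisory asks for can be scripted so it is repeatable across servers. The following is an added example (not code from the article or from Progress Software) that walks the wwwroot folder and flags the known web-shell name, any executable page missing from a baseline inventory, archives or oversized files that would fit the "backups or large file downloads" description, and optionally anything modified after a reference time. The folder path is the one quoted from the advisory; the baseline set, size threshold and the sample directory tree used for the self-check are assumptions.

```python
"""Audit a MOVEit Transfer wwwroot folder for unexpected files.

Added example, not code from the article or from Progress Software. The
folder path comes from the advisory quoted above; the baseline inventory,
size threshold and sample tree are assumptions the operator must replace
with values from their own installation.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Set

WWWROOT = r"C:\MOVEit Transfer\wwwroot"         # folder named in the advisory
KNOWN_WEBSHELL_NAMES = {"human2.asp"}           # indicator from the article
SCRIPT_EXTENSIONS = (".asp", ".aspx", ".ashx")  # handlers IIS will execute
ARCHIVE_EXTENSIONS = (".zip", ".7z", ".rar", ".bak", ".gz")
LARGE_FILE_BYTES = 50 * 1024 * 1024             # assumed threshold for "large file"


@dataclass
class Finding:
    path: str      # path relative to the web root
    reason: str
    size: int


def audit_wwwroot(root: str, baseline: Set[str],
                  modified_after: Optional[float] = None,
                  large_bytes: int = LARGE_FILE_BYTES) -> List[Finding]:
    """Walk the web root and flag files an operator should look at first.

    baseline: relative paths expected in a clean install (case-insensitive).
    modified_after: optional POSIX timestamp; files changed after it are
    flagged even when their name looks ordinary.
    """
    expected = {os.path.normcase(p) for p in baseline}
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.normcase(os.path.relpath(full, root))
            size = os.path.getsize(full)
            lower = fname.lower()
            if lower in KNOWN_WEBSHELL_NAMES:
                reason = "known web-shell name"
            elif lower.endswith(SCRIPT_EXTENSIONS) and rel not in expected:
                reason = "script not in baseline inventory"
            elif lower.endswith(ARCHIVE_EXTENSIONS) or size >= large_bytes:
                reason = "backup or large file in web root"
            elif modified_after is not None and os.path.getmtime(full) > modified_after:
                reason = "modified after reference time"
            else:
                continue
            findings.append(Finding(rel, reason, size))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(root: str) -> None:
    """Create a constructed sample tree: one clean page, one file carrying the
    web-shell name, one stray script, one archive and one static asset."""
    sample = {
        "human.aspx": b"<%-- legitimate page (constructed) --%>",
        "human2.asp": b"<%-- stand-in for an unexpected script (constructed) --%>",
        os.path.join("tools", "helper.aspx"): b"<%-- not in baseline (constructed) --%>",
        "backup.zip": b"PK\x03\x04",
        os.path.join("images", "logo.png"): b"\x89PNG",
    }
    for rel, content in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def run_self_check() -> List[Finding]:
    """Audit the constructed sample tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_wwwroot(tmp, baseline={"human.aspx"})


if __name__ == "__main__":
    for f in run_self_check():
        print(f"{f.reason:34} {f.size:>10} B  {f.path}")
```

Against a live server, call audit_wwwroot(WWWROOT, baseline) with a baseline built from a clean installation of the same version; the one-entry baseline in the self-check is deliberately tiny so that the stray script is visible. Pass modified_after as the timestamp of the last known-good change so that files written during the exposure window stand out even when their names look ordinary.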

Until an official patch is released, organizations are strongly advised by Progress Software to shut down their MOVEit Transfer servers and conduct thorough investigations to identify potential compromises before bringing the servers back online.

For more news and updates on Cybersecurity, visit The Cybersecurity Club.
