Warning: MOVEit vulnerability is abused in attacks, data extradicted

Stop - Pixabay[German]Do any of you use the MOVEit Managed File Transfer (MFT) software? There is a vulnerability in the MOVEit Managed File Transfer (MFT) solution that allows privilege escalation and unauthorized access to the software's environment. The German Federal Office for Information Security (BSI) has issued a threat level 4 warning. This is because it is now known that the MOVEit Transfer Zero Day vulnerability is being exploited on a large scale to steal data. In the meantime, however, security updates are available, and administrators must perform additional checks for compromises.


What is MOVEit?

MOVEit is a Managed File Transfer (MFT) software that enables transfer of files between different computers. The software is developed by Ipswitch, a subsidiary of the US company Progress Software Corporation. MOVEit is often used in companies to exchange files between customers or business partners via the Internet. Uploads are supported via the SFTP, SCP and HTTP protocols to transfer the files securely.

The company touts that "Progress MOVEit is the leading managed file transfer (MFT) software used by thousands of organizations around the world to provide complete visibility and control over file transfer activities. Whether deployed as a service, in the cloud or on-premise, MOVEit enables your organization to meet compliance standards, easily ensure the reliability of critical business processes, and securely transfer sensitive data between partners, customers, users and systems."

SQL Injection Vulnerability in MOVEit

Vendor Progress has issued a security advisory as of May 31, 2023, warning of several critical vulnerabilities in its Managed File Transfer (MFT) software, MOVEit. The alert states, "Progress has discovered a vulnerability in MOVEit Transfer that could lead to elevated privileges and potentially unauthorized access to the environment."

This is an SQL injection vulnerability for which no CVE value has been assigned yet. The SQL injection vulnerability was found in the MOVEit Transfer web application. This vulnerability could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database, the security advisory states.

Depending on the database engine used (MySQL, Microsoft SQL Server or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that modify or delete database elements.


Take immediate action

All (unpatched) Progress MOVEit Transfer versions are affected (see below). In the security advisory, the vendor also recommends disabling all HTTP and HTTPs traffic to the MOVEit Transfer environment until the available security updates are installed. It is recommended that firewall rules be set to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until one of the subsequent patches can be applied. However, this disabling has the following limitations:

  • Users are unable to log in to the MOVEit Transfer web UI.
  • MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
  • REST, Java, and .NET APIs will not work.
  • MOVEit Transfer add-in for Outlook will not work

In addition, administrators should inspect the MOVEit environment and check if any unknown files and user accounts have been created there by third parties. Specifically, delete unauthorized files and user accounts.

  • Delete all instances of the human2.aspx and .cmdline script files.
  • On the MOVEit Transfer server, search for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
  • On the MOVEit Transfer server, look for any new files created in the C:\Windows\TEMP\[random]\ directory with the [.]cmdline file extension.
  • Remove all unauthorized user accounts.

In addition, administrators should check the logs (transfer logs) for unexpected downloads of files from unknown IPs or for a large number of downloaded files. And reset the credentials for the service account for the affected systems and the MOVEit service account.

MOVEit Transfer security updates

All Progress MOVEit Transfer prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1) are affected. However, the vendor has provided security updates to close the vulnerability. The following table shows an overview of the affected and patched versions – the links are available in the security advisory.

MOVEit Transfer Patches

After applying the patch, the blocking of HTTP and HTTPs traffic to the MOVEit Transfer environment can be allowed again.

Mass attack observed, CERT warning

German blog reader Stefan A. emailed me last night to let me know that the German CERT (BSI) has released a warning (thanks for that).

The colleagues at Bleeping Computer also warns of attacks via the vulnerability in the article New MOVEit Transfer zero-day mass-exploited in data theft attacks. According to the article, Bleeping Computer has evidence that threat actors have exploited this zero-day vulnerability in MOVEit software to mass download data from companies. However, according to the article, it is unclear from when the vulnerability was exploited and which threat actors were behind the attacks.  According to BleepingComputer, numerous organizations were attacked and data was stolen.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *