Emerging Threat

MOVEit Transfer Vulnerability: Emerging Threat published

A critical SQL injection vulnerability has been identified in Progress Software’s MOVEit Transfer product.


Summary

Update - June 16, 2023: A further vulnerability within MOVEit Transfer has been discovered and patches are available as of June 16, 2023.

Update - June 12, 2023: Additional vulnerabilities within MOVEit Transfer have been discovered and patches are available as of June 9, 2023.

A critical SQL injection vulnerability has been identified in Progress Software’s MOVEit Transfer product that has been proven to result in unauthorised access to files and arbitrary code execution. It is being actively exploited, and multiple high-profile organisations are reported to be affected. MOVEit Transfer is widely used for secure file transfer. Security patches are available for all supported versions of the software.

Threat Description

Progress Software posted a security advisory on May 31, 2023, detailing a critical vulnerability within its MOVEit Transfer product. MOVEit Transfer is an on-premises Managed File Transfer software, used by organisations globally for secure file transfer and collaboration.

All versions are affected, but patches are available and should be applied immediately.

Additional vulnerabilities within MOVEit Transfer have been discovered and patches are available as of June 9, 2023.

The MOVEit Cloud platform was also affected but has been patched and thoroughly tested, with important information for MOVEit Cloud customers here.

The SQL injection vulnerability allows an attacker to ultimately gain unauthenticated remote access to any file within the system. Huntress also report that arbitrary code execution is possible.

It is likely that the vulnerability has been actively exploited since at least May 28, 2023.

There are over 2500 servers exposed to the public internet around the world. Rapid7 have reported an uptick in the exploitation of the vulnerability since it was announced and advise remediation on an emergency basis.

Reports suggest that many high profile organisations have experienced data exfiltration, including contact and bank details.

Microsoft are attributing attacks to ‘Lace Tempest’ (aka Cl0p), a group known for ransomware and extortion. However other threat actors may also be actively exploiting the vulnerability.

The vulnerability was assigned CVE-2023-34362 on June 5, 2023.

Applicability

The threat is applicable to any organisations that make use of the Progress MOVEit Transfer software, which includes both blue chip enterprises and smaller businesses globally. There is a particularly high concentration of affected organisations within the United States, but the software is used worldwide.

In the UK, British Airways, Boots and the BBC have all been affected, and payroll provider Zellis has confirmed that a number of its customers have been impacted.

Relevance to the Supply Chain

It is important to understand the extent to which your supply chain is affected by this threat, particularly the potential impact from third parties that may use the Progress MOVEit Transfer software to transfer files to and from their customers.

Given the verified threat of unauthorised access to files and data exfiltration, any business files held by other organisations within the supply chain may be at risk of being breached, resulting in the loss of confidential information.

What should you do about it

There are immediate actions you should take to protect yourself from this threat.

If you are a customer of MOVEit Cloud, read the article here and review your audit logs for signs of unexpected file downloads.

If you use MOVEit Transfer in your own environments:

  1. Identify which versions of the MOVEit Transfer software your organisation uses.
  2. Immediately deny all HTTP and HTTPS traffic to your MOVEit Transfer environments until the patch is applied.
  3. Look for signs of exploitation by following Progress Software’s instructions here.
  4. A comprehensive list of known Indicators of Compromise (IoC) can be found here with particular emphasis on the presence of a human2.aspx file.
  5. If any IoCs are found, follow your Incident Response policies and follow Rapid7’s advice on determining whether any files were exfiltrated.
  6. Apply the relevant patches for your software version found here.
  7. Re-enable HTTP and HTTPS traffic after verifying there are no further indicators of compromise.
  8. Understand to what extent your suppliers or partners are affected, and support them through actions 1 to 5. Suppliers can self-report their status by logging into Risk Ledger.
  9. [Update] Apply the new patches released on June 9, 2023.
  10. [Update] Apply the new patches released on June 16, 2023.
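As an added example of the triage in steps 3 to 5 (example code written for this advisory, not Progress Software's or Risk Ledger's tooling), the script below flags the human2.aspx webshell named above, any other .aspx file not on an allowlist, and allowlisted .aspx files modified on or after May 28, 2023, the earliest exploitation date given above. The web root path, the allowlist contents and the sample directory entries are constructed assumptions; capture a real allowlist from a clean reference install of the same version.

```python
"""Triage a MOVEit Transfer web root for webshell indicators.

Added example, not vendor tooling. Reviews .aspx files only; other
IoCs from the linked advisories still need to be checked separately.
"""
from datetime import datetime, timezone
from pathlib import Path

# Assumed placeholder: set this to the wwwroot of your MOVEit Transfer install.
MOVEIT_WEBROOT = Path(r"C:\PLACEHOLDER\MOVEitTransfer\wwwroot")
# Earliest known exploitation date stated in the advisory (May 28, 2023).
EXPLOIT_START = datetime(2023, 5, 28, tzinfo=timezone.utc)
# The file name called out as the primary IoC; compared case-insensitively.
KNOWN_WEBSHELL = "human2.aspx"


def classify(entries, allowlist, since=EXPLOIT_START):
    """Return (reason, relative_path) findings from (relative_path, mtime_utc) pairs.

    allowlist holds lowercase .aspx file names expected in a clean install.
    """
    findings = []
    for rel, mtime in entries:
        name = rel.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if not name.endswith(".aspx"):
            continue  # only server-side pages are in scope for this check
        if name == KNOWN_WEBSHELL:
            findings.append(("known webshell name", rel))
        elif name not in allowlist:
            findings.append(("aspx not in allowlist", rel))
        elif mtime >= since:
            findings.append(("allowlisted aspx modified during exploit window", rel))
    return findings


def walk_webroot(webroot):
    """Yield (relative_path, mtime_utc) for every file under the web root."""
    root = Path(webroot)
    for path in root.rglob("*"):
        if path.is_file():
            ts = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            yield str(path.relative_to(root)), ts


# Constructed sample entries and allowlist standing in for a real directory walk.
SAMPLE_ENTRIES = [
    ("human2.aspx", datetime(2023, 5, 29, 3, 14, tzinfo=timezone.utc)),
    ("human.aspx", datetime(2023, 1, 10, tzinfo=timezone.utc)),
    ("machine.aspx", datetime(2023, 6, 1, tzinfo=timezone.utc)),
    ("images\\logo.png", datetime(2023, 6, 1, tzinfo=timezone.utc)),
    ("uploads\\unknown.aspx", datetime(2023, 6, 2, tzinfo=timezone.utc)),
]
SAMPLE_ALLOWLIST = {"human.aspx", "machine.aspx"}

if __name__ == "__main__":
    # Replace SAMPLE_ENTRIES with walk_webroot(MOVEIT_WEBROOT) on a live host.
    for reason, rel in classify(SAMPLE_ENTRIES, SAMPLE_ALLOWLIST):
        print(f"{reason}: {rel}")
```

A hit on any category is a trigger for the incident response steps above, not proof of compromise on its own; a legitimate patch install will also update allowlisted pages inside the window.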

Where to find more information

This is an evolving situation. You can keep up to date with the latest information on this threat by following…

To understand how your supply chain is affected by the MOVEit Transfer vulnerability, create your free account on Risk Ledger. You can find out more about how the Emerging Threats feature on Risk Ledger works here.
