Zero-day abuse of MOVEit Transfer leads to data theft attacks

June 5, 2023

A new threat has emerged as hackers capitalise on a zero-day vulnerability in the renowned MOVEit Transfer file transfer software. Tracked as CVE-2023-34362, this vulnerability has become a gateway for cybercriminals to infiltrate organisations and stealthily exfiltrate valuable data.

MOVEit Transfer, developed by Ipswitch, a subsidiary of Progress Software Corporation, is a widely used managed file transfer (MFT) solution that enables secure file transfers between enterprises and their partners and customers through protocols such as SFTP, SCP, and HTTP-based uploads.

With both on-premise and cloud-based options, Progress MOVEit Transfer offers flexibility and convenience, but its recent exploitation highlights the pressing need for heightened security measures in today’s digital landscape.

The abuse of the zero-day vulnerability in MOVEit Managed File Transfer (MFT) software involved hackers carrying out large-scale data downloads from multiple organisations.

Although the specific details regarding the timing and identities of the threat actors remain unclear, researchers have confirmed numerous breaches and data thefts. Recognising the severity of the situation, Progress, the developer of MOVEit MFT, issued a critical security advisory urging customers to take immediate action to safeguard their environments.

The developers have advised administrators to block external traffic to server ports 80 and 443. This will prevent external access to the web UI, hinder certain MOVEit Automation tasks, block the APIs, and render the Outlook MOVEit Transfer plugin nonfunctional, but file transfers over SFTP and FTPS remain available.

In addition, administrators are advised to thoroughly examine the ‘c:\MOVEit Transfer\wwwroot\’ folder for any unexpected files, including backups or large downloads, to verify the integrity of the system.

Further studies indicate that approximately 2,500 MOVEit Transfer servers are exposed, most of which are in the US. Alarmingly, all compromised devices contained the same webshell named ‘human2.asp’ in the c:\MOVEit Transfer\wwwroot\ public HTML folder. The webshell’s code primarily checks for a specific password-like value in the X-siLock-Comment header of inbound requests, returning a 404 “Not Found” error if the value is absent, as explained by Rapid7.

A thorough investigation into the compromised webshell, ‘human2.asp,’ discovered within breached MOVEit Transfer servers, has uncovered that the script carries out a series of commands contingent upon the supplied password and the values found in the ‘X-siLock-Step1,’ ‘X-siLock-Step2,’ and ‘X-siLock-Step3’ request headers. This information sheds light on the level of control and flexibility afforded to malicious actors upon successful authentication, further emphasising the severity of the situation.
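The two indicators the article gives (an unexpected ‘human2.asp’ in the wwwroot folder, and requests carrying the X-siLock-* headers) translate directly into defender-side checks. The following is an added example, not code from the article, from Progress, or from Rapid7: it checks a directory listing of wwwroot against a clean-install baseline, flags backup archives and large files, and scans web-server log lines for requests to the webshell path. The baseline file names, the log field layout, the size threshold and all sample data are constructed assumptions for illustration; a real baseline must come from a known-clean install of the same MOVEit Transfer version.

```python
"""Defender-side checks for the MOVEit Transfer indicators described in the article.

Added example; not code from the article, from Progress Software or from Rapid7.
Baseline names, log format, size threshold and sample data are assumptions.
"""
import re
from typing import Iterable

# Indicator named in the article: the webshell dropped into wwwroot.
WEBSHELL_NAME = "human2.asp"

# Request headers the article says the webshell keys on (compared case-insensitively).
SUSPICIOUS_HEADERS = ("x-silock-comment", "x-silock-step1", "x-silock-step2", "x-silock-step3")

# Extensions typical of backups or staged archives (assumption: tune per site).
BACKUP_EXTENSIONS = (".bak", ".zip", ".7z", ".rar", ".gz")

# "Large download" threshold; illustrative value only.
LARGE_FILE_BYTES = 100 * 1024 * 1024


def check_wwwroot(listing: Iterable[tuple[str, int]], baseline: set[str]) -> list[str]:
    """Return human-readable findings for wwwroot entries that deserve a look.

    listing  -- (filename, size_bytes) pairs, e.g. from a directory walk
    baseline -- filenames known to belong to a clean install of the same version
    """
    known = {b.lower() for b in baseline}
    findings = []
    for name, size in listing:
        lower = name.lower()
        if lower == WEBSHELL_NAME:
            findings.append(f"{name}: matches known webshell name")
        elif lower not in known:
            findings.append(f"{name}: not in clean-install baseline")
        if lower.endswith(BACKUP_EXTENSIONS):
            findings.append(f"{name}: backup/archive extension in web root")
        if size >= LARGE_FILE_BYTES:
            findings.append(f"{name}: large file ({size} bytes) in web root")
    return findings


# Assumed minimal W3C-style field layout for the sample log lines:
# date time cs-method cs-uri-stem c-ip sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<ip>\S+) (?P<status>\d{3})$"
)


def scan_web_logs(lines: Iterable[str]) -> list[dict]:
    """Flag every request whose path targets the webshell, regardless of status.

    The article notes the shell answers 404 when the expected header is absent,
    so a 404 alone does not distinguish a probe from an ordinary missing file;
    match on the path, not on the status code.
    """
    hits = []
    for line in lines:
        if line.startswith("#"):  # W3C directive lines
            continue
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m.group("uri").lower().rsplit("/", 1)[-1] == WEBSHELL_NAME:
            hits.append({**m.groupdict(), "reason": "request to webshell path"})
    return hits


def has_suspicious_headers(headers: dict[str, str]) -> bool:
    """True if a captured request (e.g. from a WAF or proxy) carries any X-siLock-* header."""
    present = {k.lower() for k in headers}
    return any(h in present for h in SUSPICIOUS_HEADERS)


# Constructed sample data (not real MOVEit files or logs).
SAMPLE_LISTING = [
    ("default.aspx", 12_000),
    ("web.config", 3_200),
    ("human2.asp", 9_800),
    ("export_2023-05-30.zip", 250 * 1024 * 1024),
]
SAMPLE_BASELINE = {"default.aspx", "web.config"}

SAMPLE_LOGS = [
    "#Fields: date time cs-method cs-uri-stem c-ip sc-status",
    "2023-05-28 02:14:07 GET /human2.asp 203.0.113.5 404",
    "2023-05-28 02:14:09 POST /human2.asp 203.0.113.5 200",
    "2023-05-28 02:15:00 GET /favicon.ico 198.51.100.7 404",
]

if __name__ == "__main__":
    for finding in check_wwwroot(SAMPLE_LISTING, SAMPLE_BASELINE):
        print(finding)
    for hit in scan_web_logs(SAMPLE_LOGS):
        print(hit)
```

Run against the constructed data, the listing check reports the webshell name and three findings on the staged archive, and the log scan returns both requests to the webshell path, including the one that got a 404. Feed `check_wwwroot` a real directory walk and a baseline taken from a clean install, and point `scan_web_logs` at exported IIS logs after adjusting `LOG_RE` to the site's configured fields.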

The identity of the threat actors remains uncertain, and no extortion attempts have been reported thus far.

Further reports indicate that the vulnerability also affects the product’s SaaS platform, widening the pool of potential victims. Progress Software, the developer of MOVEit, later corroborated this in a statement.

Although Progress Software has not explicitly confirmed active exploitation of the vulnerability in MOVEit Transfer, security experts have gathered evidence of numerous organisations falling victim to data theft utilising this zero-day flaw.

In response to the issue, immediate action was taken, including temporarily taking down MOVEit Cloud to ensure customer safety while evaluating the severity of the situation.
