The zero-day vulnerability in Progress Software's MOVEit Transfer product is being exploited by the Clop ransomware gang and other copycat cybercriminal groups to expedite the theft of sensitive data from customer databases. To protect your organization from compromise, follow the recommended response actions in this blog.
Learn how UpGuard streamlines Vendor Risk Management >
What is the MOVEit Zero Day Vulnerability
The MOVEIT Transfer vulnerability (CVE-2023-35708) is a security vulnerability in MOVEit Transfer - a Managed File Transfer solution for transferring files securely between organizations. If exploited, this critical vulnerability could facilitate privileged escalation, allowing threat actors to access a MOVEit Transfer database and exfiltrate its data to their command-and-control servers.
This zero-day was first discovered by Ransomware-as-a-Service gang Lace Tempest, known for using the Cl0p ransomware malware. Here's an example of a ransomware message delivered by the Cl0p ransomware gang after exploiting CVE-2023-34362. Though the first instances of exploitation were officially confirmed on May 27, 2023, clop hackers may have been experimenting with cyberattacks connected to this vulnerability since 2021.
Learn how to respond to the Fortigate SSL VPN vulnerability >
Learn how to defend against Ransomware Attacks >
According to an announcement on their dark web leak site, Cl0p claims to have compromised 27 companies through this vulnerability across various sectors, including healthcare and financial services. Among the prestigious names in this list is UK-based energy gain Shell.
The United States government has confirmed that several federal agencies have also fallen victim to attacks linked to the MOVEit Transfer vulnerability, with two critical infrastructure entities likely to be included in this list.
How Does Exploitation Happen?
MOVEit transfer sends encrypted data over several protocols:
- SFTP (SSH)
- FTPS
- Via an API linked to a webpage
- Direct web page upload/download.
However, only the webpage feature is impacted by the exploit using an SQL Injection vulnerability.
An SQL Injection is a type of cyberattack where hackers enter commands into a log-in form to extract data from an underlying database.
Attackers could also use SQL injection to learn about the structure of a MOVEit Transfer database in preparation for a future data breach, or delete databases to create extortion opportunities from resulting business disruptions - similar to the tactics used in DDoS attacks.
Different forms of this cyberattack are maturing, with some resulting in extreme outcomes like leakage of the entire databases, unauthorized file access, and, ultimately, remote code execution.
The broadening impact potential of these attacks has resulted in several overlapping vulnerabilities raised by NIST, including:
How to Safeguard Your Business Against MOVEIT Cyberattacks
These immediate cybersecurity responses should be actioned before patches are applied to reduce the risk of exploitation during the patching process.
These response actions have been sourced from Progress Software’s post.
Step 1: Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment
Configure your firewall to deny all HTTP and HTTPS traffic to MOVEit Transfer. Only reinstate traffic AFTER patches have been applied.
HTTP and HTTPS traffic to your MOVEit Transfer environment should be disabled on ports 80 and 443.
Note: After disabling this traffic, SFTP and FTP protocols will continue operating as usual, but the following functions will not be operational:
- Logging into MOVEit Transfer via the Web User Interface
- Any MOVEit Automation tasks depending on the native MOVEit Transfer host
- Any REST, Java, and .NET APIs.
- The MOVEit Transfer Outlook add-on.
A workaround for not being able to log in via the web UI is to use a remote desktop to connect to the Windows machine and then load https://localhost/
Learn more about Progress Software’s remote access policy >
Step 2: Delete all Unauthorized Files and Accounts
(i). Delete Human2.aspx and .cmdline files
Find any instances of the following files and delete them. Also, delete any files where these names occur as prefixes.
- human2.aspx
- .cmdline
(ii). Delete New files in the C:\MOVEitTransfer\wwwroot\ directory.
The presence of human2.aspx files in this directory is evidence of exploitation in progress. Here’s an example of traffic in an IIS log during a live MOVEit exploit attack.
(iii). Delete New files in C:\Windows\TEMP\[random]\ directory
Look for files within the MOVEit Transfer server containing the extension [.]cmdline and delete them.
(iv). New APP_WEB_[random].dll files
To remove new APP_WEB_[random].dll files, follow this process:
- Stop IIS - iisreset /stop
- Delete any new APP_WEB_[random].dll files contained in C:\Windows\Microsoft. NET\Framework64\[version]\Temporary ASP. NET Files\root\[random]\[random]\
- Start IIS - iireset /start
(v). Remove all Unauthorized Accounts
Prevent unauthorized access by removing all instances of unauthorized accounts. Refer to the documentation below for guidance.
How to manage user accounts in MOVEit Transfer >
(vi). Remove all Active Sessions
Remove all active sessions by signing in as a System Administrator, navigating to “Session Manager,” and selecting “Remove all Sessions.”
(vii). Remove Downloads from Unknown IP Addresses
Parse Moveit Transfer logs for any downloads initiated by unknown IP addresses. Refer to this documentation from Moveit for guidance.
(viii). Check Logs for GET /human2.aspx events
The presence of these events is indicative of an automated attack chain attempting to deploy the human2.aspx web shell.
(ix). Check for Unauthorized Access to Azure Blog Storage Keys
Check Azure logs for events indicating access to storage keys and rotate any keys you suspect to be impacted.
How to manage Azure storage account access keys >
Step 3: Reset Service Account Credentials
After all of the above steps have been completed, update all user account passwords for all affected systems as well as your MOVEit Service Account.
How to change your Windows Service Account Password >
Step 4: Install MoveIT Transfer Patches
Install patches for all affected versions of MOVEIT Transfer within your ecosystem. All affected versions of MOVEit Transfer and their corresponding patched fixes are listed below.
- Affected: MOVEit Transfer 2023.0.0 (15.0)
- Fixed: MOVEit Transfer 2023.0.2 (15.0.2)
- Download the fixed version
- Affected: MOVEit Transfer 2022.1.x (14.1)
- Fixed: MOVEit Transfer 2022.1.6 (14.1.6)
- Download the fixed version
- Affected: MOVEit Transfer 2022.0.x (14.0)
- Fixed: MOVEit Transfer 2022.0.5 (14.0.5)
- Download the fixed version
- Affected: MOVEit Transfer 2021.1.x (13.1)
- Fixed: MOVEit Transfer 2021.1.5 (13.1.5)
- Download the fixed version
- Affected: MOVEit Transfer 2021.0.x (13.0)
- Fixed: MOVEit Transfer 2021.0.7 (13.0.7)
- Download the fixed version
- Affected: MOVEit Transfer 2020.1.x (12.1)
- Fixed: Special patch (12.1)
- Download special patch
- Affected: MOVEit Transfer 2020.0.x (12.0) or older
- Fix: Must upgrade to a supported version
- Affected: MOVEit Cloud
- Fixed: Prod: 14.1.6.97 or 14.0.5.45
- All MOVEit Cloud systems should be fully patched (see Cloud status page).
Step 5: Confirm Removal of Malicious Files and Accounts
Repeat all the tasks in step 2. If any malicious files or accounts are found, delete them, reset service account credentials, and then repeat step 2 until no more indicators of compromise are found.
Step 6: Apply the Latest Patches for CVE -2023-35708
The exploit tactics for this MOVEit Transfer vulnerability are continuously evolving. Keep your remediation efforts and cyber threat awareness sharpened by following the latest patch release news on this Progress Community page.
You can also track the latest updates about the MOveit Transfer and Moveit Cloud vulnerabilities on this Progress Security page.
Step 7: Enable all HTTP and HTTPS Traffic to your MOVEit Transfer environment
Now that all malicious files and accounts have been removed and patches have been applied, HTTP and HTTPS traffic can be reinstated to your MOVEit Transfer ecosystem.
Step 8: Continuously Monitor for Indicators of Compromise
Continuously monitor all endpoints and network traffic logs against the Indicators of Compromise provided by Progress Software. The IoC file can be downloaded at the bottom of this page.
Your monitoring efforts should extend to the third-party vendor network to prevent this zero-day vulnerability from facilitating third-party breaches. However, given the non-invasive policy of most reputable attack surface scanning solutions, these scans cannot confirm which versions of IT MOVE Transfer your vendors are running.
UpGuard has created a workaround for this by updating its scanning capabilities to detect where MOVEit Transfer is running and if HTTP is running/accessible to the internet.
The UpGuard platform can detect potential MOVEit Transfer vulnerabilities by detecting the following risks:
1. MOVEIt Transfer with HTTP or HTTPS port open detected.
2. MOVEIt Transfer has been detected with HTTP not available
When these risks are detected, customers can send a personalized remediation request message or a customized risk assessment addressing the specific IoCs of MOVEit Transfer from the UpGuard platform.
Watch the video below for an overview of UpGuard's remediation request feature.
Additional MOVEit Transfer Protection Strategies
Follow these additional mitigation steps to further reduce your impact potential.
- Update Firewall Rules - Configure your firewall to only permit MOVEit Transfer environment connections from trusted IP addresses.
- Update Remote Access Policies - Only permit inbound connection requests from trusted IP addresses. For guidance on remote access management in the MOVEit Transfer environment, refer to this SySAdmin rule guide and Remote Access guide.
- Enable Multi-Factor Authentication - Secure all MOVEit Transfer accounts with MFA, especially given the current heightened risk of these accounts being compromised in dark web forums. For guidance on applying MFA to MOVEit Transfer accounts, refer to this documentation.
Learn how UpGuard detects data leaks > - Update Incident Response Plans - Update your response plan to address the remediation steps outlined above and the suggestions in this advisory by the Cybersecurity and Infrastructure Security Agency (CISA). Also, bookmark this Progress Software blog to stay informed of any emerging updates impacting previous remediation suggestions.
- Unusual Network Traffic - Monitor for unusual network traffic fluctuations, similar to the characteristics of exfiltration processes and Advanced Persistent Threats (APTs). How is the MOVEit Transfer Vulnerability Being Exploited?
- Implement Zero Trust - A zero-trust architecture could prevent hackers from reaching your sensitive data after a network breach. Zero trust should, ideally, also be implemented throughout your supply chain to reduce the risk of incidents resulting from compromised third-party vendors.
