New MOVEit Transfer Zero-Day Mass-Exploited in Data Theft Attacks

Cyber Security Threat Summary:
Cybercriminals are exploiting a zero-day vulnerability in the MOVEit Transfer software to steal data from targeted organizations. MOVEit Transfer is a managed file transfer (MFT) product developed by Ipswitch, a subsidiary of the US-based Progress Software Corporation. It provides secure file transfers between enterprises, business partners, and customers over protocols such as SFTP, SCP, and HTTP-based uploads. Progress offers MOVEit Transfer in two forms: an on-premise deployment managed by the customer, and a cloud-based Software-as-a-Service (SaaS) platform managed by the vendor. According to Progress, MOVEit is used by numerous enterprises, including Chase, Disney, GEICO, and MLB, as well as by 1,700 software companies and a community of 3.5 million developers.

“BleepingComputer has learned that threat actors have been exploiting a zero-day in the MOVEit MFT software to perform mass downloading of data from organizations. It is unclear when the exploitation occurred and which threat actors are behind the attacks, but BleepingComputer has been told that numerous organizations have been breached and data stolen. Yesterday, Progress released a security advisory warning customers of a "Critical" vulnerability in MOVEit MFT, offering mitigations while a patch is tested. "Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment," reads a security advisory from Progress. "If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch." As a patch is unavailable while it is being tested, Progress has released mitigations that MOVEit admins can use to secure their installations” (Bleeping Computer, 2023).

To prevent exploitation, the developers are advising administrators to block external traffic to ports 80 and 443 on the MOVEit server. Progress notes that this will block external access to the web user interface, disrupt MOVEit Automation tasks that use the native MOVEit Transfer host, stop the REST, Java and .NET APIs from working, and prevent use of the MOVEit add-in for Outlook. SFTP and FTP/S file transfers are not affected. Administrators are also urged to examine the 'c:\MOVEit Transfer\wwwroot' folder for any unexpected files, including backups, and to look for large or unusual file downloads. According to BleepingComputer, the presence of unexpected backups or significant downloads indicates that threat actors may already have accessed or stolen data.

Security Officer Comments:
No specific details of the zero-day vulnerability have been disclosed. Given the ports being blocked and the folder recommended for inspection, it is likely a web-facing vulnerability. As a precaution, organizations are strongly advised to temporarily halt MOVEit Transfer, conduct a thorough investigation for signs of compromise, and then apply the patch and restore the server once the patch is available. Although Progress has not explicitly confirmed active exploitation, BleepingComputer has gathered information on several organizations that have suffered data theft through the zero-day. The threat actors have not yet begun extorting victims, so attribution remains unclear.

Suggested Correction(s):
Progress Software Corporation recommends immediately following these mitigations to help prevent unauthorized access to your MOVEit Transfer environment:

Step 1: Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically:
Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. If you require additional support, please immediately contact Progress Technical Support by opening a case via https://community.progress.com/s/supportlink-landing. It is important to note that until HTTP and HTTPS traffic is enabled again:
- Users will not be able to log on to the MOVEit Transfer web UI
- MOVEit Automation tasks that use the native MOVEit Transfer host will not work
- REST, Java and .NET APIs will not work
- MOVEit Transfer add-in for Outlook will not work
Please note: SFTP and FTP/S protocols will continue to work as normal

As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/.
For more information on localhost connections, please refer to MOVEit Transfer Help: https://docs.progress.com/bundle/mo...3/page/Security-Policies-Remote-Access_2.html

Step 2: Check for the following potential indicators of unauthorized access over at least the past 30 days:
- Creation of unexpected files in the c:\MOVEit Transfer\wwwroot\ folder on all your MOVEit Transfer instances (including back-ups)
- Unexpected and/or large file downloads
If you do notice any of the indicators noted above, please immediately contact your security and IT teams and open a ticket with Progress Technical Support at: https://community.progress.com/s/supportlink-landing.

Step 3: Patches for all supported MOVEit Transfer versions are being tested and links will be made available below as they are ready. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle.
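The following PowerShell script is an added example (not Progress's own tooling) that applies Step 1 at the host firewall and automates the Step 2 check of wwwroot for recently created or modified files. It assumes Windows Defender Firewall is in use, that the web root is the default C:\MOVEit Transfer\wwwroot, and that the 100 MB "large file" threshold is a local tuning choice; run it as Administrator on each MOVEit Transfer instance.

```powershell
# Added example for the MOVEit Transfer advisory above; not vendor code.
# Assumptions: Windows Defender Firewall, default web root, 100 MB threshold.
param(
    [string]$WebRoot   = 'C:\MOVEit Transfer\wwwroot',
    [int]   $Days      = 30,
    [string]$ReportDir = 'C:\Temp\moveit-triage'
)

# --- Step 1: deny inbound HTTP/HTTPS (TCP 80/443) at the host firewall ---
# SFTP (22) and FTP/S are untouched, matching the advisory's note.
$ruleName = 'MOVEit-Block-HTTP-HTTPS'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 80,443 -Action Block -Profile Any | Out-Null
}

# --- Step 2: list files in wwwroot created or modified in the last $Days days ---
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$since  = (Get-Date).AddDays(-$Days)
$recent = Get-ChildItem -Path $WebRoot -Recurse -File -Force |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since }

# Record path, timestamps, size and SHA-256 so the list can be handed to IR.
$report = foreach ($f in $recent) {
    [pscustomobject]@{
        Path        = $f.FullName
        Created     = $f.CreationTime
        LastWritten = $f.LastWriteTime
        SizeBytes   = $f.Length
        Sha256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Sort-Object Created -Descending |
    Export-Csv -Path (Join-Path $ReportDir 'wwwroot-recent-files.csv') -NoTypeInformation

# Flag what the advisory calls out: backup/archive-like files and large files.
$suspicious = $report | Where-Object {
    $_.Path -match '\.(zip|7z|rar|bak|gz|tar)$' -or $_.SizeBytes -gt 100MB
}
$suspicious | Format-Table Path, Created, SizeBytes -AutoSize
"Recent files: $($report.Count); flagged: $($suspicious.Count). Report written to $ReportDir"
```

Any flagged file should be preserved (not deleted) and handed to the security team together with the CSV, as the advisory directs.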

Link(s):
https://www.bleepingcomputer.com/
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023