A major cybersecurity vulnerability has been identified and exploited in MOVEit Transfer software, an application developed by Progress Software Corporation subsidiary, Ipswitch. The software, widely used for secure data transfers between businesses and customers, has been under attack from unknown hackers exploiting the zero-day vulnerability known as CVE-2023-34362.
Progress Software has issued a critical security advisory, urging all customers using MOVEit Transfer to take immediate precautionary measures. The developers also recommend blocking external traffic to ports 80 and 443 on MOVEit Transfer servers until patches are fully installed.
The restriction of these ports, although necessary, will disrupt certain operations such as external access to the web UI, some MOVEit Automation tasks, API functions, and the functionality of the Outlook MOVEit Transfer plugin. However, secure file transfer protocols like SFTP and FTP/s can still be employed.
Progress advises administrators to vigilantly inspect the 'c:\MOVEit Transfer\wwwroot' directory for unexpected files to indicate potential data theft. More specific details about the vulnerability are yet to be disclosed.
Uncovering the Zero-Day Breach
Cybersecurity firm Rapid7 has identified the zero-day flaw in MOVEit Transfer as an SQL injection vulnerability that leads to remote code execution. Rapid7 discovered approximately 2,500 exposed MOVEit Transfer servers, primarily in the United States.
The webshell found in all exploited devices, named 'human2.asp', resides in the public HTML folder and can execute a series of commands if accessed with the correct password. These commands enable the attacker to retrieve various types of information from the MOVEit Transfer MySQL server, including lists of stored files, user details, Azure Blob Storage account configurations, and the ability to download server files.
Moreover, many admins have reported discovering multiple, unexpected App_Web_<random>.dll files after breaches, where typically only one should be present. It was also revealed that the breach likely began over the long US Memorial Day weekend when system monitoring was at its minimum.
Ensuring Organizational Security
Experts recommend that organizations shut down any MOVEit Transfers until a patch has been released and a thorough investigation for compromise has been conducted. Charles Carmakal, CTO of Mandiant, strongly suggests that all organizations using MOVEit Transfer should conduct a forensic examination to ascertain whether their system was compromised and if data was stolen.
Organizations should prepare for possible extortion and public exposure of their stolen data. Furthermore, Progress Software has confirmed that the MOVEit Cloud platform was impacted, potentially broadening the victim base. Until the threat has been completely neutralized, organizations should follow the mitigation steps provided by Progress for on-premise and cloud-based systems.
Currently, no attempts at extortion have been reported, but organizations must remain vigilant and proactive in their security efforts to avoid further breaches.
Microsoft Attributed attacks to Lace Tempest
Today, Microsoft has attributed attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims.
Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims. pic.twitter.com/q73WtGru7j
— Microsoft Threat Intelligence (@MsftSecIntel) June 5, 2023
Microsoft noted,
"Exploitation is often followed by deployment of a web shell w/ data exfil capabilities. CVE-2023-34362 allows attackers to authenticate as any user. Lace Tempest (Storm-0950, overlaps w/ FIN11, TA505) authenticates as the user with the highest privileges to exfiltrate files."
Microsoft strongly urges organizations affected by the CVE-2023-34362 MOVEit Transfer vulnerability to apply security patches and perform mitigation actions provided by Progress in their security advisory.
Additionally, they added, Microsoft Defender Threat Intelligence and Microsoft 365 Defender published articles with IOCs, detections, and hunting guidance. Microsoft will continue to monitor these attacks and work with Progress and other partners on intelligence sharing.