Reports of active exploitation of a zero-day vulnerability in the MOVEit file transfer software are making the rounds this week. The vendor, Progress Software, has released an advisory and this issue has now been assigned CVE-2023-34362. Attackers are abusing a SQL injection vulnerability in the web interface of MOVEit to deploy a web shell and gain access to the data stored within the platform.
What is the MOVEit Managed File Transfer service?
The MOVEit Managed File Transfer is a Windows-based application that supports secure file transfers through a web interface, as well as over SSH and SFTP. Progress Software states that “MOVEit provides secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting. Encryption and activity tracking enable compliance with regulations such as PCI, HIPAA and GDPR”. MOVEit is widely used for transferring sensitive information between a regulated organization and outside parties. MOVEit services are exposed to the internet by design, as this is necessary for users outside of the organization to use the service.
What is the impact?
Multiple security service providers, including Rapid7, are reporting active exploitation of this issue, with the attack resulting in the installation of a “web shell”, often accessed through the path “/human2.aspx”. Progress Software’s advisory indicates that users should look for indicators of compromise (IoCs) going back at least 30 days, suggesting that this issue may have been actively exploited for weeks and is only now coming to light. A compromise of the MOVEit server can lead to full exposure of all files managed by the service, access to the user database of the service, and could provide a foothold into the organization’s network, depending on network segmentation rules.
Are updates available?
On May 31st, Progress posted an advisory, including a download link to a patch. This advisory also describes some of the indicators of compromise and which paths and types of logs to look for to determine if the system was breached.
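The two IoCs the advisory text above gives a defender to work with are the “/human2.aspx” path and the 30-day look-back window. The following is an added example, not code from runZero or Progress, that parses IIS W3C log lines and reports every request to that path within the window; the log excerpt, the field layout and the reference date are constructed for illustration, so adjust them to your own IIS log format.

```python
"""Scan IIS W3C logs for requests to the MOVEit web-shell path (/human2.aspx).

Added example, not vendor code. Reviews the last 30 days of requests, as the
advisory recommends. The log excerpt below is constructed sample data.
"""
from datetime import datetime, timedelta

WEBSHELL_PATH = "/human2.aspx"  # path named in the advisory coverage above

# Constructed IIS W3C log excerpt (assumed field layout; not a real incident).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2023-04-20 08:00:01 198.51.100.7 GET /human2.aspx 404 Mozilla/5.0
2023-05-27 03:14:09 203.0.113.5 POST /human2.aspx 200 Mozilla/5.0
2023-05-28 09:30:00 192.0.2.10 GET /MOVEit/transfer.aspx 200 Mozilla/5.0
2023-05-29 23:59:59 203.0.113.5 GET /HUMAN2.ASPX 200 python-requests/2.31
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            # Last field (User-Agent) may contain spaces, so cap the split.
            values = line.split(None, len(fields) - 1)
            yield dict(zip(fields, values))


def find_webshell_hits(text, as_of="2023-06-01", days=30):
    """Return requests to the web-shell path on or after as_of minus `days`.

    Both 200s (file present) and 404s (probing) are reported; a 200 response
    is the strongest sign that the web shell was actually deployed.
    """
    cutoff = datetime.fromisoformat(as_of) - timedelta(days=days)
    hits = []
    for rec in parse_w3c(text):
        when = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        # IIS paths are case-insensitive, so normalise before comparing.
        if when >= cutoff and rec["cs-uri-stem"].lower() == WEBSHELL_PATH:
            hits.append({"when": when.isoformat(), "ip": rec["c-ip"],
                         "method": rec["cs-method"], "status": rec["sc-status"]})
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG):
        print(hit)
```

Any hit from this scan warrants pulling the full request history for that client IP and checking the MOVEit web root for the file itself.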
How do I find potentially vulnerable Progress MOVEit Managed File Transfer services with runZero?
_asset.protocol:http protocol:http (http.head.setCookie:"MIDMZLang" OR favicon.ico.image.md5:9dffe2772e6553e2bb480dde2fe0c4a6)
Results from the above query should be reviewed for indicators of compromise and updated with the latest patch from Progress.
About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.