{"id":68320,"date":"2023-06-28T14:25:55","date_gmt":"2023-06-28T06:25:55","guid":{"rendered":"https:\/\/version-2.com\/?p=68320"},"modified":"2023-06-26T14:31:02","modified_gmt":"2023-06-26T06:31:02","slug":"navigating-the-moveit-transfer-vulnerabilities","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2023\/06\/navigating-the-moveit-transfer-vulnerabilities\/","title":{"rendered":"Navigating the MOVEit Transfer vulnerabilities"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

<\/p>

Last week, Progress Software released yet another patch for the MOVEit file transfer software to address the third in a series of recently discovered vulnerabilities.<\/p>

If exploited, these vulnerabilities allow an unauthenticated attacker to gain unauthorized access to a MOVEit Transfer database. MOVEit users are urged to apply the latest patch. Until they have done so, software users should follow the mitigation steps provided by the MOVEit<\/a> team and prepare to update as soon as possible.<\/p>

Likewise, organizations should also investigate the indicators of compromise published by CISA<\/a> and Progress Software<\/a> to determine whether their networks have been potentially compromised. ESET security products detect the webshell payloads seen in the attacks as ASP\/Webshell.LZ. Hence
ESET PROTECT customers can search for this detection name as a way of checking whether they have been attacked:<\/p>

<\/p>

A search result of \u201cNo results found<\/strong>\u201d means you have likely not been attacked. However, any hits from the search should trigger a review of the detections on the specific computers\/servers where the detections occurred. ESET Inspect customers can see more detail on the actions that occurred prior to the detection of the webshells.

If you have purchased an ESET security service<\/a>, such as ESET Detection and Response Advanced<\/strong>, make sure to request a threat hunt<\/strong> by one of our security specialists. If you have ESET Detection and Response Ultimate<\/strong>, then our security specialists have likely already performed a hunt<\/strong> in your environment and are actively monitoring for any threat activity related to this attack.

If the installed ESET protection detects<\/strong> ASP\/Webshell.LZ within the environment, the customer will want to:
– Verify that they have applied patches as per Progress MOVEit\u2019s<\/a> advisory
– Review MOVEit IIS logs for known indicators of compromise showing the use of known malicious human2.aspx. This will supply them with dates of the first attempted uses of the malicious webshell, and IP Addresses used by attackers to use the webshell.
\u00a0 o\u00a0\u00a0\u00a0 GET \/human2.aspx<\/p>