With the rising complexity and scale of cyber-attacks, no software is immune to exploitation, and even the most secure platforms can fall prey to innovative threat actors. The recent zero-day vulnerability in MOVEit Transfer, a popular managed file transfer (MFT) software developed by Ipswitch, a subsidiary of Progress Software Corporation, serves as a stark reminder of this reality.
What is MOVEit Transfer?
Before delving into the details of the exploit, it’s crucial to understand the software at the heart of this issue. MOVEit Transfer is an MFT solution that allows enterprises to securely transfer files between business partners and customers using protocols such as SFTP, SCP, and HTTP-based uploads. It comes in two flavors: an on-premise solution managed by the customer and a cloud SaaS platform managed by the developer.
The Zero-Day Vulnerability
A zero-day vulnerability is a software flaw that is unknown to the vendor and to those responsible for mitigating it. The term “zero-day” refers to the fact that the developers have had “zero days” to fix the problem once it becomes known to them. The recently discovered zero-day vulnerability in MOVEit Transfer has been used by hackers to steal data from multiple organizations.
This zero-day flaw was actively exploited to perform mass downloading of data from organizations. The exact timeline of the exploitation and the threat actors behind these attacks remain unclear, but it is known that numerous organizations have been breached and their data stolen.
Following the discovery of the vulnerability, Progress Software Corporation issued a security advisory warning customers of the “Critical” vulnerability in MOVEit MFT. The advisory indicated that the vulnerability could lead to escalated privileges and potential unauthorized access to the environment. They strongly urged customers to take immediate action to protect their MOVEit Transfer environment while the team worked on producing a patch.
As an interim protective measure, Progress advised administrators to block external traffic to ports 80 and 443 on the MOVEit Transfer server. This would prevent external access to the web UI, stop some MOVEit Automation tasks from working, block the APIs, and disable the Outlook MOVEit Transfer plugin. However, the SFTP and FTPS protocols could still be used for file transfers.
Progress also advised admins to check the ‘c:\MOVEit Transfer\wwwroot\’ folder for unexpected files, including backups or large file downloads, as these could be indicators that threat actors have stolen data or are in the process of doing so.
The specific details of the zero-day vulnerability have not been released, but based on the ports blocked and the location specified for checking for unusual files, the flaw appears to be a web-facing vulnerability. Until a patch is available for their version, organizations are advised to shut down any MOVEit Transfer servers and perform a thorough investigation for compromise before applying the patch and bringing the server back online.
Recent Updates and Conclusion
As of June 2, 2023, the zero-day vulnerability has been patched. The vulnerability turned out to be an SQL injection, which was being exploited to escalate privileges and gain unauthorized data access. All versions of MOVEit Transfer were affected by this vulnerability.
Interestingly, after exploitation, the threat actor would drop a file named “human2.aspx” onto the system, which acted as a web shell. This web shell supported several parameters, which, when triggered, would initiate specific actions. For instance, without the ‘X-siLock-Comment’ parameter being set to the proper password, the system would return an HTTP 404 error code. The ‘X-siLock-Step1’ parameter was used for access, while ‘X-siLock-Step2’ and ‘X-siLock-Step3’ specified a directory and a filename, respectively.
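The two indicators the post gives defenders, unexpected files under the wwwroot folder and requests for the “human2.aspx” web shell, can be checked mechanically. The script below is an added example, not code from the original post or from Progress: it parses IIS W3C logs (constructed sample lines) for requests to the web shell, including the 404s the shell returns when the ‘X-siLock-Comment’ password is wrong, and lists .aspx files in a directory that are not on a known allowlist; the allowlist name human.aspx is assumed to be a legitimate MOVEit Transfer page.

```python
from __future__ import annotations
from pathlib import Path

# Constructed sample of IIS W3C extended log lines; the #Fields line names the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-05-28 02:11:05 203.0.113.7 GET /human2.aspx - 404
2023-05-28 02:11:09 203.0.113.7 POST /human2.aspx - 200
2023-05-28 08:30:00 198.51.100.4 GET /human.aspx - 200
2023-05-28 08:31:12 198.51.100.4 GET /HUMAN2.ASPX - 200
"""

WEBSHELL_NAME = "human2.aspx"  # file name reported in the incident write-up above


def parse_w3c(text: str) -> list[dict]:
    """Parse W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def webshell_requests(rows: list[dict]) -> list[dict]:
    """Return every request whose URI path names the web-shell file.

    The match is case-insensitive because IIS paths are, and a 404 is still
    flagged: the shell answers 404 when X-siLock-Comment holds the wrong password,
    and a clean install has no human2.aspx to request at all.
    """
    return [r for r in rows
            if r.get("cs-uri-stem", "").lower().endswith("/" + WEBSHELL_NAME)]


def unexpected_aspx_files(wwwroot: Path, known: set[str]) -> list[str]:
    """List .aspx files under wwwroot whose (lower-cased) names are not in the allowlist."""
    return sorted(p.name for p in wwwroot.rglob("*.aspx") if p.name.lower() not in known)


if __name__ == "__main__":
    for r in webshell_requests(parse_w3c(SAMPLE_LOG)):
        print(f"{r['date']} {r['time']} {r['c-ip']} {r['cs-method']} {r['cs-uri-stem']} -> {r['sc-status']}")
```

Run it against the real log directory and wwwroot by reading the files in place of SAMPLE_LOG; any hit is worth treating as a compromise until the investigation says otherwise.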
Progress Software has released an official patch for the vulnerability. However, before applying the patch, administrators are advised to take certain actions, including disabling all HTTP and HTTPS traffic to their MOVEit Transfer environment, reviewing the environment for signs of compromise, and auditing and deleting any unauthorized files and user accounts. Once these steps are completed, the patch can be applied and HTTP and HTTPS traffic can be re-enabled.
In conclusion, the MOVEit Transfer zero-day exploit underscores the continuous need for robust cybersecurity measures. In an era where digital data is of paramount importance, it is crucial for organizations to monitor their systems continuously, respond quickly to security advisories, and ensure that their systems are regularly updated and patched. The MOVEit Transfer incident is a clear illustration of the risks posed by zero-day vulnerabilities and of the importance of proactive security measures.