MOVEit file transfer software zero-day alert - what happened and what to do now
Sophos Cybersecurity, Cyber Threat, Cyber Attacks
Earlier this month, Progress Software, the application infrastructure software specialist for building, integrating and managing business environments, reported a critical vulnerability (CVE-2023-34362) in its MOVEit Transfer product and related MOVEit cloud solutions.
As the name suggests, MOVEit Transfer is a system that enables easy storage and sharing of files between teams, departments, companies and even supply chains. This type of file sharing is popular because the chances of a file being misdirected or "lost" are generally believed to be lower than when sharing by email. In this case, the MOVEit web interface, which allows file sharing and management via a web browser, was found to have an SQL injection vulnerability.
The good news in this case is that Progress patched all supported MOVEit versions, as well as its cloud-based service, as soon as the company became aware of the vulnerability. Customers using the cloud version are automatically up to date, versions running on their own network need to be actively patched.
The bad news is that this vulnerability is a zero-day, which means that Progress discovered it because cybercriminals were already exploiting it. In other words, fraudulent commands could have been injected into the MOVEit SQL Server database before the patch was released, which could lead to a number of possible consequences.

An attacker group, believed by Microsoft to be part of (or affiliated with) the infamous Clop ransomware group, has apparently exploited this vulnerability to inject so-called web shells into affected servers.
What to do
- If you are a MOVEit user, make sure that all instances of the software on your network are patched.
- If you are currently unable to patch, turn off the web-based (HTTP and HTTPS) interfaces to your MOVEit servers until you can. Apparently this vulnerability is only exposed via the MOVEit web interface, not via other access routes such as SFTP.
- Scan your logs for newly added web server files, newly created user accounts and unexpectedly large data downloads. Progress has published a list of places to look, along with the file names and locations to search for. If you are a programmer, sanitize your inputs.
- If you are an SQL programmer, use parameterized queries instead of generating query commands that contain characters controlled by the person sending the query.
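To make the last point concrete, here is an added example (not code from the post, from Progress or from MOVEit) contrasting a query that splices request-controlled text into SQL with the parameterized form; the in-memory SQLite table, its column names and the sample rows are constructed stand-ins, not MOVEit's real schema.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a file-transfer "files" table; names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [("alice", "q1-report.pdf"), ("alice", "payroll.xlsx"), ("bob", "notes.txt")],
    )
    return conn


def list_files_vulnerable(conn, owner):
    # Text controlled by the person sending the request is pasted straight into
    # the SQL, so a quote character in it becomes part of the query syntax.
    # Kept only as the "before" picture to contrast with the fixed version.
    sql = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def list_files_parameterized(conn, owner):
    # The value is bound as a parameter: the driver never interprets it as SQL,
    # so quotes or comment markers inside it cannot change what the query does.
    rows = conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed tautology-style input
    # Concatenation returns every row for every owner: the WHERE clause was rewritten.
    print(list_files_vulnerable(conn, hostile))
    # Parameterization looks for an owner literally called that and finds nothing.
    print(list_files_parameterized(conn, hostile))
```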
Progress suspects that many, if not most, of the web shell attacks investigated to date involve a misleadingly named web shell file called human2.aspx, possibly along with other malicious files with the .cmdline extension. Sophos products detect and block these web shell files under the name Troj/WebShel-GO, whether or not they are called human2.aspx.
However, it is important to remember that if other attackers were aware of this zero-day before the patch was released, they may have injected other, possibly more subtle, commands that cannot be detected simply by scanning for leftover malware or searching logs for known filenames.