[UPDATED] Active Exploitation of Zero-Day Vulnerability in MOVEit Transfer
Published on 02 Jun 2023 | Updated on 03 Jun 2023
Progress Software has released security updates to address a zero-day vulnerability (CVE-2023-34362) in MOVEit Transfer, a managed file transfer software. The vulnerability is reportedly being actively exploited.
Successful exploitation of the SQL injection vulnerability in the MOVEit Transfer web application could allow an unauthenticated attacker to gain unauthorised access to the MOVEit Transfer environment, potentially resulting in remote code execution and data exfiltration.
The vulnerability affects the following product versions:
- MOVEit Transfer 2023.0.0 (15.0.0)
- MOVEit Transfer 2022.1.x (14.1.x)
- MOVEit Transfer 2022.0.x (14.0.x)
- MOVEit Transfer 2021.1.x (13.1.x)
- MOVEit Transfer 2021.0.x (13.0.x)
- MOVEit Transfer 2020.1.x (12.1.x)
Users and administrators of affected product versions are advised to update to the latest versions immediately.
Users and administrators who are unable to update their affected products immediately are advised to disable all HTTP and HTTPs traffic to their MOVEit Transfer environment by modifying firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 as a workaround. It should be noted that applying the aforementioned workaround will also lead to the following (until HTTP and HTTPs traffic are enabled again):
- Users will not be able to log on to the MOVEit Transfer web UI
- MOVEit Automation tasks that use the native MOVEit Transfer host will not work
- REST, Java and .NET APIs will not work
- MOVEit Transfer add-in for Outlook will not work
Applying the above workaround will not affect SFTP and FTP/s protocols. Users and administrators will also still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/.
Users and administrators should also check for indicators of unauthorised access over the past 30 days on all their MOVEit Transfer instances (including back-ups). These include the following:
- Any instances of human2[.]aspx and [.]cmdline script files
- Creation of new/unexpected files in the c:\MOVEit Transfer\wwwroot\ directory
- Creation of new/unexpected files in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline
- Unexpected and/or large file downloads from unknown IPs
Users and administrators using affected products are also advised to scan their systems for the following host and network indicators of compromise (IOCs):
| Indicator | Type |
|---|---|
| C:\Windows\TEMP\[random]\[random][.]cmdline | Folder Path |
| human2[.]aspx | Filename |
| human2[.]aspx[.]lnk | Filename |
| POST /moveitisapi/moveitisapi[.]dll | HTTP POST |
| POST /guestaccess[.]aspx | HTTP POST |
| POST /api/v1/folders/[random]/files | HTTP POST |
| Health Check Service | User Account |
| 5[.]252[.]189[.]0/24 | CIDR |
| 5[.]252[.]190[.]0/24 | CIDR |
| 5[.]252[.]191[.]0/24 | CIDR |
| 198[.]27[.]75[.]110 | IPv4 |
| 209[.]222[.]103[.]170 | IPv4 |
| 84[.]234[.]96[.]104 | IPv4 |
| 138[.]197[.]152[.]201 | IPv4 |
| 209[.]97[.]137[.]33 | IPv4 |
| 148[.]113[.]152[.]144 | IPv4 |
| 89[.]39[.]105[.]108 | IPv4 |
| 5[.]252[.]23[.]116 | IPv4 |
| 5[.]252[.]25[.]88 | IPv4 |
| 198[.]12[.]76[.]214 | IPv4 |
| Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36 | User Agent |
| dojustit[.]mooo[.]com | Domain |
| C:\Windows\Microsoft[.]NET\Framework64\v4.0.30319\Temporary ASP[.]NET Files\root\[random]\[random\App_Web_[random][.]dll | Filename |
| 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 | SHA256 Hash |
| 110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 | SHA256 Hash |
| 1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 | SHA256 Hash |
| 2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 | SHA256 Hash |
| 58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 | SHA256 Hash |
| 98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 | SHA256 Hash |
| a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 | SHA256 Hash |
| b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 | SHA256 Hash |
| cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 | SHA256 Hash |
| ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c | SHA256 Hash |
| 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 | SHA256 Hash |
| 110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 | SHA256 Hash |
| 1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 | SHA256 Hash |
| 2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 | SHA256 Hash |
| 58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 | SHA256 Hash |
| 98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 | SHA256 Hash |
| a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 | SHA256 Hash |
| b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 | SHA256 Hash |
| cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 | SHA256 Hash |
| ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c | SHA256 Hash |
| GET /human2[.]aspx | HTTP Request |
If there are any indicators observed or if additional support is required, users and administrators are advised to contact Progress Technical Support by opening a case via https://community.progress.com/s/supportlink-landing.
Users and administrators are also advised to report any incidents involving the exploitation of the MOVEit Transfer vulnerability (or any other cybersecurity incidents) to SingCERT at https://go.gov.sg/singcert-incident-reporting-form.
More information is available here:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
