Threat Actors Exploiting MOVEit Transfer Zero-Day

Threat actors are actively exploiting a zero-day vulnerability in MOVEit Transfer, a Managed File Transfer (MFT) solution. Here’s what you need to know.

What is MOVEit Transfer?

MOVEit Transfer is a solution developed by Ipswitch, a subsidiary of U.S.-based Progress Software Corporation. It allows for the ability to transfer sensitive data internally and to third parties while maintaining compliance with regulations including HIPAA, GDPR and PCI. Thousands of organizations use this software, including Chase, Disney, GEICO and MLB.

Tell me about the MOVEit Zero-Day Vulnerability

Progress Software has released a security advisory about the MOVEit zero-day vulnerability, warning of escalated privileges and potential unauthorized access – allowing threat actors to steal data from companies that use the software. The exploitation has enabled massive data theft from organizations, and as of publishing, it is unclear which threat actors are behind these attacks.

Progress advises blocking external traffic to ports 80 and 443 on the MOVEit server and recommends checking the ‘c:\MOVEit Transfer\wwwroot’ folder for unexpected files.

The company also recommends checking for large downloads or unexpected backups, over at least the past 30 days. The vulnerability appears to be web-facing, given the advised ports to block and the location to check for unusual files.

Security researchers have identified that the MOVEit flaw is a SQL injection vulnerability, which enables remote code execution (RCE). There are approximately 2,500 exposed MOVEit servers, mainly in the U.S., and the same webshell was found on all exploited devices. Various commands can be executed when this webshell is accessed, enabling the threat actor to retrieve and download information, including data, directly from the victims’ Azure Blob Storage containers.

Exploitation of this zero-day vulnerability started over the long U.S. Memorial Day holiday. Currently, no extortion has taken place, and as stated previously, the identity of the threat actors remains unclear.

What is Nuspire doing?

Nuspire is not affected by this vulnerability; however, the company actively threat hunts within client environments for indications of compromise.

What should I do?

Unfortunately, not all versions have available patches as of writing. Progress’ security advisory states that the company is actively testing patches and releasing them as soon as they are available. Supported versions are listed here.

Regardless of version, mitigation steps are provided on their security advisory.

  • Organizations using MOVEit Transfer should immediately apply mitigating steps as described in the above linked advisory.
  • If a patch is available for your version, prioritize applying it as soon as possible. Threat actors are actively exploiting this vulnerability. If a patch is not available, continue to monitor until one is.

Have you registered for our next event?