[UPDATED] Active Exploitation of Zero-Day Vulnerability in MOVEit Transfer
2 June 2023
Progress Software has released security updates to address a zero-day vulnerability (CVE-2023-34362) in MOVEit Transfer, its managed file transfer software. The vulnerability is reportedly being actively exploited.
Successful exploitation of the SQL injection vulnerability in the MOVEit Transfer web application could allow an unauthenticated attacker to gain unauthorised access to the MOVEit Transfer environment, potentially resulting in remote code execution and data exfiltration.
The vulnerability affects the following product versions:
MOVEit Transfer 2023.0.0 (15.0.0)
MOVEit Transfer 2022.1.x (14.1.x)
MOVEit Transfer 2022.0.x (14.0.x)
MOVEit Transfer 2021.1.x (13.1.x)
MOVEit Transfer 2021.0.x (13.0.x)
MOVEit Transfer 2020.1.x (12.1.x)
Users and administrators of affected product versions are advised to update to the latest versions immediately.
Users and administrators who are unable to update their affected products immediately are advised to disable all HTTP and HTTPS traffic to their MOVEit Transfer environment as a workaround, by modifying firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. It should be noted that applying this workaround will also have the following effects (until HTTP and HTTPS traffic is enabled again):
Users will not be able to log on to the MOVEit Transfer web UI
MOVEit Automation tasks that use the native MOVEit Transfer host will not work
REST, Java and .NET APIs will not work
MOVEit Transfer add-in for Outlook will not work
Applying the above workaround will not affect the SFTP and FTP/S protocols. Users and administrators will also still be able to access MOVEit Transfer by using Remote Desktop to access the Windows machine and then browsing to https://localhost/.
Users and administrators should also check for indicators of unauthorised access over the past 30 days on all their MOVEit Transfer instances (including back-ups). These include the following:
Any instances of human2[.]aspx and [.]cmdline script files
Creation of new/unexpected files in the c:\MOVEit Transfer\wwwroot\ directory
Creation of new/unexpected files in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline
Unexpected and/or large file downloads from unknown IPs
Users and administrators using affected products are also advised to scan their systems for the following host and network indicators of compromise (IOCs):
Indicators of compromise
Indicator | Type |
---|---|
C:\Windows\TEMP\[random]\[random][.]cmdline | Folder Path |
human2[.]aspx | Filename |
human2[.]aspx[.]lnk | Filename |
POST /moveitisapi/moveitisapi[.]dll | HTTP POST |
POST /guestaccess[.]aspx | HTTP POST |
POST /api/v1/folders/[random]/files | HTTP POST |
Health Check Service | User Account |
5[.]252[.]189[.]0/24 | CIDR |
5[.]252[.]190[.]0/24 | CIDR |
5[.]252[.]191[.]0/24 | CIDR |
198[.]27[.]75[.]110 | IPv4 |
209[.]222[.]103[.]170 | IPv4 |
84[.]234[.]96[.]104 | IPv4 |
138[.]197[.]152[.]201 | IPv4 |
209[.]97[.]137[.]33 | IPv4 |
148[.]113[.]152[.]144 | IPv4 |
89[.]39[.]105[.]108 | IPv4 |
5[.]252[.]23[.]116 | IPv4 |
5[.]252[.]25[.]88 | IPv4 |
198[.]12[.]76[.]214 | IPv4 |
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36 | User Agent |
dojustit[.]mooo[.]com | Domain |
C:\Windows\Microsoft[.]NET\Framework64\v4.0.30319\Temporary ASP[.]NET Files\root\[random]\[random]\App_Web_[random][.]dll | Filename |
GET /human2[.]aspx | HTTP Request |
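As an added example (not part of the SingCERT advisory), the following Python scans IIS W3C log records from a MOVEit Transfer host for the HTTP request, source address and user agent indicators listed in the table above. It assumes the default IIS field names, treats the upload API path as a weak indicator that only counts when another indicator matches the same request, and uses constructed sample records.

```python
import ipaddress, re

# Indicators copied from the advisory's IOC table (defanging brackets removed).
IOC_REQUESTS = {("POST", "/moveitisapi/moveitisapi.dll"),
                ("POST", "/guestaccess.aspx"), ("GET", "/human2.aspx")}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in
                ("5.252.189.0/24", "5.252.190.0/24", "5.252.191.0/24")]
IOC_ADDRESSES = {ipaddress.ip_address(a) for a in (
    "198.27.75.110", "209.222.103.170", "84.234.96.104", "138.197.152.201",
    "209.97.137.33", "148.113.152.144", "89.39.105.108", "5.252.23.116",
    "5.252.25.88", "198.12.76.214")}
IOC_USER_AGENT = ("Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36"
                  "+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36")
# Upload endpoint is normal traffic too: report it only alongside another hit.
UPLOAD_API = re.compile(r"^/api/v1/folders/[^/]+/files$", re.IGNORECASE)

def parse_w3c(lines):  # one dict per IIS W3C record; '#Fields:' names columns
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def ioc_hits(record):  # labels of every indicator this record matches
    hits = set()
    method = record.get("cs-method", "").upper()
    path = record.get("cs-uri-stem", "").lower()
    if (method, path) in IOC_REQUESTS:
        hits.add("request:" + path)
    try:
        client = ipaddress.ip_address(record.get("c-ip", ""))
        if client in IOC_ADDRESSES or any(client in n for n in IOC_NETWORKS):
            hits.add("source:" + str(client))
    except ValueError:  # missing or malformed c-ip column
        pass
    if record.get("cs(User-Agent)") == IOC_USER_AGENT:
        hits.add("user-agent")
    if hits and method == "POST" and UPLOAD_API.match(path):
        hits.add("upload-api")
    return hits

def scan_log(lines):  # [(record, hits)] for records matching at least one IOC
    return [(r, h) for r in parse_w3c(lines) for h in [ioc_hits(r)] if h]

SAMPLE_LOG = [  # constructed records in IIS W3C format, not real log data
    "#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2023-05-28 02:11:07 POST /moveitisapi/moveitisapi.dll - 443 - 5.252.190.41 %s 200" % IOC_USER_AGENT,
    "2023-05-28 02:13:40 GET /human2.aspx - 443 - 198.27.75.110 %s 200" % IOC_USER_AGENT,
    "2023-05-28 02:15:02 POST /api/v1/folders/12345/files - 443 - 198.27.75.110 %s 201" % IOC_USER_AGENT,
    "2023-05-28 09:05:12 POST /api/v1/folders/777/files - 443 alice 192.168.1.20 python-requests/2.31 201",
]
```

Run `scan_log` over each daily log under the IIS log directory for the last 30 days; the legitimate upload by `alice` in the sample produces no hit, while the three records from the listed source addresses do.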
If there are any indicators observed or if additional support is required, users and administrators are advised to contact Progress Technical Support by opening a case via https://community.progress.com/s/supportlink-landing.
Users and administrators are also advised to report any incidents involving the exploitation of the MOVEit Transfer vulnerability (or any other cybersecurity incidents) to SingCERT at https://go.gov.sg/singcert-incident-reporting-form.
More information is available here:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/