Hackers Exploit Progress MOVEit File Transfer Vulnerability
Critical Zero-Day Vulnerability Permits Escalated Privileges, Unauthorized Access
Threat actors are exploiting a critical zero-day vulnerability in Progress Software's managed file transfer offering in several customer environments, according to security researchers.
The Boston-area application development and infrastructure software provider on Wednesday warned of a critical SQL injection vulnerability in MOVEit Transfer that allows for "escalated privileges and potential unauthorized access" on target systems. A day later, researchers at Mandiant, Rapid7 and elsewhere reported seeing mass exploitation and broad data theft associated with the vulnerability.
Based on TrustedSec's analysis of the backdoor, a successful attack could allow unauthenticated remote access to any folder or file within a MOVEit system, said Incident Response Practice Lead Tyler Hudak. Progress Software didn't immediately respond to Information Security Media Group's request for comment.
"Any organization using MOVEit should forensically examine the system to determine if it was already compromised and if data was stolen," Mandiant Consulting Chief Technology Officer Charles Carmakal said in an emailed statement. "Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data."
When Exploitation Began
Roughly 2,500 instances of MOVEit Transfer were exposed to the public internet as of Wednesday. The majority of the instances appeared to be in the United States, said Rapid7 Senior Manager of Security Research Caitlin Condon. Similarly, security researcher Kevin Beaumont wrote on Mastodon that MOVEit Transfer has a huge footprint in the U.S., including the Department of Homeland Security and some big banks.
Progress Software directed MOVEit Transfer customers to check for indicators of unauthorized access "over at least the past 30 days," which Condon said indicates that attacker activity was detected before the vulnerability was disclosed. Beaumont said web shells started being planted a few weeks ago at firms that have detected activity, and multiple instances were running at multiple organizations during that time.
TrustedSec found the backdoors have been uploaded to public sites since Sunday, meaning the attackers likely took advantage of the Memorial Day holiday weekend to gain access to systems. Hudak said there have also been reports of data exfiltration from affected victims. The backdoor uploaded during the attack allows hackers to download any file within MOVEit and obtain an active session that allows credential bypass.
Beaumont also reported that the security incident affected Progress Software's SaaS cloud offering of the same product. Rapid7's managed services teams so far have observed the same web shell name in multiple customer environments, which Condon said might indicate automated exploitation. SQL-to-RCE flaws can provide threat actors with initial access to corporate networks.
How the Exploit Works
The web shell code first determines if the inbound request contains a specific header and returns a 404 "Not Found" error if the header lacks a specific password-like value, according to Condon. As of today, Condon said, all instances of Rapid7-observed MOVEit exploitation involve the presence of the human2.aspx file in a specific folder of the MOVEit install directory.
Progress Software has made patches available for all supported versions of MOVEit Transfer. TrustedSec said the mitigations offered by Progress deny all HTTP and HTTPS traffic to the MOVEit environment. Although this blocks all access to the system, Hudak said SFTP and FTP protocols will still work. There aren't any signs these protocols have been compromised or can be used to leverage file transfer.
In addition to patching their systems, Beaumont said businesses that run MOVEit Transfer should remove network connectivity, check for newly created or altered .asp* files and retain a copy of all IIS logs and network data volume logs. There is currently no CVE or CVSS score associated with this vulnerability.
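The checks described above (the human2.aspx file name, newly created or altered .asp* files, a 30-day look-back and the retained IIS logs) can be sketched as follows. This is an added example, not code from Progress, Rapid7 or the researchers quoted; the function names, the reduced W3C field set and the sample log lines are constructed for illustration, and the directory to scan is whatever path is passed in.

```python
import os
import sys
import time
from collections import Counter

WINDOW_DAYS = 30               # "at least the past 30 days", per the vendor guidance
WEBSHELL_NAME = "human2.aspx"  # file name reported in the article
# Constructed sample in W3C extended format (documentation IP ranges, reduced field set)
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2023-05-28 03:10:01 GET /human2.aspx 203.0.113.7 404
2023-05-28 03:10:09 GET /human2.aspx 203.0.113.7 200
2023-05-28 03:11:00 GET /human.aspx 198.51.100.4 200
"""

def recent_asp_files(root, now=None, days=WINDOW_DAYS):
    """Return (path, reason) for .asp* files that match the reported name or changed in the window."""
    cutoff = (time.time() if now is None else now) - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not os.path.splitext(name)[1].lower().startswith(".asp"):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            # st_ctime is creation time on Windows and inode-change time on POSIX
            if name.lower() == WEBSHELL_NAME:
                hits.append((path, "known web shell name"))
            elif max(st.st_mtime, st.st_ctime) >= cutoff:
                hits.append((path, "created or modified in window"))
    return sorted(hits)

def webshell_requests(log_lines, name=WEBSHELL_NAME):
    """Count (client IP, HTTP status) pairs for requests to the web shell in W3C-format IIS logs."""
    fields, counts = [], Counter()
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower().endswith("/" + name):
            counts[(row.get("c-ip", "?"), row.get("sc-status", "?"))] += 1
    return counts

if __name__ == "__main__":
    print(webshell_requests(SAMPLE_LOG.splitlines()))
    for hit in (recent_asp_files(sys.argv[1]) if len(sys.argv) > 1 else []):
        print(hit)
```

Because the web shell is reported to answer 404 unless the expected header is present, the log function counts every status for the file name rather than only successful responses.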
The exploit of MOVEit Transfer comes months after hackers turned a zero-day in Fortra's GoAnywhere file transfer software into a bonanza of ransomware attacks for Russian-speaking extortion group Clop. More than 100 organizations had experienced the effects of the bug as of April, and Clop took responsibility for more than 50 now-patched GoAnywhere zero-day attacks, Fortra and Palo Alto Networks Unit 42 found (see: Fortra Hacker Installed Tools on Victim Machines).
"Mass exploitation of zero-day vulnerabilities with other managed file transfer solutions have resulted in data theft, extortion, publication of stolen data, and victim sharing," Carmakal said.