Critical Vulnerability CVE-2023-34362 in MOVEit Transfer Widely Used by Hackers to Steal Data
Overview of MOVEit Transfer
MOVEit Transfer is a file transfer solution developed by Ipswitch, a subsidiary of the American Progress Software Corporation. The product allows companies to securely exchange files with partners and customers using SFTP, SCP and HTTP. MOVEit Transfer is offered as a customer-managed on-premises solution and a developer-managed SaaS cloud platform.
Critical Vulnerability CVE-2023-34362
At the end of last week, Progress Software developers warned about the discovery of a critical vulnerability in MOVEit Transfer. According to them, exploitation of this vulnerability could lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment. Vulnerabilities affect all versions of MOVEit Transfer.
As a workaround, all clients are advised to block external traffic on ports 80 and 443 on the MOVEit Transfer server as soon as possible. At the same time, the developers warned that blocking these ports would prohibit external access to the web interface, interfere with some aspects of automation, block the API, and prevent the Outlook MOVEit Transfer plugin from working.
You can use the C:\MOVEit Transfer\wwwroot\ folder as an indicator of compromise, which is worth checking for strange files, including backups or large downloads. This may indicate that the attackers have already stolen the data, or the theft is still taking place. Additionally, MOVEit Transfer admins have reported on Reddit that after being hacked, they find App_Web_
It is noted that the SFTP and FTP/s protocols can still be used to transfer files.
Rapid7’s Analysis of the Vulnerability
According to information security specialists from Rapid7, the vulnerability in MOVEit Transfer is a SQL injection that leads to a remote execution coding and received the identifier CVE-2023-34362. Experts write that more than 2500 MOVEit Transfer servers are available on the network, most of which are located in the USA.
Massive attacks on 0-day began on May 27 (and the first scans of the login pages were revealed by GreyNoise analysts on March 3), and now the same web shell human2.asp was found on all hacked servers, located in the public HTML folder c:\MOVEit Transfer\wwwroot\.
It appears to be capable of executing various commands, including:
• getting a list of saved files, the name of the user who uploaded the files, and the paths to the files;
• implement and remove a new MOVEit Transfer user with a random name and Health Check Service login, creating new MySQL sessions;
• Get information about an Azure Blob Storage account, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings;
• download files from the server.
According to Huntress, the following IP addresses are associated with the attacks:
• 138.197.152[.]201
• 209.97.137[.]33
• 5.252.191[.]0/24
• 148.113.1
Organizations at Risk of Data Theft Due to Critical Vulnerability in MOVEit Transfer
Organizations around the world are at risk of data theft due to a critical vulnerability in the file transfer management product MOVEit Transfer, developed by Progress Software. The vulnerability, identified as CVE-2023-34362, is a SQL injection that leads to a remote execution coding.
At the end of last week, Progress Software developers warned about the discovery of the critical vulnerability in MOVEit Transfer. According to them, exploitation of this vulnerability could lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment. Vulnerabilities affect all versions of MOVEit Transfer.
As a workaround, all clients are advised to block external traffic on ports 80 and 443 on the MOVEit Transfer server as soon as possible. At the same time, the developers warned that blocking these ports would prohibit external access to the web interface, interfere with some aspects of automation, block the API, and prevent the Outlook MOVEit Transfer plugin from working.
Indicators of Compromise
You can use the C:\MOVEit Transfer\wwwroot\ folder as an indicator of compromise, which is worth checking for strange files, including backups or large downloads. This may indicate that the attackers have already stolen the data, or the theft is still taking place. Additionally, MOVEit Transfer admins have reported on Reddit that after being hacked, they find App_Web_
IP Addresses Associated with the Attacks
According to Huntress, the following IP addresses are associated with the attacks:
• 138.197.152[.]201
• 209.97.137[.]33
• 5.252.191[.]0/24
• 148.113.1
Conclusion
Organizations around the world are at risk of data theft due to a critical vulnerability in the file transfer management product MOVEit Transfer, developed by Progress Software. The vulnerability, identified as CVE-2023-34362, is a SQL injection that leads to a remote execution coding. As a workaround, all clients are advised to block external traffic on ports 80 and 443 on the MOVEit Transfer server as soon as possible. Additionally, organizations should check the C:\MOVEit Transfer\wwwroot\ folder for strange files, including backups or large downloads, as well as monitor the IP addresses associated with the attacks.