MOVEit Vulnerability: What Happened?

On May 31, 2023, a critical vulnerability was discovered in the secure file transfer service MOVEit Transfer. Active exploitation of this vulnerability has been observed in the wild, which could lead to escalated privileges and potential unauthorized access to an environment. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements. ReliaQuest has observed exploitation of this vulnerability since at least May 27, 2023.

MOVEit Transfer was developed by Ipswitch, a subsidiary of the US-based Progress Software Corporation, which has released information about the vulnerability. This vulnerability has been assigned the common vulnerabilities and exposures (CVE) number CVE-2023-34362. MOVEit enables organizations to securely transfer files between parties using SFTP, SCP, and HTTPbased uploads.

Affected versions:

  • MOVEit Transfer 2023.0.0 
  • MOVEit Transfer 2022.1.x 
  • MOVEit Transfer 2022.0.x 
  • MOVEit Transfer 2021.1.x 
  • MOVEit Transfer 2021.0.x

Based on information available at this time, we believe the following products are not susceptible to this SQL Injection Vulnerability: MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. At this time, no action is necessary for the above-mentioned products.  

Why You Should Care

MOVEit Transfer is a popular file-transfer tool among many of organizations. This vulnerability allows attackers to access and take over affected systems. Reports have shown that the vulnerability is already being actively exploited in the wild to exfiltrate data from organizations. Mass exploitation will likely continue over the next few days. 

What We Don’t Know

Currently, no intelligence has surfaced attributing this attack to a specific group. However, the successful exploitation across many organizations in a short period of time does have severe implications, as seen previously in 3CX Desktop Client and GoAnywhere MFT earlier this year.

The ReliaQuest Threat Research team will continue to closely monitor this situation to uncover additional information as it surfaces.

What You Should Do

Before applying patches or performing other mitigating steps, organizations should backup all systems to ensure no data loss. Patches and complete mitigation steps have been released from Progress Software Corporation and can be found here.

Immediate mitigation steps include the following:

  • Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment.
    • Without access to these ports users will not be able to log into the web interface.
    • MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
    • REST, Java, .NET application programming interfaces (APIs) will not work.
    • MOVEit Transfer add-in for Outlook will not work.
  • Review, delete, and reset.
    • Delete unauthorized files and user accounts.
    • Reset credentials.
  • Apply the patch.
    • Patches for all supported MOVEit Transfer versions are available at the link above.

To view complete mitigation steps and available patches see the Progress Software Corporation Blog.

What ReliaQuest Is Doing for Customers

  • Our ReliaQuest Threat Research team is monitoring the situation closely and has released an initial threat advisory for customers. This advisory will be updated as information about this activity arises.
  • At the time of writing, our intelligence feeds are being continually updated with unique indicators of compromise as they are identified.
  • The ReliaQuest Threat Hunting team has deployed hunt packages on our clients’ networks that we have determined are using MOVEit. Any other ReliaQuest customers that have MOVEit in their environment should get in touch with ReliaQuest to establish how we can help.
  • We have also begun researching unique telemetry to deploy content across the ReliaQuest customer base to detect and remediate signs of MOVEit exploitation.
  • We have detection rules in place to look for exploitation of this vulnerability.