New MOVEit Transfer zero-day mass-exploited in data theft attacks

Amol Rangari
5 min readJun 6, 2023

Hackers are actively exploiting a zero-day vulnerability in the MOVEit Transfer file transfer software, tracked as CVE-2023–34362, to steal data from organizations.

MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch, a subsidiary of US-based Progress Software Corporation, that allows the enterprise to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.

Progress MOVEit Transfer is offered as an on-premise solution managed by the customer and a cloud SaaS platform managed by the developer.

Zero-day mass-exploited to steal data

BleepingComputer has learned that threat actors have been exploiting a zero-day in the MOVEit MFT software to perform mass downloading of data from organizations.

It is unclear when the exploitation occurred and which threat actors are behind the attacks, but BleepingComputer has been told that numerous organizations have been breached and data stolen.

Yesterday, Progress released a security advisory warning customers of a “Critical” vulnerability in MOVEit MFT, offering mitigations until patches are installed.

“Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment,” reads a security advisory from Progress.

“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch.”

To prevent exploitation, the developers warn admins to block external traffic to ports 80 and 443 on the MOVEit Transfer server.

Progress warns that blocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit Transfer plugin from working.

However, SFTP and FTP/s protocols can continue to be used to transfer files.

The developers also warn admins to check the ‘c:\MOVEit Transfer\wwwroot\’ folder for unexpected files, including backups or large file downloads.

Based on the information learned by BleepingComputer, large downloads or unexpected backups are likely indicators that the threat actors have stolen data or are in the process of doing so.

No information about the zero-day vulnerability has been released. However, based on the ports blocked and the specified location to check for unusual files, the flaw is likely a web-facing vulnerability.

Until a patch is released for your version, it is strongly advised that organizations shut down any MOVEit Transfers and perform a thorough investigation for compromise before applying the patch and bringing the server live again.

Below is the current list of MOVEit Transfer versions that have a patch available:

Affected VersionFixed VersionDocumentationMOVEit Transfer 2023.0.0MOVEit Transfer 2023.0.1MOVEit 2023 Upgrade DocumentationMOVEit Transfer 2022.1.xMOVEit Transfer 2022.1.5MOVEit 2022 Upgrade DocumentationMOVEit Transfer 2022.0.xMOVEit Transfer 2022.0.4MOVEit Transfer 2021.1.xMOVEit Transfer 2021.1.4MOVEit 2021 Upgrade DocumentationMOVEit Transfer 2021.0.xMOVEit Transfer 2021.0.6

Attack details

Cybersecurity firm Rapid7 says that the MOVEit Transfer flaw is a SQL injection vulnerability that leads to remote code execution and does not currently have a CVE assigned to it.

Rapid7 says there are 2,500 exposed MOVEit Transfer servers, with the majority located in the US, and that the same webshell was found on all exploited devices.

This webshell is named ‘human2.asp’ [VirusTotal] and is located in the c:\MOVEit Transfer\wwwroot\ public HTML folder.

“The webshell code would first determine if the inbound request contained a header named X-siLock-Comment, and would return a 404 “Not Found” error if the header was not populated with a specific password-like value,’ explains Rapid7.

From analysis by BleepingComputer, when the webshell is accessed and the correct password supplied, the script will execute various commands based on the value of the ‘X-siLock-Step1', 'X-siLock-Step1', and 'X-siLock-Step3' request headers.

These commands allow the threat actor to download various information from MOVEit Transfer’s MySQL server and perform various actions, including:

  • Retrieve a list of stored files, the user name who uploaded the files, and their file paths.
  • Insert and delete a new random named MOVEit Transfer user with the login name ‘Health Check Service’ and create new MySQL sessions.
  • Retrieve information about the configured Azure Blob Storage account, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings, as described in this Progress help article.
  • The threat actors can use this information to steal data directly from victim’s Azure Blob Storage containers.
  • Download files from the server.

MOVEit Transfer admins have also reported on Reddit that they are also finding multiple random named App_Web_<random>.dll files, such as App_Web_feevjhtu.dll, after being breached when there should only be one.

Huntress also reports that the following IP addresses have been associated with the attacks:

138.197.152[.]201
209.97.137[.]33
5.252.191[.]0/24
148.113.152[.]144 (reported by the community)
89.39.105.108

BleepingComputer was told that the attacks started over the long US Memorial Day holiday when fewer staff were monitoring systems.

This was also confirmed by Mandiant CTO Charles Carmakal, who told BleepingComputer that their data shows that the attacks started on May 27th.

“Mandiant is currently investigating several intrusions related to the exploitation of the MOVEit managed file transfer zero-day vulnerability. Mass exploitation and broad data theft has occurred over the past few days,” Carmakal told BleepingComputer.

“In addition to patching their systems, any organization using MOVEit Transfer should forensically examine the system to determine if it was already compromised and if data was stolen. Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data.”

Cybersecurity researcher Kevin Beaumont says he was reliably told that the MOVEit Transfer SaaS platform was also impacted by the vulnerability, making the potential victim base much larger.

Progress Software confirmed the MOVEit Cloud platform was impacted in a statement shared with BleepingComputer after publication.

“When we identified the issue, we took immediate action, including bringing down MOVEit Cloud, to ensure the safety of our customers, while we reviewed the severity of the situation,” Progress Software told BleepingComputer.

“We also notified our customers, first providing instructions for immediate actions, followed by the release of a patch. You can review the mitigation steps for on-prem here and cloud here.”

Extortion has not begun

While Progress has not stated that the vulnerability is being actively exploited, BleepingComputer is aware of numerous organizations that have had data stolen using the zero-day.

At this time, the threat actors have not begun extorting victims, so it is unclear who is behind the attacks.

However, the exploitation is very similar to the January 2023 mass exploitation of a GoAnywhere MFT zero-day and the December 2020 zero-day exploitation of Accellion FTA servers.

Both of these products are managed file transfer platforms that were heavily exploited by the Clop ransomware gang to steal data and extort organizations.

Update 6/1/23: Added technical information, information on patches, and statement from Progress.
Update 6/2/23: Added assigned CVE.

--

--

Amol Rangari

I am Cyber Security Expert, Security Researcher and bug hunter