This article is more than 1 year old

Deployed publicly accessible MOVEit Transfer? Oh no. Mass exploitation underway

Time to MOVEit, MOVEit. We don't like to MOVEit, MOVEit

Security researchers and the US government have sounded the alarm on a flaw in Progress Software's MOVEit Transfer that criminals have been "mass exploiting" for at least a month to break into IT environments and steal data.

Progress disclosed some info about the SQL-injection vulnerability in its multi-tool file-transfer product on Wednesday, and warned that exploitation "could lead to escalated privileges and potential unauthorized access to the environment." 

The software maker has just released patches for the security hole. There's now MOVEit Transfer 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, and 2021.0.6 available to fix the insecure code.

Earlier the biz urged customers to take "immediate action" (in other words: move it!) to protect their environments, including disabling all HTTP and HTTPS traffic to deployments of MOVEit Transfer.

The vulnerability has not yet been assigned a CVE.

For those who don't know, the software provides a way for people to share files supposedly securely between each other. Typically, you would deploy a server component that client apps and web browsers can connect to and use to upload and download documents. As such it's used throughout the worlds of healthcare, government, and finance so that coworkers can transfer files between each other.

By Thursday, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) and private security firms started weighing in on the under-attack flaw.

While Progress advised MOVEit customers to check for indicators of unauthorized access over "at least the past 30 days," other threat hunters noted suspicious activity going back even further. 

GreyNoise said it observed netizens, possibly with nefarious motives, scanning the public internet for MOVEit Transfer deployments to exploit as early as March 3.

"While we have not observed activity directly related to exploitation, all of the 5 IPs we have observed attempting to discover the location of MOVEit installations were marked as 'Malicious' by GreyNoise for prior activities," the IP scanning biz said

GreyNoise noted that the primary artifact is the presence of a webshell named human2[dot]aspx, which allows attackers to execute arbitrary commands on the compromised equipment, and it recommends that MOVEit customers extend the time window to check for potentially malicious activity to at least 90 days.

Rapid7 also reported that all of the successful exploits that its threat intel team spotted involved this same file, human2[dot]aspx, in the wwwroot folder of the MOVEit install directory. 

Analyzing the webshell revealed the following, according to the security firm:

The webshell code would first determine if the inbound request contained a header named X-siLock-Comment, and would return a 404 "Not Found" error if the header was not populated with a specific password-like value.

As of Wednesday, Rapid7 spotted about 2,500 instances of MOVEit Transfer exposed to the public internet, most of which belong to US customers.

"We strongly recommend that MOVEit Transfer customers prioritize mitigation on an emergency basis," the security team said.

Progress Software claims its customer base spans "thousands of enterprises, including 1,700 software companies and 3.5 million developers." It did not immediately respond to The Register's inquiries into how many customers are likely affected by the flaw, and how many have been compromised.

Any organization using MOVEit should forensically examine the system

Google Cloud's Mandiant is also investigating "several" intrusions related to the MOVEit zero-day, according to Mandiant Consulting CTO Charles Carmakal.

"Mass exploitation and broad data theft has occurred over the past few days," he told The Register. "In addition to patching their systems, any organization using MOVEit should forensically examine the system to determine if it was already compromised and if data was stolen."

And while his firm doesn't know the attacker's motivation, "organizations should prepare for potential extortion and publication of the stolen data," Carmakal added. "Mass exploitation of zero-day vulnerabilities with other managed file transfer solutions have resulted in data theft, extortion, publication of stolen data, and victim shaming."

So that should make for an enjoyable week and month all around. ®

More about


Send us news

Other stories you might like