
Mass Exploitation of MOVEit Transfer Zero-day Vulnerability Confirmed

A zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution is being actively exploited by hackers to perform mass downloads of sensitive data from targeted organizations. MOVEit Transfer was developed by Ipswitch, a company owned by Progress Software Corporation, and is provided as an on-premise solution or a cloud SaaS platform that enterprises use to transfer large files securely.

According to a recent security advisory from Progress, the flaw is an SQL injection vulnerability that affects the MOVEit Transfer web application. If exploited, a remote, unauthenticated attacker can gain access to the MOVEit Transfer database, infer information about the structure and contents of the database, exfiltrate data, and execute SQL statements that alter or delete database elements. Progress has confirmed that the vulnerability affects all MOVEit Transfer versions, including on-prem and MOVEit Cloud. There were many confirmed instances of mass data exfiltration over the Memorial Day weekend, when monitoring was reduced, although in many of the cases that have been investigated it appears the vulnerability was exploited weeks earlier. At present it is unclear which threat group is exploiting the flaw, since, although there has been confirmed data theft, there has been no attempted extortion.

Progress has released a patch to fix the vulnerability in all supported versions, which are available here. Users have been recommended to immediately disable all HTTP and HTTPS traffic to the MOVEit Transfer environment by modifying firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. Note that blocking HTTP and HTTPS traffic alone will not prevent data exfiltration, which can still occur over SFTP and FTP. After disabling traffic, a review should be conducted to identify any unauthorized files and user accounts, which should be deleted, and then credentials should be reset. The patch can then be applied, and HTTP and HTTPS traffic can be re-enabled once all unauthorized files and accounts have been confirmed deleted.

According to Rapid7, there are approximately 2,500 instances of MOVEit that are exposed to the public Internet, the majority of which are located in the United States. All cases of exploitation have seen the same webshell (LEMURLOOT), which masquerades as human2.asp and is added to the c:\MOVEit Transfer\wwwroot\ public HTML folder. According to Mandiant, the LEMURLOOT webshell can also allow the theft of Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings, which suggests threat actors may be stealing files from Azure when victims store appliance data in Azure Blob storage. After patching, organizations should conduct a forensic analysis to look for Indicators of Compromise over the past 30 days to determine whether the flaw has already been exploited and data exfiltrated.
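The file review and firewall steps described above, as an added triage script for a Windows MOVEit Transfer host; this is not code from Progress or from the article. It assumes the default install path named in the article, the built-in NetSecurity firewall cmdlets, and that the parameter names and rule name are placeholders you can change.

```powershell
# Added triage helper (not from Progress or the article). Assumes the install
# path named in the article; $LookbackDays mirrors the 30-day IoC window.
param(
    [string]$WwwRoot = 'C:\MOVEit Transfer\wwwroot',
    [int]$LookbackDays = 30,
    [switch]$BlockWeb   # deny inbound 80/443 only when explicitly requested
)

$since    = (Get-Date).AddDays(-$LookbackDays)
$webFiles = Get-ChildItem -Path $WwwRoot -Recurse -File -ErrorAction Stop

# 1. The LEMURLOOT filename the article cites (case-insensitive match).
$webshell = $webFiles | Where-Object { $_.Name -ieq 'human2.asp' }

# 2. Any other server-side script or binary created or changed in the window;
#    compare this list against a known-good install before deleting anything.
$recent = $webFiles | Where-Object {
    $_.Extension -in '.asp', '.aspx', '.ashx', '.dll' -and
    ($_.CreationTime -ge $since -or $_.LastWriteTime -ge $since)
}

if ($webshell) {
    Write-Warning "Webshell filename present: $($webshell.FullName -join ', ')"
} else {
    Write-Output "No file named human2.asp found under $WwwRoot"
}

Write-Output "Server-side files created or modified since $($since.ToShortDateString()):"
$recent | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize

# 3. Optional containment: block inbound HTTP/HTTPS on the host until the
#    review and patch are complete. This does not cover SFTP/FTP paths.
if ($BlockWeb) {
    New-NetFirewallRule -DisplayName 'MOVEit-Block-HTTP-HTTPS' -Direction Inbound `
        -Protocol TCP -LocalPort 80, 443 -Action Block -Profile Any | Out-Null
    Write-Output 'Inbound TCP 80/443 blocked; remove the rule after patching and verification.'
}
```

Run it from an elevated PowerShell session; the recent-files list is a starting point for the manual review of files and user accounts, not a verdict on its own.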


FIN11/Clop were initially suspected of involvement in the attack, as they were behind the exploitation of zero-day vulnerabilities in two other MFT solutions: Fortra’s GoAnywhere MFT in January 2023 and the Accellion FTA in December 2020. Mandiant has attributed the exploitation to a threat cluster it is tracking as UNC4857, which it says is a newly created threat cluster that has impacted organizations across a wide range of industries based in Canada, India, and the U.S. Mandiant has also obtained evidence suggesting that more extensive exploitation is taking place globally. While there are similarities between the attack by FIN11 and UNC4857, Mandiant has yet to determine any relationship between the two groups. Mandiant says the motivations of UNC4857 are currently unclear, but the nature of the attacks is consistent with extortion attempts, and Mandiant believes that extortion emails may be received at victim organizations in the coming weeks. “We are already identifying active intrusions at several clients and expect many more in this short term. Everyone needs to move fast to patch. Any organization that had a web-exposed MOVEit instance needs to perform forensics to determine if it was compromised and assess the impact. In cases where they suspect exploitation, prepare for the possible public release of their data,” said John Hultquist, Chief Analyst, Mandiant Intelligence – Google Cloud, in a statement to The HIPAA Journal.

On June 2, 2023, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert warning that the health and public health sector is potentially at risk. The alert can be viewed here (PDF). On June 4, 2023, Microsoft announced that it attributed the attacks to a Clop ransomware affiliate it tracks as Lace Tempest. On June 5, 2023, Bleeping Computer reported that a member of the Clop ransomware gang confirmed they were behind the attack, said ransom demands have been issued, and said the stolen data will be published on its data leak site if the victims refuse to pay, but did not confirm the number of victims.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
