Zero-day security vulnerability in MOVEit transfer
by Tina Siering
Attention: All versions of MOVEit Transfer affected by vulnerability
Attackers are currently actively exploiting a security vulnerability in MOVEit Transfer, the Managed File Transfer (MFT) solution from Ipswitch (a subsidiary of the US company Progress Software Corporation), and gaining access to the data that companies exchange through it.
Depending on the database engine used (MySQL, Microsoft SQL Server or Azure SQL), an attacker may be able to gain knowledge of the structure and content of the database, execute SQL statements and modify or delete database elements.
It is still unclear since when the vulnerability has been exploited and which threat actors are behind the attacks, but numerous organisations have reportedly already been attacked and had data stolen.
Urgent recommendations for action from the manufacturer:
1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment
Specifically, change firewall rules to block HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the system can be patched. This deactivation has the following limitations:
- Users cannot log in to the MOVEit Transfer web user interface.
- MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
- The REST, Java and .NET APIs will not work.
- The MOVEit Transfer add-in for Outlook will not work.
The SFTP and FTP/S protocols continue to work as usual. Administrators can still reach MOVEit Transfer by connecting to the Windows machine via remote desktop and opening https://localhost/.
2. Delete unauthorised files and user accounts
- Delete all instances of the human2.aspx and .cmdline script files.
- On the MOVEit Transfer server, search for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
- On the MOVEit Transfer server, search for any new files with the .cmdline file extension created in the C:\Windows\TEMP\[random]\ directory.
- Remove all unauthorised user accounts.
- Check the logs for unexpected downloads of files from unknown IPs or a large number of downloaded files.
3. Reset credentials
- Reset the service account credentials for the affected systems and the MOVEit admin account.
4. Apply Patches
The following patches are available for all supported MOVEit Transfer versions:
| Affected Version | Fixed Version | Documentation |
|---|---|---|
| MOVEit Transfer 2023.0.0 (15.0) | MOVEit Transfer 2023.0.1 | MOVEit 2023 Upgrade Documentation |
| MOVEit Transfer 2022.1.x (14.1) | MOVEit Transfer 2022.1.5 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2022.0.x (14.0) | MOVEit Transfer 2022.0.4 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2021.1.x (13.1) | MOVEit Transfer 2021.1.4 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2021.0.x (13.0) | MOVEit Transfer 2021.0.6 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | See KB 000234559 |
| MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide |
| MOVEit Cloud | MOVEit Transfer 126.96.36.199, MOVEit Transfer 188.8.131.52 | All MOVEit Cloud systems are fully patched at this time. Cloud Status Page |
5. After the security update(s) have been applied successfully: re-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
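As an added example (not part of the manufacturer's advisory or of this post), the following Python script automates the checks from step 2: it lists files matching the human2.aspx and .cmdline indicators below the directories named above, and summarises successful downloads per client IP from IIS log lines so that unknown IPs or unusually high download counts stand out. The IIS field order, the download threshold and the sample log lines are assumptions; a real log states its field order in its #Fields header.

```python
import re
from collections import Counter
from pathlib import Path

# File indicators named in the advisory: web-shell file name and script extension.
SHELL_NAME = "human2.aspx"
SCRIPT_EXT = ".cmdline"

def find_suspect_files(webroot, temp_dir):
    """Return files matching the indicators anywhere below the two trees; missing dirs are skipped."""
    hits = []
    for base, pattern in ((webroot, SHELL_NAME), (temp_dir, "*" + SCRIPT_EXT)):
        base = Path(base)
        if base.is_dir():
            hits.extend(str(p) for p in sorted(base.rglob(pattern)) if p.is_file())
    return hits

# Assumed IIS W3C field order: date time c-ip cs-method cs-uri-stem sc-status (check '#Fields:').
IIS_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def flag_downloads(log_lines, known_ips, threshold=25):
    """Count successful GETs per client IP; return ({ip: count} flagged, number of unparsed lines)."""
    counts = Counter()
    unparsed = 0
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blank lines and W3C header directives
        m = IIS_LINE.match(line)
        if m is None:
            unparsed += 1                 # report, rather than silently drop, odd lines
            continue
        _date, _time, ip, method, _uri, status = m.groups()
        if method == "GET" and status == "200":
            counts[ip] += 1               # a successful GET is treated as one download
    # Flag any IP that is not on the allow-list, or that exceeds the volume threshold.
    flagged = {ip: n for ip, n in counts.items() if ip not in known_ips or n > threshold}
    return flagged, unparsed

# Constructed sample log lines (not real traffic) in the assumed field order.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2023-06-01 09:00:01 10.0.0.5 GET /human2.aspx 200",
    "2023-06-01 09:00:02 10.0.0.5 GET /human2.aspx 200",
    "2023-06-01 09:01:00 10.0.0.9 GET /download/42 200",
    "2023-06-01 09:01:30 10.0.0.9 GET /download/43 404",
    "garbled line that does not parse",
]

if __name__ == "__main__":
    print(find_suspect_files(r"C:\MOVEitTransfer\wwwroot", r"C:\Windows\TEMP"))
    print(flag_downloads(SAMPLE_LOG, known_ips={"10.0.0.9"}))
```

Run it on the MOVEit Transfer host with the real IIS log file contents in place of SAMPLE_LOG; a non-empty file list or an unexpected IP in the flagged dictionary warrants the follow-up steps above.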
According to security researchers, the cloud version is also said to be vulnerable; here too, immediate action has been taken to protect cloud platform customers.
Further information and documentation can be found here.
If you use MOVEit Transfer, follow the advice above, remain vigilant, and ensure the necessary awareness and targeted monitoring of your environment. Test your detection strategies and response processes.