Progress Software MOVEit Zero-Day Vulnerability

High Level Summary of the Security Advisory

MOVEit is a managed file transfer (MFT) solution provided by Progress Software. Progress is a global software company that simplifies the development, deployment and management of business applications. MOVEit is a solution that encrypts files and uses secure file transfer protocols to transfer data with automation, analytics and failover options.

On May 31, 2023 Progress Software Corporation (“Progress Software”), issued an advisory regarding a vulnerability in its managed file transfer (MFT) solution, MOVEit Transfer, and MOVEit Cloud. The vulnerability resulted in an HTTPS Outage that occurred on May 30 and 31st, 2023.

On June 1, 2023 Progress released an update on the May 2023 security vulnerability and defensive outage of MOVEit Cloud. On May 30, 2023, MOVEit's technical support team received customer reports of suspicious activity. Investigation into these reports resulted in the discovery of a SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer web application, that allowed remote attackers to gain unauthorized access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may have been able to infer information about the structure and contents of the database, as well as execute SQL statements to modify or delete important elements. This vulnerability affected all MOVEit Transfer (both cloud and on-premise versions), including older unsupported versions.

In response, Progress Software temporarily disabled HTTP and HTTPs traffic to MOVEit Cloud and notified MOVEit Transfer customers to do the same in their own environments.

On May 31, 2023, Progress Software released a patch for all supported versions of MOVEit Transfer and provided  guidance for MOVEit Cloud users. 

Detailed information about the security fix and vulnerability can be found in their community page article.

On June 2, Progress Software updated their MOVEit Transfer Critical Vulnerability Knowledge Base documentation with IoCs (Indicators of Compromise) and additional mitigation steps for MOVEit Transfer customers. The SQL vulnerability has been assigned a CVE ID, CVE-2023-34362, although it is still pending a CVSS rating. Further information regarding the vulnerability can be found here.

As of June 5, Microsoft is attributing the MOVEit Transfer zero-day attacks to Lace Tempest, a threat actor previously linked to Cl0p ransomware, data theft, and extortion attacks.  

Should I be concerned? 

Maybe. It depends on if you have a relationship with Progress Software. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.

Note: this link specifically references vendor directory records. You may also want to search your Relationship List for "Progress” or "MOVEit" to confirm.

What to do if you have an active relationship with Progress Software

On June 5, 2023, Progress provided an update on the mitigation steps. They stated that MOVEit Cloud has been patched and no evidence that the exploit was activated or used by malicious parties to exfiltrate data from MOVEit Cloud services is found. That being said, Progress recommends MOVEit Transfer and MOVEit Cloud customers to take the necessary steps to conduct investigations for unauthorized access and other unusual download activity within their environments.

To address the vulnerability and mitigate risks, the following steps are recommended by MOVEit (as part of their status update):

1. Disable HTTP and HTTPS traffic:
   1. Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied. 
2.  Review, Delete, and Reset:
   1. Delete Unauthorized Files and User Accounts:
      1. Delete any instances of the human2.aspx and .cmdline script files.
      2. Check the following directories for new files:
         1. C:\MOVEitTransfer\wwwroot\
         2. C:\Windows\TEMP[random]\
         3. C:\Windows\TEMP[random]\ (files with a file extension of [.]cmdline)
      3. Remove any unauthorized user accounts. See Progress MOVEit Users Documentation article
      4. Review logs for unexpected downloads of files from unknown IPs or a significant number of file downloads. Refer to MOVEit Transfer Logs guide  for detailed information on reviewing logs.
      5. Examine the IIS logs for events that include GET /human2.aspx. A large number of log entries or entries with substantial data sizes may indicate unexpected file downloads.
      6. If applicable, review Azure logs to identify any unauthorized access to Azure Blob Storage Keys. Consider rotating any potentially affected keys to ensure the security of the environment.
   2. Reset credentials:
      1. Reset service account credentials for affected systems and MOVEit Service Account. See KB 000115941.
3. Apply the Patch:
   

   Affected Version	Fixed Version	Documentation
   MOVEit Transfer 2023.0.0 (15.0)	MOVEit Transfer 2023.0.1	MOVEit 2023 Upgrade Documentation
   MOVEit Transfer 2022.1.x (14.1)	MOVEit Transfer 2022.1.5	MOVEit 2022 Upgrade Documentation
   MOVEit Transfer 2022.0.x (14.0)	MOVEit Transfer 2022.0.4	MOVEit 2022 Upgrade Documentation
   MOVEit Transfer 2021.1.x (13.1)	MOVEit Transfer 2021.1.4	MOVEit 2021 Upgrade Documentation
   MOVEit Transfer 2021.0.x (13.0)	MOVEit Transfer 2021.0.6	MOVEit 2021 Upgrade Documentation
   MOVEit Transfer 2020.1.x (12.1)	Special Patch Available	See KB 000234559
   MOVEit Transfer 2020.0.x (12.0) or older	MUST upgrade to a supported version	See MOVEit Transfer Upgrade and Migration Guide
   MOVEit Cloud	MOVEit Transfer 14.1.4.94 MOVEit Transfer 14.0.3.42	All MOVEit Cloud systems are fully patched at this time. Cloud Status Page

   
   Patches for all supported MOVEit Transfer versions are available here.
4. Verification:
   1. To confirm the files have been successfully deleted and no unauthorized accounts remain, follow steps 2a again. If IoCs (Indicators of Compromise) are found, reset the service account credentials again.
5. Enable all HTTP and HTTPs traffic to MOVEit Transfer environment.
6. Continuous Monitoring
   1. Monitor network, endpoints, and logs for IoCs (Indicators of Compromise): See file attachment cve-2023-34362-iocs.xlsx located in this article for IoCs (Indicators of Compromise). Progress Software has recommended that if any of the indicators are noticed, contact security and IT teams and open a ticket with Progress Technical Support at: https://community.progress.com/s/supportlink-landing. 

In addition, MOVEit requests following the below best practices:

• Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
• Review and remove any unauthorized user accounts. See Progress MOVEit Users Documentation article.
• Update remote access policies to only allow inbound connections from known and trusted IP addresses. For more information on restricting remote access, please refer to SysAdmin Remote Access Rules and Security Policies Remote Access guide.
• Allow inbound access only from trusted entities (e.g., using certificate-based access control).
• Enable multi-factor authentication. To enable MFA, please refer to the MOVEit Transfer Multi-factor Authentication Documentation.

---------------------------------------------------------------------------

We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback please let us know at product@visotrust.com.

For any additional questions, please reach out to your customer success manager.

The VISO Trust team