Hackers Target MOVEit Transfer’s Zero-Day Vulnerability, Emergency Patch Deployed

Cybersecurity experts are raising a flag about a potential zero-day exploit vulnerability of a popular file transfer tool which could result in a huge security disaster as thousands of organizations actively use it. MOVEit Transfer managed file transfer (MFT) is a popular file transfer tool used by thousands of organizations across the world. It allows users to share large files and datasets over the internet safely and effortlessly.

Details on The Threat

Researchers found a glitch or backdoor, a vulnerability to this famous corporate file transfer tool that could hand over potential unauthorized access and/or escalated privileges to any intruder. And the threat is actually confirmed by Progress Softwares, the parent company owning Ipswitch, developer of MOVEit Transfer.

This exploit is possible due to a SQL injection vulnerability present in the MOVEit Transfer web application. Using the weakness an intruder could get information regarding the structure and contents of the database any of the widely used database engines including MySQL, Microsoft SQL Server, or Azure SQL is used. To some extent, the vulnerability even allows a hacker to execute SQL statements that can alter or delete database elements.

A Real Threat Or Just Another Hoax?

Below quotation is directly from the mother company that owns the affected software – 

“Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch”

If this statement alone is not enough, let’s see what other experts are saying about this. 

America’s Cyber Defence Agency CISA has advised all users and organizations to review their current status of MOVEit Transfer Advisory and follow all the mitigation and security checks advised by the developer company.

In addition, this vulnerability also reaches out to the cloud platform users of MOVEit Transfer. Apart from the large user base in the healthcare industry and several big financial institutions, there is at least one incident where the U.S. Department of Homeland Security is somehow connected, suggested security researcher Kevin Beaumont. 

Is There Any Remedy?

The nature of zero-day vulnerability is that they are not preventable. However, security experts are continuously working to mitigate any potential disaster. There are also emergency mitigation steps recommended by the vendor itself, progress software, and almost everyone is suggesting to follow the process for the best available safety to the vulnerability. Let’s take a look at it. 

Suggested Mitigation Steps

Progress Software suggests implying below steps ASAP to prevent any further exploitation

Disabling all HTTP and HTTPs traffic

Modify the firewall rules to deny HTTP and HTTPs traffic until the patch is applied

Review, Delete and Reset

Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. Look for any unauthorized files or user accounts, specifically delete any instances of the human2.aspx and .cmdline script files. Reset service account credentials for affected systems

Patch Applying 

Patches for various MOVEit Transfer versions are made available by the vendor, in this step apply the patch. If the version is outdated, immediately update the software version.

Enabling HTTP and HTTPs traffic

In this step, re-enable the inbound traffic

Further Verification

To successfully verify that no unauthorized accounts are there, follow the Review, Delete and Reset step again. If no further issue is found, continue to the next step, if found, reset the service account residential again.

Always Keep Monitoring

It’s always a best practice to keep monitoring the whole scenario. Further details about the mitigation steps could be found here.

For the user’s safety. It’s always recommended to  follow the mitigation steps, apply the necessary patches & updates, and always stay wary for any suspicious activity.