15 June 2023 - Critical vulnerability in MOVEit Transfer - CVE-2023-35708

A critical security vulnerability has been discovered in Progress Software's file transfer tool named MOVEit Transfer. The vulnerability is of the SQL injection type and concerns the tool's web application.

Its exploitation could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. The consequences are:

• Unauthorized access to sensitive information.
• Alteration or modification of data integrity, for malicious purposes.

MOVEit versions affected

The following MOVEit versions are vulnerable:

• MOVEit Transfer versions prior to 2021.0.8 (13.0.8), 2021.1.6 (13.1.6).
• Versions 2022.0.6 (14.0.6), 2022.1.7 (14.1.7).
• Version 2023.0.3 (15.0.3).

Indicators of compromise (IOCs)

IOCs are observable signs that an attack has taken place. For this MOVEit vulnerability, the IOCs identified so far are as follows:

• Presence of a malicious webshell named human2.aspx in the C:\MOVEitTransferwwwroot directory.
• Communications with the following IP addresses: 89.39.105[.]108, 5.252.190[.]0/24, 5.252.189-195[.]x, 148.113.152[.]144, 138.197.152[.]201 and 209.97.137[.]33.

Checks to be made

• If you're using MOVEit, check whether your version is vulnerable.
• If your version is vulnerable, check for the webshell human2.aspx in the C:\MOVEitTransfer\wwwroot directory.
• Check your firewall for communications with the IP IOCs listed above.
• No action required if you're not using MOVEit

Apply patches as soon as possible

• Patches for this vulnerability can be downloaded from this link.

Temporary measures to take

If for some reason you can't apply the patches immediately, here are some temporary measures you can take:

• Block all external HTTP/80 and HTTPS/443 traffic to your MOVEit Transfer environment in your firewall.
• Access the application temporarily via SFTP/FTPS protocols.
• MOVEit administrators are advised to access the application temporarily via an RDP connection to the server. Do not access via HTTP/HTTPS.

What to do if you find the file human2.aspx on your MOVEit server

Consider yourself hacked. Take the following steps:

• Declare a security incident, isolate the MOVEIT server and activate your incident response plan.
• Follow these recommendations (see section 2. Review, Delete and Reset)

Ongoing exploitation of the vulnerability

Several cases of exploitation of the vulnerability have been reported. In addition, the critical severity level of the vulnerability indicates that the attack is easy to execute. So act quickly if you're vulnerable.

What is a webshell?

A webshell is a malicious computer program from the shellcode family. It is launched remotely against a target that has a web/HTTP/HTTPS-only vulnerability. Exploiting the vulnerability can take control of the target, execute a malicious tool remotely (Trojan horse, ransomware, reverse-shell, etc.), stop the antivirus or EDR, and so on.

Antivirus, EDR and SIEM don't protect you against webshells and shellcodes.

The only tools dedicated to detecting such attacks are intrusion detection/prevention systems (IDS/IPS/NDR) and WAFs (Web Application Firewalls).

Response measures taken by Streamscan

Our MDR security monitoring team maintains 24/7 vigilance in monitoring the security of your network.

How can Streamscan help?

Cyber attacks are exploding all the time. Without continuous security monitoring, you're completely blind to the attacks targeting you. You can't defend against what you can't see.

Let us put our eyes on your network. Join our MDR managed monitoring platform powered by our IDS/IPS named CDS and protect yourself from cyberattacks.

Contact us at +1 877 208-9040 or talk to one of our experts.