Vulnerability in MOVEit Transfer

A Vulnerability has been discovered in Progress Moveit Transfer, which could allow for potential unauthorized access to the environment, escalated privileges, and remote code execution. MOVEit Transfer is a managed file transfer software that allows the enterprise to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence There is threat intelligence of this vulnerability being exploited in the wild.
Systems Affected
MOVEit Transfer prior to 2023.0.1 MOVEit Transfer prior to 2022.1.5 MOVEit Transfer prior to 2022.0.4 MOVEit Transfer prior to 2021.1.4 MOVEit Transfer prior to 2021.0.6
Risk
Government:
– Large and medium government entities: High – Small government entities: Medium
Businesses: – Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Technical Summary A vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. Successful exploitation allows attackers to download and steal sensitive information such as list of stored files, usernames who uploaded the files, file paths, configured Azure Blob Storage accounts, data from Azure Blob Storage containers, data from servers, and so on. The attackers can also insert and delete a new random named MOVEit Transfer user with the login name ‘Health Check Service’ and create new MySQL sessions. Progress Software is advising MOVEit customers to check for indicators of unauthorized access over “at least the past 30 days”, as well as other remediation recommendations.
Recommendations
In addition to Progress remediation recommendations, the following actions are recommend to be taken:
Ensure your MOVEit application is receiving and applying updates, definitions, and security patches and mitigations recommended by Progress. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. Block execution of code on a system through application control, and/or script blocking.  Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.  Use signatures or heuristics to detect malicious software.