September 22, 2023

Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer product to steal data from organizations.

MOVEit Transfer is a managed file transfer product used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads.

The vulnerability is a SQL injection flaw that can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.


Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.

The vulnerability affects all MOVEit Transfer versions, but it doesn’t affect the cloud version of the product. Patches are available for versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). The vulnerability is yet to be assigned a CVE identifier and a CVSS score.

Multiple security firms are warning that the vulnerability has been actively exploited in the wild.

GreyNoise researchers have observed scanning activity for the login page of MOVEit Transfer, located at /human.aspx, as early as March 3rd, 2023; for this reason, the experts recommend that Progress customers review potentially malicious activity recorded in the last 90 days.


Rapid7 researchers discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States.

Threat actors exploit the vulnerability to establish a webshell (‘human2.aspx’) in the ‘wwwroot’ folder of the MOVEit software.

Mitigations

  • Deny all HTTP (TCP/80) and HTTPS (TCP/443) traffic to the MOVEit environment.
  • Isolate the servers by blocking inbound and outbound traffic, inspect the environments for possible indicators of compromise and, if any are found, delete them before applying the fixes.
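As an added defender's check that is not part of the original article, the following Python parses IIS W3C extended logs for requests to the human2.aspx webshell path mentioned above, restricted to the 90-day review window GreyNoise suggests. The log lines and client IPs are constructed sample data, and the field layout assumed is the IIS default `#Fields:` header.

```python
"""Flag IIS requests to the MOVEit webshell path human2.aspx (added example)."""
from datetime import datetime, timedelta

# Constructed sample log in IIS W3C extended format; the IPs are
# documentation ranges, not indicators from any real incident.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-05-27 22:10:03 198.51.100.7 GET /human.aspx - 200
2023-05-28 03:12:44 203.0.113.10 GET /human.aspx - 200
2023-05-28 03:13:05 203.0.113.10 POST /human2.aspx - 200
2023-05-29 11:02:33 203.0.113.10 GET /HUMAN2.ASPX - 404
2023-05-29 11:05:10 198.51.100.7 GET /human.aspx - 200
"""

# The legitimate login page is /human.aspx; /human2.aspx has no business
# being requested on a healthy MOVEit Transfer install.
WEBSHELL_STEM = "/human2.aspx"


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_webshell_hits(text, now=None, lookback_days=90):
    """Return (timestamp, ip, method, status) for each request whose URI stem
    is human2.aspx within the lookback window. A 404 is still worth keeping:
    it can mean the shell was removed, or that an attacker probed for it."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now()
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for rec in parse_iis_log(text):
        if rec["cs-uri-stem"].lower() != WEBSHELL_STEM:
            continue
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        if ts >= cutoff:
            hits.append((ts, rec["c-ip"], rec["cs-method"], int(rec["sc-status"])))
    return hits


if __name__ == "__main__":
    for hit in find_webshell_hits(SAMPLE_LOG, now="2023-06-01T00:00:00"):
        print(hit)
```

Point the parser at the real IIS log directory of the MOVEit host and keep any hit, together with the client IP, for the incident record before the server is cleaned and patched.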

Indicators of Compromise
