On May 31, 2023, Progress released a security advisory warning customers of a critical zero-day vulnerability being actively exploited in MOVEit Transfer, a managed file transfer (MFT) solution. Exploitation of this vulnerability can lead to escalated privileges and unauthorized access to the MOVEit Transfer environment, allowing threat actors to steal data and extort organizations. The vulnerability is tracked as CVE-2023-34362 and affects all versions of MOVEit Transfer, including end-of-life (EOL) versions. Progress has released patches in its advisory.
Arctic Wolf has observed this vulnerability being actively exploited in the wild in campaigns where webshells are loaded onto victim systems. Every webshell we observed was named human2.aspx. Each webshell had a unique hash, because the threat actors configured a unique access password in each one; as a result, hunting on file hashes alone will miss these shells, and the filename (together with any recently created file under the MOVEit Transfer web root) is the more reliable indicator. Webshells give threat actors the ability to execute commands remotely on the target system and serve as a persistence mechanism.
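The hunt that follows from the observation above, written as an added example (it is not Arctic Wolf's or Progress's code): it looks for the human2.aspx filename under the MOVEit Transfer web root and, because each shell's hash differs, also sweeps for any recently created or modified server-side script or assembly there. The default web root path C:\MOVEitTransfer\wwwroot and the 30-day window are assumptions; adjust both to your install.

```powershell
# Added example, not code from Arctic Wolf or Progress.
# Assumptions: MOVEit Transfer is installed in the default location, so the
# web root is C:\MOVEitTransfer\wwwroot (override -WebRoot otherwise), and the
# 30-day window for the "recent change" sweep is an arbitrary starting point.
function Find-MoveitWebshell {
    param(
        [string]   $WebRoot = 'C:\MOVEitTransfer\wwwroot',
        [datetime] $Since   = (Get-Date).AddDays(-30)
    )

    # 1. Exact-name match. Every webshell in this campaign was named
    #    human2.aspx but carried a different hash (unique password per shell),
    #    so a hash blocklist misses them; the filename is the dependable IOC.
    $named = @(Get-ChildItem -Path $WebRoot -Recurse -File -Filter 'human2.aspx' `
                -ErrorAction SilentlyContinue)

    # 2. Broader sweep: server-side scripts and assemblies under the web root
    #    that were created or changed recently. Vendor-shipped files date from
    #    the last install or upgrade, so anything newer deserves a look (this
    #    also catches a shell the actor renamed).
    $recent = @(Get-ChildItem -Path $WebRoot -Recurse -File `
                  -Include '*.aspx','*.ashx','*.asmx','*.dll' -ErrorAction SilentlyContinue |
                Where-Object { $_.CreationTimeUtc -ge $Since -or $_.LastWriteTimeUtc -ge $Since })

    # One record per file, with a SHA256 for the incident ticket. Record the
    # hash for reporting; do not rely on it for detection.
    $named + $recent | Sort-Object FullName -Unique | ForEach-Object {
        $reason = if ($_.Name -ieq 'human2.aspx') { 'known webshell name' } else { 'recent change under web root' }
        [pscustomobject]@{
            Path     = $_.FullName
            Created  = $_.CreationTimeUtc
            Modified = $_.LastWriteTimeUtc
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Reason   = $reason
        }
    }
}

# Usage: run in an elevated PowerShell session on the MOVEit Transfer host.
Find-MoveitWebshell | Format-Table -AutoSize
```

Treat any hit as an incident, not just a cleanup task: preserve the file and the IIS logs before removing it, since the shell's presence means the database-facing compromise that precedes it has already happened.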
Arctic Wolf has not attributed this campaign to a specific threat actor; however, we have observed similar types of vulnerabilities in file transfer products like GoAnywhere MFT being exploited in the past by ransomware actors to exfiltrate sensitive data and extort victims for a ransom payment under the threat of leaking their data.
We continue to deploy detections in the Arctic Wolf platform to cover TTPs and IOCs observed in this campaign.
Recommendations For CVE-2023-34362
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
Recommendation #1: Apply Patches from Progress
Patches for all supported MOVEit Transfer versions are listed below; Progress maintains the list of supported versions in its product documentation.
We strongly recommend that customers running EOL versions of MOVEit Transfer migrate to a supported version as there is no patch available for EOL versions.
| Affected Version | Fixed Version | Documentation |
|---|---|---|
| MOVEit Transfer 2023.0.0 | MOVEit Transfer 2023.0.1 | MOVEit 2023 Upgrade Documentation |
| MOVEit Transfer 2022.1.x | MOVEit Transfer 2022.1.5 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2022.0.x | MOVEit Transfer 2022.0.4 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2021.1.x | MOVEit Transfer 2021.1.4 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2021.0.x | MOVEit Transfer 2021.0.6 | MOVEit 2021 Upgrade Documentation |
Recommendation #2: Prevent Unauthorized Access
If you are unable to apply the patches provided by the vendor, Progress recommends that you apply the following mitigation measures to help prevent unauthorized access to your MOVEit Transfer environment.
While the workaround is in place, administrators can still reach MOVEit Transfer by connecting to the Windows host over Remote Desktop and browsing to https://localhost/ on the host itself. For more information on localhost connections, refer to the MOVEit Transfer Help in the Progress documentation.
Step 1: Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
- Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.
- It is important to note that, until HTTP and HTTPS traffic is enabled again:
  - Users will not be able to log on to the MOVEit Transfer web UI
  - MOVEit Automation tasks that use the native MOVEit Transfer host will not work
  - REST, Java and .NET APIs will not work
  - The MOVEit Transfer add-in for Outlook will not work
- Please note: the SFTP and FTP/FTPS protocols will continue to work as normal
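The workaround above, carried out on the Windows host with the built-in firewall, as an added example (not Progress's or Arctic Wolf's code). It assumes Windows Firewall on the MOVEit Transfer server is the enforcement point (the same deny belongs on any perimeter firewall too) and that the web listener is on TCP 80 and 443; the rule name is arbitrary and exists so the block can be removed cleanly after patching.

```powershell
# Added example, not Progress's or Arctic Wolf's code. Assumptions: Windows
# Firewall on the MOVEit Transfer host is the enforcement point (mirror the deny
# on any perimeter firewall as well), and the web listener is on TCP 80 and 443.
$RuleName = 'MOVEit Transfer - block HTTP/HTTPS (CVE-2023-34362 workaround)'

function Block-MoveitWeb {
    # Inbound block on 80/443 for all profiles. In Windows Firewall a block rule
    # wins over any existing allow rule, so MOVEit's own allow rules can stay.
    # Loopback traffic is not subject to these rules, so https://localhost/ from
    # an RDP session on the host keeps working, which is the admin path Progress
    # describes. Note that this blocks every other site on the same IIS too.
    # SFTP and FTP/FTPS listen on other ports and are untouched.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 80,443 -Action Block -Profile Any -Enabled True | Out-Null
    }
    # Show the port filter so the reviewer can see exactly what is blocked.
    Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter
}

function Unblock-MoveitWeb {
    # Reverse the workaround only after the fixed version is installed and a
    # sweep of the web root for human2.aspx and other new files came back clean.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

# Usage (elevated PowerShell on the MOVEit Transfer host):
Block-MoveitWeb
# Then, from a different machine, confirm the block took effect
# (replace the hostname; a test from the server itself proves nothing
# because loopback bypasses the rule):
#   Test-NetConnection -ComputerName moveit.example.com -Port 443
# TcpTestSucceeded should report False.
```

Keep the rule name recorded in the change ticket: the most common failure with this workaround is that the block is never lifted after patching, or is lifted before the webshell sweep has been done.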