Finding MOVEit File Transfer Services

Reports of active exploitation of a zero-day vulnerability in the MOVEit file transfer software are making the rounds this week. The vendor, Progress Software, has released an advisory and this issue has now been assigned CVE-2023-34362. Attackers are abusing a SQL injection vulnerability in the web interface of MOVEit to deploy a web shell and gain access to the data stored within the platform.

What is the MOVEit Managed File Transfer service? #

The MOVEit Managed File Transfer is Windows-based application that supports secure file transfers through a web interface, as well as using SSH and SFTP. Progress Software states that “MOVEit provides secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting. Encryption and activity tracking enable compliance with regulations such as PCI, HIPAA and GDPR”. MOVEit is widely used for transferring sensitive information between a regulated organization and outside parties. MOVEit services are exposed to the internet by design, as this is necessary for users outside of the organization to use the service.

What is the impact? #

Multiple security service providers, including Rapid7 are reporting active exploitation of this issue, with the attack resulting in the installation of “web shell”, often accessed through the path “/human2.aspx”. Progress Software’s advisory indications that users should look for indicators of compromise (IoCs) going back at least 30 days, indicating that this issue may have been actively exploited for weeks, and is only now coming to light. A compromise of the MOVEit server can lead to full exposure of all files managed by the service, access to the user database of the service, and could provide a foothold into the organization’s network, depending on network segmentation rules.

Are updates available? #

On May 31th, Progress posted an advisory, including a download link to a patch. This advisory also describe some of the indicators of compromise and what paths and types of logs to look for to determine if the system was breached.

How do I find potentially vulnerable Progress MOVEit Managed File Transfer services with runZero? #

From the Service inventory, use the following prebuilt query to locate all Progress MOVEit Managed File Transfer web services across your network:

_asset.protocol:http protocol:http (http.head.setCookie:"MIDMZLang" OR favicon.ico.image.md5:9dffe2772e6553e2bb480dde2fe0c4a6)

Results from the above query should be reviewed for indicators of compromise and updated with the latest patch from Progress.

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Get runZero for free

Don’t have runZero and need help finding MOVEit Managed File Transfer services?

Get started