How to find MOVEit File Transfer Services

What is the MOVEit Managed File Transfer service?

MOVEit Managed File Transfer is a Windows-based application that supports secure file transfers through a web interface as well as over SSH and SFTP. Progress Software states that "MOVEit provides secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting. Encryption and activity tracking enable compliance with regulations such as PCI, HIPAA and GDPR". MOVEit is widely used for transferring sensitive information between a regulated organization and outside parties. MOVEit services are exposed to the internet by design, since users outside of the organization must be able to reach the service.

Latest MOVEit Managed File Transfer service vulnerability

Reports of active exploitation of a zero-day vulnerability in the MOVEit file transfer software are making the rounds this week. The vendor, Progress Software, has released an advisory and this issue has now been assigned CVE-2023-34362. Attackers are abusing a SQL injection vulnerability in the web interface of MOVEit to deploy a web shell and gain access to the data stored within the platform.

What is the impact?

Multiple security service providers, including Rapid7, are reporting active exploitation of this issue, with the attack resulting in the installation of a web shell, often accessed through the path "/human2.aspx". Progress Software's advisory indicates that users should look for indicators of compromise (IoCs) going back at least 30 days, which suggests that this issue may have been actively exploited for weeks and is only now coming to light. A compromise of the MOVEit server can lead to full exposure of all files managed by the service, access to the user database of the service, and could provide a foothold into the organization's network, depending on network segmentation rules.

Are updates available?

On May 31st, Progress posted an advisory, including a download link to a patch. This advisory also describes some of the indicators of compromise and which paths and types of logs to look for to determine whether the system was breached.

How do I find potentially vulnerable Progress MOVEit Managed File Transfer services with runZero?

From the Service inventory, use the following prebuilt query to locate all Progress MOVEit Managed File Transfer web services across your network:

_asset.protocol:http protocol:http (http.head.setCookie:"MIDMZLang" OR favicon.ico.image.md5:9dffe2772e6553e2bb480dde2fe0c4a6)

Query: Progress Software MOVEit Managed File Transfer web service

Results from the above query should be reviewed for indicators of compromise and updated with the latest patch from Progress.
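The query above fingerprints MOVEit by two signals, a "MIDMZLang" Set-Cookie header or a known favicon MD5, and the follow-up step is to review the matching hosts for the "/human2.aspx" web shell path named earlier. The script below is an added example, not runZero's code or a tool from Progress: it applies the same two-part fingerprint to a captured HTTP response and then scans IIS W3C log lines for requests to that path, honoring the advisory's suggested lookback window. The favicon hash and the cookie name are taken from the query as written; the log lines, IP addresses and timestamps are constructed sample data, and the function names are my own.

```python
import hashlib
from typing import Dict, Iterable, List, Optional, Set

# Fingerprints taken from the runZero query quoted in this post: the MIDMZLang
# cookie set by the MOVEit web UI and the MD5 of its default favicon.
MOVEIT_COOKIE = "MIDMZLang"
MOVEIT_FAVICON_MD5: Set[str] = {"9dffe2772e6553e2bb480dde2fe0c4a6"}

# Path named in the post as where the deployed web shell is commonly reached.
WEBSHELL_PATH = "/human2.aspx"


def favicon_md5(data: bytes) -> str:
    """Hex MD5 of a favicon body, the same value the query compares against."""
    return hashlib.md5(data).hexdigest()


def looks_like_moveit(headers: Dict[str, object],
                      favicon: Optional[bytes] = None,
                      known_favicons: Set[str] = MOVEIT_FAVICON_MD5) -> bool:
    """Apply the post's two-part fingerprint to one captured HTTP response.

    `headers` maps response header names to values; Set-Cookie may be a
    single string or a list of strings when the server sends several cookies.
    """
    raw = headers.get("Set-Cookie", [])
    cookies = [raw] if isinstance(raw, str) else list(raw)
    # Cookie names are compared exactly, not by substring, so a cookie such
    # as "XMIDMZLangY" does not count as a match.
    if any(c.split("=", 1)[0].strip() == MOVEIT_COOKIE for c in cookies):
        return True
    return favicon is not None and favicon_md5(favicon) in known_favicons


def find_webshell_hits(log_lines: Iterable[str],
                       since: Optional[str] = None) -> List[Dict[str, str]]:
    """Return IIS W3C log records whose URI stem is the web shell path.

    Field order comes from the log's own "#Fields:" directive, so this works
    for any IIS field selection that includes cs-uri-stem. `since` is an ISO
    date ("YYYY-MM-DD"); the advisory recommends looking back at least 30
    days, so a caller would normally pass today minus 30 days.
    """
    fields: List[str] = []
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # no field map yet, or a malformed row
        row = dict(zip(fields, values))
        if since and row.get("date", "") < since:
            continue
        if row.get("cs-uri-stem", "").lower() == WEBSHELL_PATH:
            hits.append({k: row.get(k, "-") for k in
                         ("date", "time", "c-ip", "cs-method", "cs-uri-stem")})
    return hits


# Constructed sample log (not real data): two requests to the web shell path
# from one external address, plus one unrelated request that must not match.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 03:12:44 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 03:12:50 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 03:13:02 10.0.0.5 GET /other.aspx - 443 jdoe 198.51.100.4 Mozilla/5.0 200
"""

if __name__ == "__main__":
    # Constructed response: the MOVEit cookie is present, favicon not fetched.
    print(looks_like_moveit({"Set-Cookie": "MIDMZLang=en; path=/; HttpOnly"}))
    for hit in find_webshell_hits(SAMPLE_IIS_LOG.splitlines(), since="2023-05-01"):
        print(hit)
```

The cookie check matches the cookie name exactly rather than by substring, and the log parser takes its column layout from the "#Fields:" line instead of assuming fixed positions, since IIS logging configurations differ between servers. A hit list from this script is a starting point for the review the post calls for, not a verdict on its own.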

As always, any prebuilt queries are available from your runZero console. Check out the documentation for other useful inventory queries.

Written by HD Moore

HD Moore is the co-founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.