Before You Read: This article is about a developing situation. While the steps below are accurate as of the date of this publication, we recommend visiting the Progress MOVEit Product Forum for the latest information and up-to-date mitigation steps. 

On May 31, 2023, Progress announced a critical vulnerability in its file transfer software product, MOVEit Transfer. In this article, we're going to give you a quick summary of what MOVEit Transfer is, what you need to know about the vulnerability, how to know if you're affected, and what steps you may need to take.

About MOVEit Transfer

MOVEit Transfer is a secure managed file transfer (MFT) application by a company called Progress. MOVEit Transfer was originally developed by a company called Ipswitch, which was acquired by Progress in 2019.

About the Vulnerability

A SQL injection vulnerability was discovered which could allow an unauthenticated malicious actor to gain unauthorized access to the MOVEit Transfer database. Once in, the malicious actor could not only read certain databases, but could also potentially modify and/or delete information from the database.

The vulnerability has been assigned CVE-2023-34362. Refer to the NIST National Vulnerability Database (NVD) for more information.

Are You Affected?

Your organization may be affected by this vulnerability if you:

  • Use MOVEit Transfer. Check your IT asset inventory and/or vendor list to determine if your organization has a relationship with this third party. Be sure to look for other names the vendor may go by (e.g., Ipswitch, Progress, etc.).

  • Use a third party who uses MOVEit Transfer. Check with your critical third-party service providers (e.g., Fiserv, Jack Henry, etc.) to determine if they use MOVEit Transfer in any of their products.

Mitigation Steps

If your organization uses MOVEit Transfer, follow the six steps outlined in the "Recommended Remediation" section of the vulnerability notification by Progress.

  1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
  2. Review for any unauthorized files and user accounts. Progress has provided a list of indicators of compromise (IOCs), including folder paths, file names, HTTP requests, user accounts, and IP addresses which may mean there has been a compromise.
  3. Apply the patch. Check your version number to determine which patch would be the correct one to install.
  4. Re-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
  5. Verify. Confirm all IOCs have been removed. If any remain, repeat the process until all IOCs have been removed.
  6. Continuous monitoring.
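
One way to carry out the log portion of the IOC review in steps 2 and 5, as an added example that is not from Progress or the original article. It assumes the web server writes W3C extended-format logs; the IOC values and log lines are constructed placeholders, so substitute the indicators published by Progress.

```python
"""IOC sweep for steps 2 and 5: match W3C-format web logs against an IOC list.
All IOC values below are constructed placeholders; load the real ones from
the Progress advisory."""
import ipaddress

# Constructed placeholder IOCs (NOT real indicators).
IOCS = {
    "uri_stems": {"/example-ioc-file.aspx"},
    "client_ips": [ipaddress.ip_network("203.0.113.0/28")],
}

# Constructed sample log in W3C extended format (field order set by #Fields).
SAMPLE_LOG = """\
#Software: Example Web Server
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2023-05-30 10:01:02 GET /index.aspx 198.51.100.7 200
2023-05-30 10:05:40 POST /Example-IOC-File.aspx 198.51.100.9 200
2023-05-30 10:06:11 GET /index.aspx 203.0.113.5 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-05-31 02:14:00 203.0.113.9 GET /example-ioc-file.aspx 404
"""

def sweep(log_text, iocs):
    """Return (line_no, reasons, record) for every log entry matching an IOC."""
    fields, hits = [], []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):     # malformed or truncated line: skip
            continue
        rec = dict(zip(fields, values))
        reasons = []
        if rec.get("cs-uri-stem", "").lower() in iocs["uri_stems"]:
            reasons.append("uri")          # case-insensitive path match
        try:
            ip = ipaddress.ip_address(rec.get("c-ip", ""))
            if any(ip in net for net in iocs["client_ips"]):
                reasons.append("ip")
        except ValueError:
            pass                           # c-ip column did not hold an address
        if reasons:
            hits.append((line_no, reasons, rec))
    return hits

if __name__ == "__main__":
    for line_no, reasons, rec in sweep(SAMPLE_LOG, IOCS):
        print(line_no, ",".join(reasons), rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
```

Run the same sweep again after patching (step 5) against logs written since the cleanup. Log matches cover only the HTTP request and IP address indicators, so files, folders, and user accounts still need their own review.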

If your third parties use MOVEit Transfer, request a statement from them about whether the vulnerability has been patched. Add the statement to your incident tracking system and vendor management program.

We encourage you to continue to monitor information provided by Progress as information about this vulnerability is still developing.

Update: June 9, 2023

On June 9, 2023, Progress announced additional vulnerabilities in the MOVEit platform, along with new recommendations for remediation and patches.

These updated vulnerabilities have been assigned CVE-2023-35036. Refer to the NIST National Vulnerability Database (NVD) for more information.

Update: June 15, 2023 

On June 15, 2023, Progress announced additional vulnerabilities in the MOVEit platform, along with new recommendations for remediation and patches. 

These updated vulnerabilities have been assigned CVE-2023-35708. Refer to the NIST National Vulnerability Database (NVD) for more information. 

Update: July 6, 2023 

On July 6, 2023, Progress announced additional vulnerabilities in the MOVEit platform, along with new recommendations for remediation and patches. 

These updated vulnerabilities have been assigned CVE-2023-36934, CVE-2023-36932, and CVE-2023-36933. Refer to the NIST National Vulnerability Database (NVD) for more information. 

Additional Resources

For additional information, check out these resources:

Need Help?

The CoNetrix Technology and CoNetrix Security teams are available to answer your questions and help with the mitigation process. Contact our team through our website at CoNetrix.com/ContactUs. If you are a current customer, you can email the CoNetrix support inbox.