Here we go again.
Yesterday, Progress Software disclosed a SQL injection vulnerability in the widely deployed MOVEit Transfer web application. Two months ago, Fortra, the company behind Cobalt Strike, disclosed a zero-day remote code execution (RCE) vulnerability in its GoAnywhere managed file transfer tool.
According to yesterday’s news, Progress Software's MOVEit Transfer managed file transfer application has come under widespread exploitation in the wild to take over vulnerable systems. On June 1, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory for MOVEit Transfer, and a CVE identifier has been assigned.
This is a critical issue, affecting both the security of data and the stability of systems using the software. Here’s what you need to know about the vulnerability and next steps.
What is the MOVEit Zero-Day Vulnerability?
Progress Software’s MOVEit Transfer is a widely used managed file transfer software that provides secure collaboration and automates the movement of sensitive data between users, systems, and businesses. Cybersecurity researchers recently discovered a zero-day vulnerability in MOVEit, which applies to all versions of MOVEit Transfer, according to Progress Software. A patch for the vulnerability was released this morning.
This vulnerability allows an attacker to execute arbitrary code remotely on the victim's system. The flaw in MoveIT Transfer is a severe SQL injection vulnerability, allowing attackers to gain unauthorized access to databases and potentially escalate privileges.
This loophole is due to an insecure file handling mechanism in MOVEit, which fails to properly sanitize user-provided input. This allows an attacker to upload malicious files to the server, initiating a remote code execution (RCE) attack. This type of attack could potentially give the attacker full control over the victim’s system. The SQL injection vulnerability in MoveIT Transfer can enable attackers to access sensitive data stored in the application's database. Successful exploitation of the flaw can result in the deployment of a web shell, which can be used to exfiltrate data from the compromised system.
How is the MOVEit Transfer Vulnerability Being Exploited?
BleepingComputer has reported that threat actors are already exploiting the vulnerability to perform mass data downloads from organizations. Threat intelligence firms have observed scanning activity targeting MoveIT Transfer installations, indicating an increased interest from threat actors. This highlights the importance of moving quickly to remediate risk by patching the vulnerability, and or considering alternative solutions for large file sharing with stronger security.
What Data Is at Risk?
Given the nature of MOVEit as a file transfer solution — and the fact that the vulnerability is already being exploited in the wild for data exfiltration — the types of data at risk could be vast and potentially catastrophic for businesses. This could include confidential customer information, financial data, intellectual property, or other sensitive proprietary data — and that includes both data managed directly within MOVEit as well as other data on the customer’s server.
More specifically, since the vulnerability allows for remote code execution, attackers could gain full control of the system running MOVEit. They could then manipulate, steal, or even destroy data, disrupt services, and use the compromised system as a launching pad for further attacks.
What Should Technology Leaders Do?
1. Mitigate the Potential for Additional Data Loss
Minimally, terminate public traffic to the application server and/or compromised ports. Consider implementing compensatory controls such as network segmentation, limiting access to the MOVEit system, and enhancing monitoring for any suspicious activities.
2. Apply Patches Immediately
Progress Software and its subsidiary, Ipswitch, have released a patch.
3. Understand What Data Was Exposed and Potentially Exploited
Look to trusted sources to understand an active attack’s behavior. In the case of this MOVEit Transfer vulnerability, review audit logs for potentially unexpected activity and look specifically for various commands using 'X-siLock-Step1', 'X-siLock-Step2', and 'X-siLock-Step3' request headers.
4. Assess Your Risk
This incident should trigger a comprehensive risk assessment of your data management systems. Consider the nature of your data, how it is transferred, and how a breach could impact your organization. This is especially critical for organizations that must meet strict compliance regulations like ITAR, CMMC, HIPAA, CJIS, etc.
5. Update Incident Response Plans
This is an excellent time to review and, if necessary, update your incident response plan. Ensure your team knows what steps to take if a breach is detected.
3 Reasons to Consider Virtru Secure Share as an Alternative to Progress MOVEit Transfer
1. Platform Matters
Virtru Secure Share offers a simple way to share large files without needing on-premises servers or manual security patches. The Virtru Platform that hosts Secure Share undergoes regular, independent, third-party audits to validate and demonstrate our commitment to the highest levels of security, including compliance with some of the most rigorous standards such as FedRAMP, SOC 2, and more. Moreover, FIPS 140-2 compliant services that meet military-grade encryption are available for all of Virtru’s products.
2. Elevated Data Security and File Encryption
Virtru products ensure that you and you alone are the final arbiter of who can decrypt your data. Host your private keys wherever you like, and let Virtru do the rest. From high-volume key exchanges to policy management, with Virtru Private Keystore, your organization can collaborate in the cloud with confidence that your data remains under your control.
3. Control Z for Data Sharing
With Virtru Secure Share, your team can easily share sensitive information with third parties and retain policy control over the files, even after they have left your possession. Granular data controls provide you and your organization complete confidence that your information is safe and secured, whether purposely shared or otherwise.
How Virtru Can Help: Try Virtru Secure Share Free for 3 Months
If your organization has been impacted by the MOVEit Transfer zero-day vulnerability — or if you’re just evaluating other secure file transfer options — Virtru can help.
We’re offering our Secure Share file-sharing service free for 3 months. Contact our team today to start the conversation and get your free access.
