A bunch of people have alerted me to a vulnerability in #MoveIT, a secure file transfer app used heavily in the UK.

I did some digging and it looks like it’s a zero day under active exploitation. Not 100% on threat actor yet but it may be one of the ransomware/extortion groups.

Really serious, impacted orgs should shut down the server. Thread follows. #threatintel


#MoveIT Transfer looks like this, it’s an enterprise MFT solution. It looks like somebody has been stealing stuff.
If it turns out to be a ransomware group again this will be the second enterprise MFT zero day in a year, cl0p went wild with GoAnywhere recently. Also their third MFT zero day.

I would recommend orgs who run #MoveIT Transfer do three things:

- Remove network connectivity/contain
- Check for newly created or altered .asp* files
- Retain a copy of all IIS logs and network data volume logs.

Webshells have been getting dropped. Microsoft Safety Scanner is a good tool to run. https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download

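An added triage script for the three steps above (contain, look for new or altered .asp* files, retain IIS logs); this is example code written for this page, not tooling from the thread author or from Progress. The MOVEit web root, evidence path and lookback window are assumptions set as parameters: `C:\MOVEitTransfer\wwwroot` is assumed to be the install location, `C:\inetpub\logs\LogFiles` is the IIS default, and `D:\ir-evidence` is a placeholder for an external or offline volume. Run it from an elevated PowerShell session on the host after it has been taken off the network.

```powershell
# Added example, not the thread author's tooling. Paths below are assumptions;
# adjust -WebRoot to where MOVEit Transfer is actually installed.
param(
    [string]$WebRoot      = 'C:\MOVEitTransfer\wwwroot',  # assumed MOVEit web root
    [string]$IisLogRoot   = 'C:\inetpub\logs\LogFiles',   # IIS default log location
    [string]$Evidence     = 'D:\ir-evidence',             # placeholder: external/offline volume
    [int]   $LookbackDays = 45                            # thread: webshells began "a few weeks ago"
)

$ErrorActionPreference = 'Stop'
$since = (Get-Date).AddDays(-$LookbackDays)
New-Item -ItemType Directory -Force -Path $Evidence | Out-Null

# 1. Server-side script files (.asp, .aspx, .ashx, .asmx, ...) created or
#    modified inside the lookback window. Hash them before anything else touches them.
$suspect = Get-ChildItem -Path $WebRoot -Recurse -File -Include '*.asp*' |
    Where-Object { $_.CreationTimeUtc -ge $since -or $_.LastWriteTimeUtc -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTimeUtc
            LastWrite = $_.LastWriteTimeUtc
            SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        }
    }
$suspect | Export-Csv -NoTypeInformation -Path (Join-Path $Evidence 'recent-asp-files.csv')

# 2. Preserve the IIS logs as a copy, with a hash manifest for chain of custody.
$logCopy = Join-Path $Evidence 'iis-logs'
Copy-Item -Path $IisLogRoot -Destination $logCopy -Recurse -Force
Get-ChildItem -Path $logCopy -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -NoTypeInformation -Path (Join-Path $Evidence 'iis-log-hashes.csv')

# 3. Cross-reference: pull every logged request whose URL names one of the suspect
#    files, so the IR team can see when each file was first hit and from where.
$names = $suspect | ForEach-Object {
    [regex]::Escape($_.Path.Substring($WebRoot.Length).Replace('\', '/'))
}
if ($names) {
    $pattern = ($names -join '|')
    Get-ChildItem -Path $logCopy -Recurse -Filter '*.log' |
        Select-String -Pattern $pattern |
        ForEach-Object { $_.Line } |
        Set-Content -Path (Join-Path $Evidence 'requests-to-suspect-files.txt')
}

# Summary on screen; the CSV/TXT files in $Evidence are the artefacts to hand over.
$suspect | Format-Table -AutoSize
```

Two points worth keeping in mind when using it: the file list is a starting point for analyst review, not a verdict, since legitimate patches also write .asp* files, so compare hashes against a known-good install of the same version; and the IIS copy should be taken before any reboot or log rotation, because step 3 is only as good as the logs that survive.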

🫣
Today is going to be fun. #MoveIT
New MOVEit Transfer zero-day mass-exploited in data theft attacks

Hackers are actively exploiting a zero-day vulnerability in the MOVEit Transfer file transfer software, tracked as CVE-2023-34362, to steal data from organizations.

BleepingComputer

With #MoveIT Transfer, stuff I know so far:

- Huge US footprint, including US government. It's quite expensive, so mostly western enterprises.

- It's definitely a zero day, although vendor doesn't want to say it obvs.

- Everyone online is still vulnerable. This includes some big banks etc.

- Webshells started being planted a few weeks ago, multiple incidents running at multiple orgs during that timeframe who detected activity.

Vendor appears pretty responsive and good so far.

One additional update on #MoveIT - I'm reliably told this incident also impacted their SaaS cloud offering of the same product. They may have to wordsmith around this.
@GossiTheDog Ipswitch FTP, now there's a blast-from-the-past! That was, ... before browsers did ftp???