Kevin BeaumontJun 1, 2023

A bunch of people have alerted me to a vulnerability in #MoveIT, a secure file transfer app used heavily in the UK.

I did some digging and it looks like it’s a zero day under active exploitation. Not 100% on threat actor yet but it may be one of the ransomware/extortion groups.

Really serious, impacted orgs should shut down the server. Thread follows. #threatintel

Show threadKevin BeaumontJun 1, 2023
Vendor advisory on #MoveIT https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023?utm_medium=email&utm_source=eloqua&elqTrackId=8fb5ca12495f444f8edd44fd2dccb5a8&elq=32a68db8e7f64ee4b43c39dd90b972e6&elqaid=31439&elqat=1&elqCampaignId=38129
Progress Customer Community

Show threadKevin BeaumontJun 1, 2023
#MoveIT Transfer looks like this, it’s an enterprise MFT solution. It looks like somebody has been stealing stuff.
Show threadKevin BeaumontJun 1, 2023
If it turns out to be a ransomware group again this is will be the second enterprise MFT zero day in a year, cl0p went wild with GoAnywhere recently. Also their third MFT zero day.
Show threadKevin BeaumontJun 1, 2023

I would recommend orgs who run #MoveIT Transfer do three things:

- Remove network connectivity/contain
- Check for newly created or altered .asp* files
- Retain a copy of all IIS logs and network data volume logs.

Webshells have been getting dropped. Microsoft Safety Scanner is a good tool to run. https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download

Microsoft Safety Scanner Download

Get the Microsoft Safety Scanner tool to find and remove malware from Windows computers.

Show threadKevin BeaumontJun 1, 2023
🫣
Show threadJason?
@GossiTheDog to be fair, there's probably been very little data loss. In fact, I bet there are numerous copies now.
Jun 1, 2023 at 5:38pmWeb