A bunch of people have alerted me to a vulnerability in #MoveIT, a secure file transfer app used heavily in the UK.
I did some digging and it looks like it’s a zero day under active exploitation. Not 100% on threat actor yet but it may be one of the ransomware/extortion groups.
Really serious, impacted orgs should shut down the server. Thread follows. #threatintel
I would recommend orgs who run #MoveIT Transfer do three things:
- Remove network connectivity/contain
- Check for newly created or altered .asp* files
- Retain a copy of all IIS logs and network data volume logs.
Webshells have been getting dropped. Microsoft Safety Scanner is a good tool to run. https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download
With #MoveIT Transfer, stuff I know so far:
- Huge US footprint, including US government. It's quite expensive, so mostly western enterprises.
- It's definitely a zero day, although vendor doesn't want to say it obvs.
- Every one online is still vulnerable. This includes some big banks etc.
- Webshells started being planted a few weeks ago, multiple incidents running at multiple orgs during that timeframe who detected activity.
Vendor appears pretty responsive and good so far.
More info about one of the #MoveIT webshells in this write up
YARA rule for that webshell https://github.com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara
Example file (0 AV detection still) https://www.virustotal.com/gui/file/387cee566aedbafa8c114ed1c6b98d8b9b65e9f178cf2f6ae2f5ac441082747a/summary
Just been on a quick call with industry peeps looking at what known attacker IPs were interacting with over the weekend - #MoveIT boxes in the US and SaaS.
It vuln itself allows RCE, not just webshells, so I think Mandiant and DART are gonna get some IR hours.
While I’m here - make sure MoveIT Transport is in a real DMZ. Your shit would still have been stolen but it stops them moving internally.
It looks like a significant amount of data exfiltration may have happened re #MoveIT. Another problem - it can use cloud bucket storage for data, and storage access keys got taken and need rotating: data access still possible in those situations.
There are conflicting signals re exploitation - while it’s clear a smash and grab happened at weekend, there’s signs exploit was used prior to weekend.
Kevin Beaumont
Thomas Griffiths