Yet more MOVEit mayhem!
“Disable HTTP and HTTPS traffic to MOVEit Transfer,” says Progress Software, and the timeframe for doing so is “immediately”, no ifs, no buts,
Progress Software is the maker of file-sharing software MOVEit Transfer, and the hosted MOVEit Cloud alternative that’s based on it, and this is its third warning in three weeks about hackable vulnerabilities in its product.
At the end of May 2023, cyberextortion criminals associated with the Clop ransomware gang were found to be using a zero-day exploit to break into servers running the MOVEit product’s web front-end.
By sending deliberately malformed SQL database commands to a MOVEit Tranfer server via its web portal, the criminals could access database tables without needing a password, and implant malware that allowed them to return to compromised servers later on, even if they’d been patched in the interim.
We explained how to patch, and what you could look for in case the crooks had already paid you a visit, back at the start of June 2023:
MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…
The attackers have apparently been stealing trophy company data, such as employee payroll details, and demanding blackmail payments in reurn for “deleting” the stolen data.
Second warning
That warning was followed, last week, by an update from Progress Software to say that, while investigating the zero-day hole that they’d already patched, they found similar programming flaws elsewhere in the code.
The company therefore published a further patch, urging customers to apply these new fixes proactively, assuming that the crooks (whose zero-day had just been rendered useless by the first patch) would also be keenly looking for other ways to get back in.
More MOVEit mitigations: new patches published for further protection
Unsurprisingly, bugs of a feather often flock together, as we explained in this week’s Naked Security podcast:
[On 2023-06-09, Progress put] another patch out to deal with similar bugs that, as far as they know, the crooks haven’t found yet (but if they looked hard enough, they might).
And, as weird as that sounds, when you find that a particular part of your software has a bug of a particular sort, you shouldn’t be surprised if, when you dig deeper…
…you find that the programmer (or the programming team who worked on it at the time that the bug you already know about got introduced) committed similar errors around the same time.
Third time unlucky
Well, lightning has apparently just struck the same place for the third time in quick succession.
This time, it seems as though someone performed what’s known in the jargon as a “full disclosure” (where bugs are revealed to the world at the same time as to the vendor, thus giving the vendor no breathing room to publish a patch proactively), or “dropping an 0-day”.
Progress has just reported:
Today [2023-06-15], a third-party publicly posted a new [SQL injection] vulnerability. We have taken HTTPS traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPS traffic to safeguard their environments while the patch is finalized. We are currently testing the patch and we will update customers shortly.
Simply put, there’s a brief zero-day period during which a working exploit is circulating, but the patch isn’t ready yet.
As Progress has mentioned before, this group of so-called command injection bugs (where you send in what ought to be harmless data that later gets invoked as a system command) can only be triggered via MOVEit’s web-based (HTTP or HTTPS) portal.
Fortunately, that means you don’t need to shut down your entire MOVEit system, only web-based access.
What to do?
Quoting from Progress Software’s advice document dated 2023-06-15:
Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. More specifically:
- Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443.
- It is important to note that until HTTP and HTTPS traffic is enabled again:
- Users will not be able to log on to the MOVEit Transfer web UI.
- MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
- REST, Java and .NET APIs will not work.
- MOVEit Transfer add-in for Outlook will not work.
- SFTP and FTP/s protocols will continue to work as normal
Keep your eyes out for the third patch in this saga, at which point we assume that Progress will give the all-clear to turn web access back on…
…though we’d sympathise if you decided to keep it turned of for a while longer, just to be sure, to be sure.
- SEO Powered Content & PR Distribution. Get Amplified Today.
- EVM Finance. Unified Interface for Decentralized Finance. Access Here.
- Quantum Media Group. IR/PR Amplified. Access Here.
- PlatoAiStream. Web3 Data Intelligence. Knowledge Amplified. Access Here.
- Source: https://nakedsecurity.sophos.com/2023/06/15/moveit-mayhem-3-disable-http-and-https-traffic-immediately/
- :has
- :is
- :not
- :where
- 1
- 15%
- 2023
- 25
- 80
- a
- Able
- About
- Absolute
- access
- again
- All
- already
- also
- alternative
- an
- and
- Another
- APIs
- Apply
- ARE
- around
- AS
- associated
- At
- author
- auto
- Automation
- back
- background-image
- based
- BE
- been
- before
- Blackmail
- border
- Bottom
- breach
- Break
- breathing
- Bug
- bugs
- but
- by
- CAN
- case
- Center
- circulating
- Cloud
- code
- color
- committed
- company
- Compromised
- continue
- could
- cover
- Criminals
- Currently
- Customers
- cyberextortion
- data
- data breach
- Database
- dated
- deal
- decided
- demanding
- details
- DIG
- Display
- do
- doing
- Dont
- down
- during
- elsewhere
- Employee
- enabled
- end
- enough
- Entire
- Environment
- environments
- Errors
- Even
- explained
- Exploit
- Eyes
- far
- finalized
- Find
- firewall
- First
- flaws
- Flock
- followed
- For
- found
- from
- further
- Gang
- Gangs
- get
- Give
- Giving
- Group
- had
- Hard
- Have
- height
- Hole
- host
- hosted
- hover
- How
- How To
- http
- HTTPS
- if
- immediately
- important
- in
- into
- introduced
- invoked
- IT
- ITS
- jargon
- Java
- june
- just
- Keep
- Know
- known
- Last
- later
- left
- light
- lightning
- like
- log
- longer
- Look
- looked
- looking
- maker
- malware
- Margin
- max-width
- May..
- means
- mentioned
- might
- more
- Naked Security
- native
- Need
- needing
- net
- New
- newly
- no
- normal
- of
- often
- on
- only
- or
- Other
- out
- Outlook
- paid
- part
- particular
- Password
- Patch
- Patches
- Paul
- payments
- Payroll
- performed
- period
- Place
- plato
- Plato Data Intelligence
- PlatoData
- Point
- Portal
- position
- posted
- Posts
- Product
- Programmer
- Programming
- Progress
- protocols
- publicly
- publish
- published
- put
- Quick
- RAIN
- ransomware
- ready
- relative
- return
- Revealed
- right
- Room
- rules
- running
- saga
- same
- say
- says
- security
- seems
- send
- sending
- Servers
- Shortly
- Shut down
- similar
- So
- Software
- solid
- Someone
- specifically
- start
- stolen
- such
- surprised
- SVG
- system
- Take
- taken
- tasks
- team
- Testing
- that
- The
- the world
- their
- Them
- therefore
- These
- they
- Third
- third-party
- this
- though?
- three
- Through
- time
- timeframe
- to
- together
- top
- traffic
- transfer
- transition
- transparent
- triggered
- TURN
- Turned
- ui
- until
- Update
- urging
- URL
- use
- used
- using
- vendor
- via
- Visit
- Vulnerabilities
- vulnerability
- warning
- was
- ways
- we
- web
- web-based
- week
- Weeks
- were
- What
- when
- which
- while
- WHO
- whose
- why
- width
- will
- with
- without
- Work
- worked
- working
- world
- would
- yet
- You
- Your
- zephyrnet
![S3 Ep91: CodeRed, OpenSSL, Java bugs and Office macros [Podcast + Transcript] PlatoBlockchain Data Intelligence. Vertical Search. Ai.](http://platoblockchain.com/wp-content/uploads/2022/07/nsp-1200-300x157.png "S3 Ep91: CodeRed, OpenSSL, Java bugs and Office macros [Podcast + Transcript]")
![S3 Ep 126: The price of fast fashion (and feature creep) [Audio + Text]](http://platoblockchain.com/wp-content/uploads/2023/03/s3-ep-126-the-price-of-fast-fashion-and-feature-creep-audio-text-300x156.png "S3 Ep 126: The price of fast fashion (and feature creep) [Audio + Text]")