Yet more MOVEit mayhem!
“Disable HTTP and HTTPS traffic to MOVEit Transfer,” says Progress Software, and the timeframe for doing so is “immediately”, no ifs, no buts.
Progress Software is the maker of file-sharing software MOVEit Transfer, and the hosted MOVEit Cloud alternative that’s based on it, and this is its third warning in three weeks about hackable vulnerabilities in its product.
At the end of May 2023, cyberextortion criminals associated with the Clop ransomware gang were found to be using a zero-day exploit to break into servers running the MOVEit product’s web front-end.
By sending deliberately malformed SQL database commands to a MOVEit Transfer server via its web portal, the criminals could access database tables without needing a password, and implant malware that allowed them to return to compromised servers later on, even if they’d been patched in the meantime.
The attackers have apparently been stealing trophy company data, such as employee payroll details, and demanding blackmail payments in return for “deleting” the stolen data.
We explained how to patch, and what you could look for in case the crooks had already paid you a visit, back at the start of June 2023:
That warning was followed, last week, by an update from Progress Software.
While investigating the zero-day hole that they’d just patched, Progress developers uncovered similar programming flaws elsewhere in the code.
The company therefore published a further patch, urging customers to apply this new update proactively, assuming that the crooks (whose zero-day had just been rendered useless by the first patch) would also be keenly looking for other ways to get back in.
Unsurprisingly, bugs of a feather often flock together, as we explained in this week’s Naked Security podcast:
[On 2023-06-09, Progress put] another patch out to deal with similar bugs that, as far as they know, the crooks haven’t found yet (but if they look hard enough, they might).
And, as weird as that sounds, when you find that a particular part of your software has a bug of a particular sort, you shouldn’t be surprised if, when you dig deeper…
…you find that the programmer (or the programming team who worked on it at the time that the bug you already know about got introduced) committed similar errors around the same time.
Third time unlucky
Well, lightning has apparently just struck the same place for the third time in quick succession.
This time, it seems as though someone performed what’s known in the jargon as a “full disclosure” (where bugs are revealed to the world at the same time as to the vendor, thus giving the vendor no breathing room to publish a patch proactively), or “dropping an 0-day”.
Progress has just reported:
Today [2023-06-15], a third-party publicly posted a new [SQL injection] vulnerability. We have taken HTTPS traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPS traffic to safeguard their environments while the patch is finalized. We are currently testing the patch and we will update customers shortly.
Simply put, there’s a brief zero-day period during which a working exploit is circulating, but the patch isn’t ready yet.
As Progress has mentioned before, this group of so-called command injection bugs (where you send in what ought to be harmless data that later gets invoked as a server command) can only be triggered via MOVEit’s web-based portal, using HTTP or HTTPS requests.
Fortunately, that means you don’t need to shut down your entire MOVEit system, only web-based access.
What to do?
Quoting from Progress Software’s advice document dated 2023-06-15:
Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically:
- Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.
- It is important to note that until HTTP and HTTPS traffic is enabled again:
  - Users will not be able to log on to the MOVEit Transfer web UI.
  - MOVEit Automation tasks that use the native MOVEit Transfer host will not work.
  - REST, Java and .NET APIs will not work.
  - MOVEit Transfer add-in for Outlook will not work.
- SFTP and FTP/s protocols will continue to work as normal.
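As an added example (not taken from the Progress advisory or from Sophos), here is one way to carry out the firewall step above on a Windows server running MOVEit Transfer and then confirm that only the web ports are closed, using the built-in Windows Defender Firewall cmdlets. The rule name, the host name and the SFTP port (TCP 22) are assumptions chosen for the example.

```powershell
# Added example: temporarily block inbound HTTP/HTTPS to the MOVEit Transfer
# host while leaving SFTP and FTPS untouched. Run the first part elevated on
# the server itself. Rule name and host name are placeholders.
$ruleName   = 'MOVEit Transfer - block web portal (temporary)'
$moveitHost = 'moveit.example.internal'   # placeholder, not a real host

# Block rules take precedence over allow rules in Windows Defender Firewall,
# so this overrides the existing IIS/World Wide Web Services allow rules
# without having to find and disable each one.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 `
    -Action Block -Profile Any -Enabled True | Out-Null

# Verification: run this part from ANOTHER machine on the network. A host
# firewall does not filter the server's connections to itself, so testing
# from the MOVEit box would give a false "still open" result.
$checks = @(
    @{ Port = 80;  ExpectOpen = $false; Label = 'HTTP'  },
    @{ Port = 443; ExpectOpen = $false; Label = 'HTTPS' },
    @{ Port = 22;  ExpectOpen = $true;  Label = 'SFTP'  }   # assumed SFTP port
)
foreach ($c in $checks) {
    $r  = Test-NetConnection -ComputerName $moveitHost -Port $c.Port `
              -WarningAction SilentlyContinue
    $st = if ($r.TcpTestSucceeded) { 'OPEN' } else { 'blocked' }
    $ok = if ($r.TcpTestSucceeded -eq $c.ExpectOpen) { 'OK' } else { 'UNEXPECTED' }
    '{0,-5} tcp/{1,-3} {2,-8} {3}' -f $c.Label, $c.Port, $st, $ok
}

# Once the vendor patch is installed and you are ready to reopen the portal:
#   Disable-NetFirewallRule -DisplayName $ruleName
# (or Remove-NetFirewallRule -DisplayName $ruleName to delete it outright).
```

If your MOVEit web portal listens on ports other than 80 and 443, or the block is applied at a perimeter firewall rather than on the host, adjust the port list and run the same port checks against that path.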
Keep your eyes out for the third patch in this saga, at which point we assume that Progress will give the all-clear to turn web access back on…
…though we’d sympathise if you decided to keep it turned off for a while longer, just to be sure, to be sure.
THREAT HUNTING TIPS FOR SOPHOS CUSTOMERS