Experts Blog

MOVEit File Transfer Tool Hack: The Basics 

On June 1, Progress Software (Progress) announced it had identified a vulnerability in its MOVEit File Transfer Tool. The vulnerability allowed cybercriminals to exploit a critical SQL injection that could lead to escalated privileges and potential unauthorized access to the environment. Progress has since released fixes for the affected versions of MOVEit and is currently recommending organizations disable any web traffic to MOVEit until all patches are applied.

The MOVEit File Transfer tool is widely used by organizations – including many federal and state government agencies as well as major corporations – to share large files and data sets over the internet. In recent years, cybercriminals and cyber gangs have increasingly targeted file transfer software. In January 2023, for example, the Russa-linked ransomware gang, Cl0p, claimed responsibility for exploiting a vulnerability in Fortra’s GoAnywhere file transfer service.

MOVEit File Transfer Tool Vulnerability: Impact of the Vulnerability

Currently, it is unclear when the exploitation began but some activity suggests early March. There are are an estimated 2,500 instances of the MOVEit tool running online, but Progress has not disclosed the organizations currently using MOVEit. To that end, it is important for any organization that currently uses or has used MOVEit in the past to prepare for a potential extortion or publication of stolen data. In the United Kingdom, payroll provider, Zellis, recently shared that eight of its corporate customers, including the BBC and British Airways, were affected by this vulnerability.

MOVEit File Transfer Tool Vulnerability: What You Can Do 

Progress has released the following mitigation steps your organization can adopt while the software company works on a permanent patch for the MOVEit file transfer tool.

• Disable all HTTP and HTTPs traffic to their MOVEit Transfer environment by modifying firewall rules to deny HTTP and HTTPs traffic on ports 80 and 443 until the patch can be applied.

• Delete unauthorized files and user accounts while also resetting any service account credentials for affected systems.

• Verify and confirm deletion after deleting the files and no unauthorized accounts remain.

• Apply any relevant patches as they become available.

Finally, as with any other evolving cybersecurity threat, organizations must continue to regularly conduct cybersecurity assessments, enable multi-factor authentication on all software, train all employees in identifying suspicious cybersecurity activities, and maintain the latest, most up-to-date software and patches.

How Fortalice Can Help 

Corporate file-transfer tools are increasingly becoming an attractive target for cybercriminals and by exploiting a vulnerability they can steal the data of multiple victims. Fortalice stands ready to help you and your organization. Our team is here to help you continue to create operational efficiencies for your employees without providing would-be cybercriminals with additional vectors to launch successful attacks. Here are our top 8 tips that we have compiled based upon reviewing the information related to this issue:

Stay vigilant: Be aware that hackers are actively exploiting a zero-day vulnerability in MOVEit Transfer software, and it's crucial to take immediate action to protect your organization.

Update and patch: Install the latest patches provided by Progress Software for your MOVEit Transfer version. This will address the critical vulnerability and help secure your environment.

Act swiftly: Don't delay in shutting down any MOVEit Transfers until a thorough investigation is conducted to ensure there has been no compromise. Prioritize security before bringing the server live again.

Fortify web-facing security: Block external traffic to ports 80 and 443 on the MOVEit Transfer server to prevent external access to the web user interface. Although this may affect some functionalities, it is essential for mitigating the vulnerability.

Monitor for unusual files: Regularly check the 'c:\MOVEit Transfer\wwwroot' folder for unexpected files, including backups or large downloads. These could indicate a potential breach or ongoing data theft.

Implement strong passwords: Ensure that your MOVEit Transfer environment and related accounts have strong, unique passwords. Consider using password managers and enforcing password policies across your organization.

Enhance network monitoring: Implement robust monitoring solutions to detect and track any suspicious activities within your MOVEit Transfer environment. Promptly investigate any potential security incidents.

Stay informed and collaborate: Stay updated on the latest developments regarding the vulnerability and work closely with your local FBI cyber team as well as your security professionals, vendors, and industry peers to share information and best practices.

If you need additional assistance, the Fortalice team stands ready to assist you in assessing your current risk and road mapping your organization’s future cybersecurity posture. You can reach the Fortalice team at watchmen@fortalicesolutions.com.

‍

Stay up to date with recent information and patches from Progress Software in their Critical Vulnerability Status Documentation.