MOVEit is managed file transfer software originally produced by Ipswitch, Inc., now part of Progress Software. MOVEit encrypts files at rest and moves them over secure file transfer protocols, with automation, analytics and failover options. If you are a MOVEit customer, you want to be aware of a critical vulnerability that is being actively exploited. Here is the warning from Rapid7. They also have a blog post with more details.
Information about this vulnerability is evolving quickly. We will update our blog with further information as it becomes available.
Rapid7 managed services teams are continuing to investigate compromises stemming from exploitation of CVE-2023-34362, a critical vulnerability in Progress Software’s MOVEit Transfer solution that allows unauthenticated attackers to gain unauthorized access to the application’s database. Please note: It is critical that MOVEit customers capture application log data before wiping or restoring the application from an earlier backup.
Rapid7 incident response consultants have identified a method to determine which data was exfiltrated from compromised MOVEit environments, which we have detailed in full in our blog. Affected organizations and incident responders can use this information to identify which data and how much was exfiltrated, which may also aid in meeting regulatory compliance standards where applicable.
Our teams have observed indicators of compromise dating back to at least May 27, 2023 — four days before the vulnerability was disclosed and patched. Rapid7 has confirmed that data was exfiltrated from compromised MOVEit customer environments as early as May 28, 2023.
Mitigation guidance
Fixed versions of MOVEit Transfer are available. MOVEit Transfer customers should prioritize mitigation on an emergency basis, invoking emergency incident response procedures if any indicators of compromise are discovered. Per the MOVEit advisory published on May 31, 2023, organizations should look for indicators of compromise dating back at least a month.
Rapid7 Customers
An authenticated vulnerability check is available to InsightVM and Nexpose customers as of the June 1, 2023 content release.
The following rules have been added for Rapid7 InsightIDR and Managed Detection and Response (MDR) customers:
- Suspicious Web Request – Webshell Related To MOVEit Exploit
- Suspicious Process – MOVEit Transfer Exploitation
A Velociraptor artifact is also available to assist with threat hunting.
For more information and updates, check out our blog.
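The warning above stresses capturing application log data before the host is wiped or restored, and looking back at least a month for indicators of compromise. The following PowerShell script is an added example of how an administrator might do that preservation step on a MOVEit Transfer host; it is not Rapid7's or Progress Software's tooling and is not from the original page. It assumes the default MOVEit Transfer log directory (C:\MOVEitTransfer\Logs) and the default IIS log directory (C:\inetpub\logs\LogFiles); both are parameters, so adjust them to your installation. Run it as Administrator, and write the evidence to a volume that will not be wiped with the application.

```powershell
<#
.SYNOPSIS
  Preserve MOVEit Transfer application and IIS log data before the host is
  wiped or restored from backup.

  Added example, not Rapid7's or Progress Software's code.
  Assumed defaults (override with parameters if your install differs):
    - MOVEit Transfer logs: C:\MOVEitTransfer\Logs
    - IIS logs:             C:\inetpub\logs\LogFiles
#>
[CmdletBinding()]
param(
    [string[]]$SourceDirs   = @('C:\MOVEitTransfer\Logs', 'C:\inetpub\logs\LogFiles'),
    [string]  $EvidenceRoot = 'D:\Evidence',   # separate volume; do not store evidence on the disk you are about to wipe
    [int]     $LookbackDays = 35               # advisory says look back at least a month; 35 gives a margin
)

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$caseDir = Join-Path $EvidenceRoot "moveit-$($env:COMPUTERNAME)-$stamp"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Copy everything with timestamps preserved (/COPY:DAT) and without modifying the source.
# Copy all files, not only the lookback window: rotated or tampered-with logs are
# exactly what responders will want to compare against.
foreach ($src in $SourceDirs) {
    if (-not (Test-Path -LiteralPath $src)) {
        Write-Warning "Source not found, skipping: $src"
        continue
    }
    $dest = Join-Path $caseDir ($src -replace '[:\\]', '_')
    robocopy $src $dest /E /COPY:DAT /R:1 /W:1 /NP /LOG+:"$caseDir\robocopy.log" | Out-Null
    # robocopy exit codes 0-7 are success variants; 8 and above mean some files failed to copy
    if ($LASTEXITCODE -ge 8) {
        Write-Warning "robocopy reported failures for $src (exit code $LASTEXITCODE)"
    }
}

# Hash manifest: SHA-256 of every preserved file, so the collection can later be
# shown to be unmodified (chain of custody).
$manifest = Join-Path $caseDir 'SHA256SUMS.txt'
Get-ChildItem -Path $caseDir -Recurse -File |
    Where-Object { $_.FullName -ne $manifest } |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { '{0}  {1}' -f $_.Hash, $_.Path } |
    Set-Content -Path $manifest -Encoding ASCII

# Triage aid: list the IIS W3C log files (u_ex*.log by default) whose last write
# falls inside the hunting window, so responders know where to start.
$cutoff = (Get-Date).AddDays(-$LookbackDays)
Get-ChildItem -Path $caseDir -Recurse -File -Filter 'u_ex*.log' |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    Select-Object FullName, LastWriteTime, Length |
    Export-Csv -Path (Join-Path $caseDir 'iis-logs-in-window.csv') -NoTypeInformation

# Record the installed MOVEit product version at collection time, so it is clear
# whether the host was on a fixed build when the evidence was taken.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*MOVEit*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate |
    Export-Csv -Path (Join-Path $caseDir 'installed-moveit.csv') -NoTypeInformation

Write-Host "Evidence preserved under $caseDir (manifest: $manifest)"
```

The script deliberately copies rather than moves, and never writes into the source directories; robocopy's /COPY:DAT keeps the original data, attributes and timestamps so that log file modification times remain usable as evidence. Keep the SHA256SUMS.txt manifest with the archive; re-running Get-FileHash against the copy later should reproduce it exactly.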