CISA Advises Customers of Progress Software to MOVEit
By: Jim Stickley and Tina Davis
June 8, 2023
Progress Software's MOVEit Transfer, a managed file transfer application, has been extensively exploited due to a critical vulnerability, according to Huntress and Rapid7. The vulnerability, identified as CVE-2023-34362, is a severe SQL injection flaw that can result in escalated privileges and unauthorized access to systems.
According to reports, approximately 2,500 instances of MOVEit Transfer were exposed to the public internet as of May 31, 2023, with a majority of them located in the United States. Exploiting this vulnerability allows attackers to deploy a web shell named "human2.aspx" in the "wwwroot" directory, enabling them to exfiltrate various data stored by the local MOVEit service. The attack chain also involves creating new admin user account sessions named "Health Check Service" to evade detection.
As a result, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert urging users and organizations to take mitigation steps to protect against malicious activity. Recommendations include isolating affected servers by blocking inbound and outbound traffic, inspecting environments for possible indicators of compromise (IoCs), and removing any that are found before applying the fixes.
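As an added example (not code from the article, from Progress Software or from CISA), the following Python sweep checks for the two indicators named above: a file called human2.aspx under wwwroot, and log entries that request that path or mention a "Health Check Service" session. The log format, sample lines and temporary directory layout are constructed assumptions; human.aspx is included as the legitimate page whose name the web shell mimics.

```python
import os
import re
import tempfile
WEBSHELL_NAME = "human2.aspx"                # web shell file name reported in the advisory
SUSPICIOUS_SESSION = "Health Check Service"  # session/account name reported in the advisory

# Constructed sample log lines in a hypothetical IIS-style format; not real MOVEit output.
SAMPLE_LOG_LINES = [
    "2023-05-28 03:12:41 POST /api/v1/token - 443 - 203.0.113.9 - 200",
    "2023-05-28 03:12:44 GET /human2.aspx - 443 - 203.0.113.9 - 200",
    "2023-05-28 03:12:45 audit: session created for user 'Health Check Service'",
    "2023-05-28 09:00:02 GET /human.aspx - 443 - 198.51.100.20 - 200",
]

def find_webshell_files(wwwroot):
    """Walk wwwroot and return every file whose name matches the reported web shell."""
    return sorted(os.path.join(root, f) for root, _d, files in os.walk(wwwroot)
                  for f in files if f.lower() == WEBSHELL_NAME)

def find_log_indicators(lines):
    """Return log lines that request the web shell path or mention the suspicious session name."""
    shell_re = re.compile("/" + re.escape(WEBSHELL_NAME) + r"\b", re.IGNORECASE)
    session_re = re.compile(re.escape(SUSPICIOUS_SESSION), re.IGNORECASE)
    return [ln for ln in lines if shell_re.search(ln) or session_re.search(ln)]

def build_sample_wwwroot(base):
    """Create a constructed wwwroot: the legitimate human.aspx beside a planted human2.aspx."""
    root = os.path.join(base, "wwwroot")
    os.makedirs(root, exist_ok=True)
    for name in ("human.aspx", "human2.aspx"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<%@ Page %>\n")  # placeholder content only
    return root

def sweep(wwwroot, lines):
    """Run both checks; any hit calls for isolating the server and starting IR, per CISA's guidance."""
    return {"webshell_files": find_webshell_files(wwwroot),
            "log_indicators": find_log_indicators(lines)}

def run_sample_sweep():
    """Sweep the constructed wwwroot and sample log lines from a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return sweep(build_sample_wwwroot(tmp), SAMPLE_LOG_LINES)

if __name__ == "__main__":
    for key, items in run_sample_sweep().items():
        print(f"{key}: {len(items)} hit(s)")
        for item in items:
            print("   ", item)
```

On a real host the same two functions would be pointed at the MOVEit wwwroot and at exported web and audit logs; matching on the exact file name is a minimum check, not a substitute for the full IoC list in the advisory.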
Threat actors targeting enterprise file transfer systems have been focusing on various industries across countries such as Canada, India, the United States, Italy, Pakistan, and Germany. These attacks have proven to be lucrative for stealing critical data from multiple victims simultaneously. While the exact motives behind these attacks are unclear, they could potentially involve extortion. Consequently, victim organizations should anticipate the possibility of receiving extortion email messages in the near future.
Dealing with cyber extortion threats can be a stressful and challenging situation. Here are some tips to help handle such threats:
- Stay calm and assess the situation: It's important to remain composed and evaluate the credibility and severity of the threat before taking any action. Sometimes, cyber extortion threats may turn out to be empty claims.
- Preserve evidence: Keep records of any communication or evidence related to the extortion attempt. This can be useful for law enforcement agencies and cybersecurity experts in investigating the incident.
- Do not engage or negotiate with the attackers: Avoid responding to the threat or engaging in any form of negotiation with the extortionist. Responding can encourage further extortion attempts and may not guarantee a resolution.
- Contact law enforcement: Report the incident to your local law enforcement agency or cybercrime unit. Provide them with all available evidence and details about the extortion attempt.
- Inform your organization or superiors: If the extortion attempt targets your workplace or involves company data, inform your organization's IT department or management about the incident. They can take appropriate steps to safeguard the organization's interests.
- Strengthen security measures: Review and enhance your cybersecurity practices. This may include implementing stronger access controls, regularly updating software and systems, educating employees about phishing and social engineering threats, and using robust encryption and backup mechanisms.
Remember, prevention is key. By adopting proactive cybersecurity measures and educating yourself and your organization about potential threats, you can reduce the risk of falling victim to cyber extortion attempts.