Effective URL: https://www.techrepublic.com/article/zero-day-moveit-vulnerability/?mkt_tok=NDM5LURGRi03MDQAAAGMWTAE_mXSeWxh_c_YWX0pqN_q1MD8y...
Submission: On June 14 via api from US — Scanned from DE

ZERO-DAY MOVEIT TRANSFER VULNERABILITY EXPLOITED IN THE WILD, HEAVILY TARGETING
NORTH AMERICA
by Cedric Pernet in Security
on June 6, 2023, 8:48 AM EDT
Read the technical details about this zero-day MoveIT vulnerability, find out
who is at risk, and learn how to detect and protect against this cybersecurity
threat.

The Cybersecurity & Infrastructure Security Agency has issued an alert about the
use of a zero-day vulnerability in MOVEit software. Exploitation of this
zero-day SQL injection vulnerability in the wild has been observed, mainly
targeting North America and including attacks from the ransomware threat actor
Lace Tempest.

MOVEit is managed file transfer software from Progress (formerly Ipswitch), an
application development and digital experience technologies provider. According
to the MOVEit site, the application is being used by thousands of organizations
around the world.

Jump to:

 * What is the zero-day MOVEit Transfer vulnerability?
 * Exploitation in the wild, particularly in North America
 * How to detect threat exploitation
 * How to mitigate this risk
 * Additional security best practices


WHAT IS THE ZERO-DAY MOVEIT TRANSFER VULNERABILITY?

This MOVEit Transfer vulnerability is a zero-day in the sense that attackers knew
of it before a patch existed; it is a SQL injection vulnerability tracked as
CVE-2023-34362. According to Progress, the company that develops the software, it
affects all versions of MOVEit Transfer. It does not affect MOVEit Automation,
MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client,
WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics or MOVEit Freely.

The vulnerability allows an unauthenticated attacker to gain access to MOVEit
Transfer's database and potentially to execute SQL statements that alter or
delete database contents.

SEE: SQL injection attacks: What IT pros need to know (TechRepublic Premium)


EXPLOITATION IN THE WILD, PARTICULARLY IN NORTH AMERICA

A blog post from Rapid7 indicates this cybersecurity company has observed
exploitation of the CVE-2023-34362 zero-day vulnerability in the wild across
multiple customer environments. According to Rapid7, a wide range of
organizations have been affected.

The active exploitation of the vulnerability by cybercriminals started at least
four days prior to the release of the security advisory from Progress.

SEE: Zero-day exploits: What IT pros need to know (TechRepublic)

More than 2,500 MOVEit Transfer instances are exposed to the internet, with more
than 1,800 of those instances being in the U.S., according to the Shodan search
engine (Figure A).

Figure A

Shodan search engine results for internet-facing MOVEit instances. Image: Shodan

Rapid7 observed the same webshell name in multiple customer environments. On
compromised systems, a webshell named human2.aspx is located in the wwwroot
folder of the MOVEit installation folder. The name was probably chosen to avoid
notice, since a legitimate file named human.aspx is the native file used by
MOVEit Transfer for its web interface.

Access to the webshell is protected by a password. Attempts to connect to the
webshell without the proper password result in the malicious code returning a
404 Not Found error.

The use of the same file name on multiple servers might indicate automated
exploitation, according to Rapid7. The targeting appears opportunistic rather
than highly targeted. The initial compromise might lead to ransomware
deployment, as file transfer solutions have been popular targets for attackers,
including ransomware threat actors.

Microsoft has confirmed the exploitation of this vulnerability via Twitter,
attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer zero-day
vulnerability to Lace Tempest, a threat actor known for ransomware operations
and for running the Clop extortion site. This threat actor exploited a
vulnerability in another managed file transfer product, GoAnywhere, earlier this
year.


HOW TO DETECT THREAT EXPLOITATION

System administrators should check for the presence of a human2.aspx file in the
wwwroot folder of their MOVEit Transfer installation.

Log files covering at least the past month should also be reviewed. Unexpected
downloads or uploads of files from unknown IP addresses should be examined
carefully.

Web server log files should be checked for any events that would include a GET
request to a human2.aspx file, as well as large numbers of log entries or
entries with large data sizes, which might indicate unexpected file downloads.
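The following script is an added example written for this article and is not code from TechRepublic, Rapid7 or Progress. It turns the two log checks described above (requests to a human2.aspx path, and entries with unusually large response sizes or unusually many entries per client) into a scan of IIS W3C extended log text, and adds a file-presence check for the webshell name. The log excerpt embedded in it is constructed for illustration, the 50 MB "large response" threshold is an assumption to be tuned per environment, and the `#Fields` column set is assumed; a real IIS log may use a different column order, which the parser handles by reading the header line rather than fixed positions.

```python
import os
from collections import Counter
from dataclasses import dataclass

WEBSHELL_NAME = "human2.aspx"             # file name reported by Rapid7
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024   # assumed threshold; tune per environment

# Constructed IIS W3C log excerpt for illustration only; IPs and sizes are made up.
# Note the first entry: a 404 on human2.aspx is still suspicious, because the
# webshell itself answers 404 when the caller does not supply its password.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes
2023-05-28 03:12:07 203.0.113.45 GET /human2.aspx - 404 1402 310
2023-05-28 03:12:09 203.0.113.45 POST /human2.aspx - 200 2215 980
2023-05-28 03:14:51 203.0.113.45 GET /human2.aspx - 200 78643200 412
2023-05-28 08:01:13 198.51.100.7 GET /human.aspx - 200 5120 290
2023-05-28 08:02:40 198.51.100.7 GET /api/v1/files/123/download - 200 204800 350
"""


@dataclass
class Finding:
    line_no: int   # 1-based line number within the log text
    reason: str
    client_ip: str
    uri: str
    size: int      # sc-bytes (bytes sent to the client)


def _to_int(value):
    """IIS writes '-' for unknown numeric fields; treat those as 0."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def parse_w3c(text):
    """Yield (line_no, record) for each data line, naming columns from the #Fields header."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header at line %d" % n)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield n, dict(zip(fields, values))


def scan_iis_log(text, large_bytes=LARGE_TRANSFER_BYTES):
    """Flag any request (regardless of method or status) to the webshell path,
    plus responses larger than large_bytes, which may indicate bulk downloads."""
    findings = []
    for n, rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        ip = rec.get("c-ip", "?")
        sent = _to_int(rec.get("sc-bytes"))
        if uri.lower().endswith("/" + WEBSHELL_NAME):
            findings.append(Finding(n, "request to webshell path", ip, uri, sent))
        elif sent >= large_bytes:
            findings.append(Finding(n, "large response size", ip, uri, sent))
    return findings


def requests_per_ip(text):
    """Request count per client; a single source with an outsized count deserves review."""
    return Counter(rec.get("c-ip", "?") for _, rec in parse_w3c(text))


def webshell_present(wwwroot):
    """True if human2.aspx sits directly in the given wwwroot folder (path is the caller's)."""
    return os.path.isfile(os.path.join(wwwroot, WEBSHELL_NAME))


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print("line %d: %s from %s %s (%d bytes)" % (f.line_no, f.reason, f.client_ip, f.uri, f.size))
    print("requests per IP:", dict(requests_per_ip(SAMPLE_LOG)))
```

On a live host, feed `scan_iis_log` the contents of the IIS log files for the MOVEit site over at least the past month, and pass the actual MOVEit wwwroot path to `webshell_present`; a match from either is a reason to start the incident response steps in the mitigation section rather than proof of compromise on its own.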

If applicable, Azure log files should be reviewed for unauthorized access to
Azure Blob Storage keys.

According to Rapid7, data exfiltration can also be identified. Where
administrators of the MOVEit Transfer software have enabled logging, the Windows
event log file C:\Windows\System32\winevt\Logs\MOVEit.evtx provides a lot of
information, including the file name, file path, file size, IP address and
username for each download. Logging is not enabled by default, but it is common
for administrators to enable it post-installation; data exfiltration can then be
seen in that event log file.

Audit logs are stored in the MOVEit database and can be queried directly or
through the software’s built-in reporting functionality. Administrators can use
those logs to generate a report of file download actions run via the software,
letting them see potential data exfiltration.


HOW TO MITIGATE THIS RISK

Progress strongly recommends immediately applying the patch it released.

If the patch cannot be applied immediately, organizations should disable all
HTTP and HTTPS traffic to the MOVEit Transfer environment so that attackers
cannot connect to it. Legitimate users will no longer be able to connect over
the web interface, but the SFTP and FTP protocols will continue working as
usual, and administrators will still be able to connect via Remote Desktop
Protocol.

If the human2.aspx file or any suspicious .cmdline script is found, it should be
deleted. Any newly created or unknown file in the MOVEit folder should be
closely analyzed; in addition, .cmdline files in any temporary folder of Windows
should be examined.

Any unauthorized user account should be removed.

Once the patch or the blocking of HTTP and HTTPS is done, administrators should
run detections as mentioned earlier and carefully look for indications of
compromise. If evidence is found, the service account credentials should be
reset.

Continuous monitoring should be applied for any of the indicators of compromise
provided by Progress.


ADDITIONAL SECURITY BEST PRACTICES

While not specific to the CVE-2023-34362 vulnerability, Progress indicates that
administrators should enable multifactor authentication on MOVEit Transfer. In
addition, remote access policies should be updated to allow only known and
trusted IP addresses. Finally, user accounts should be reviewed carefully so that
only authorized accounts can access the service.

Disclosure: I work for Trend Micro, but the views expressed in this article are
mine.

Cedric Pernet
Published: June 6, 2023, 8:48 AM EDT. Modified: June 12, 2023, 3:23 PM EDT.
By Cedric Pernet
Cedric Pernet is a threat expert with a strong focus on cybercrime and
cyberespionage. He currently works at Trend Micro as a senior threat researcher.