New MOVEit Transfer zero-day mass-exploited in data theft attacks

Hackers are actively exploiting a zero-day vulnerability in the MOVEit Transfer file transfer software to steal data from organizations.

MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch, a subsidiary of US-based Progress Software Corporation, that allows the enterprise to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.

Progress MOVEit Transfer is offered as an on-premise solution managed by the customer and a cloud SaaS platform managed by the developer.

According to Progress, MOVEit is used by thousands of enterprises, including Chase, Disney, GEICO, and MLB, as well as 1,700 software companies and 3.5 million developers.

Zero-day mass-exploited to steal data

BleepingComputer has learned that threat actors have been exploiting a zero-day in the MOVEit MFT software to perform mass downloading of data from organizations.

It is unclear when the exploitation occurred and which threat actors are behind the attacks, but BleepingComputer has been told that numerous organizations have been breached and data stolen.

Yesterday, Progress released a security advisory warning customers of a "Critical" vulnerability in MOVEit MFT, offering mitigations while a patch is tested.

"Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment," reads a security advisory from Progress.

"If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch."

As a patch is unavailable while it is being tested, Progress has released mitigations that MOVEit admins can use to secure their installations.

To prevent exploitation, the developers warn admins to block external traffic to ports 80 and 445 on the MOVEit server.

Progress warns that blocking these ports will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Outlook MOVEit plugin from working.

However, SFTP and FTP/s protocols can continue to be used to transfer files.

The developers also warn admins to check the 'c:\MOVEit Transfer\wwwroot\' folder for unexpected files, including backups or large file downloads.

Based on the information learned by BleepingComputer, large downloads or unexpected backups are likely indicators that the threat actors have stolen data or are in the process of doing so.

No information about the zero-day vulnerability has been released. However, based on the ports blocked and the specified location to check for unusual files, the flaw is likely a web-facing vulnerability.

Until a patch is released, it is strongly advised that organizations shut down any MOVEit Transfers and perform a thorough investigation for compromise before applying the patch and bringing the server live again.

Extortion has not begun

While Progress has not stated that the vulnerability is being actively exploited, BleepingComputer is aware of numerous organizations that have had data stolen using the zero-day.

At this time, the threat actors have not begun extorting victims, so it is unclear who is behind the attacks.

However, the exploitation is very similar to the January 2023 mass exploitation of a GoAnywhere MFT zero-day and the December 2020 zero-day exploitation of Accellion FTA servers.

Both of these products are managed file transfer platforms that were heavily exploited by the Clop ransomware gang to steal data and extort organizations.

BleepingComputer has contacted Progress to learn more about the attacks, but a reply was not immediately available.