TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: Cybersecurity research company Rapid7 issued a report (weblink below) regarding the active exploitation of a critical zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution across multiple customer environments. In particular, Rapid7 noted that it observed many instances of exploitation of the vulnerability in multiple customer environments in conjunction with the use of the webshell X-siLock-Comment, which may indicate automated exploitation. Rapid7 also disclosed that “as of June 1, 2023, all instances of Rapid7-observed MOVEit Transfer exploitation involved the presence of the file human2.aspx (the native aspx file used by MOVEit for the web interface) in the wwwroot folder of the MOVEit install directory.” Progress Software, the parent company of MOVEit, issued its own advisory (weblink below) in which the company requests that customers check for indications of unauthorized access in the past 30 days. This advisory suggests that the vulnerability may have been exploited prior to its initial disclosure. Additionally, CISA issued a statement urging users and organizations to review the MOVEit advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.
Rapid7 Report: hxxps://www.rapid7[.]com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
Progress Software Advisory: hxxps://community.progress[.]com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
NYSIC CAU Analyst Note: The attack on MOVEit is the latest event this year involving a popular file transfer tool used by large organizations. In February, ransomware groups exploited a vulnerability affecting Fortra’s GoAnywhere MFT file-transfer product. The governments of Toronto and Tasmania were affected by that incident, alongside corporate giants such as Procter & Gamble, Virgin, and Hitachi. The ransomware group behind that exploitation, the Cl0p gang, was also behind a widespread attack on another file transfer tool in 2021. The malicious actors behind Cl0p targeted the Accellion file transfer tool to steal data from some of the biggest companies and schools in the world, including the University of Colorado, Kroger, Morgan Stanley, and Shell.
To aid in threat mitigation and network defense, a YARA rule to detect IOCs can be found on GitHub:
hxxps://github[.]com/AhmetPayaslioglu/YaraRules/blob/main/MOVEit_Transfer_Critical_Vulnerability.yara
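As a complement to the YARA rule, the following hunt helper is an added example (not from Rapid7, Progress, or the GitHub rule above) that checks the two indicators the summary names: the presence of human2.aspx under wwwroot and .aspx files written inside the 30-day review window. It assumes the operator supplies the wwwroot path of the MOVEit install; the sample directory tree is constructed here only so the script runs offline.

```python
# Added hunt helper (not from the advisory); wwwroot path is the operator's, sample tree below is constructed.
import os
import shutil
import tempfile
import time
from pathlib import Path

WEBSHELL_NAME = "human2.aspx"  # file Rapid7 tied to every observed exploitation
LOOKBACK_DAYS = 30             # review window Progress asks customers to check

def hunt_wwwroot(wwwroot, now=None, lookback_days=LOOKBACK_DAYS):
    """Return sorted relative paths: 'webshell' for human2.aspx (any case),
    'recent_aspx' for other .aspx files modified inside the lookback window."""
    root = Path(wwwroot)
    now = time.time() if now is None else now
    cutoff = now - lookback_days * 86400
    findings = {"webshell": [], "recent_aspx": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == WEBSHELL_NAME:
            findings["webshell"].append(rel)
        elif path.suffix.lower() == ".aspx" and path.stat().st_mtime >= cutoff:
            findings["recent_aspx"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}

def build_sample_tree(root):
    """Constructed wwwroot: a legacy page dated 400 days back (outside the
    window), a recently written .aspx, and the human2.aspx indicator file."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    legacy = root / "legacy_page.aspx"
    legacy.write_text("<%-- constructed benign page --%>")
    stale = time.time() - 400 * 86400
    os.utime(legacy, (stale, stale))  # push mtime outside the 30-day window
    (root / "uploaded_recent.aspx").write_text("<%-- constructed recent page --%>")
    (root / "human2.aspx").write_text("<%-- constructed indicator file --%>")
    return root

def demo_findings():
    """Hunt over the constructed tree in a temp directory and return findings."""
    tmp = tempfile.mkdtemp()
    try:
        return hunt_wwwroot(build_sample_tree(Path(tmp) / "wwwroot"))
    finally:
        shutil.rmtree(tmp, ignore_errors=True)

if __name__ == "__main__":
    print(demo_findings())  # {'webshell': ['human2.aspx'], 'recent_aspx': ['uploaded_recent.aspx']}
```

On a real host, call hunt_wwwroot() with the wwwroot folder of the MOVEit install directory and treat any hit in either list as a lead to investigate, not a confirmed compromise on its own.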
This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – County Information Contacts
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.