Progress MOVEit Transfer Critical Vulnerability Actively Exploited
TLP:WHITE
On June 1, 2023, NHS published a critical vulnerability bulletin focused on the Progress MOVEit File Transfer (MFT) product.
Progress discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.
BleepingComputer reported the vulnerability is actively being exploited by threat actors.
As a patch is currently unavailable, Progress has released mitigations that MOVEit admins can use to secure their installations.
Security recommendations and guidance from Progress to mitigate the vulnerability are available here.
If you are a MOVEit Transfer customer, it is extremely important that you take immediate action to help protect your MOVEit Transfer environment while the Progress team produces a patch.
The vulnerability in MOVEit Transfer is especially concerning because it could be used to exfiltrate large datasets prior to extortion by threat actors seeking to monetize the exploit.
To help prevent unauthorized access to your MOVEit Transfer environment, Progress strongly recommends that you immediately apply the following mitigation measures.
Step 1:
Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. More specifically:
- Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. If you require additional support, please immediately contact Progress Technical Support by opening a case via https://community.progress.com/s/supportlink-landing.
- It is important to note that until HTTP and HTTPS traffic is enabled again:
  - Users will not be able to log on to the MOVEit Transfer web UI
  - MOVEit Automation tasks that use the native MOVEit Transfer host will not work
  - REST, Java and .NET APIs will not work
  - MOVEit Transfer add-in for Outlook will not work
- Please note: SFTP and FTP/s protocols will continue to work as normal
As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/. For more information on localhost connections, please refer to MOVEit Transfer Help: https://docs.progress.
Step 2:
Check for the following potential indicators of unauthorized access over at least the past 30 days:
- Creation of unexpected files in the c:\MOVEit Transfer\wwwroot folder on all your MOVEit Transfer instances (including backups)
- Unexpected and/or large file downloads
If you do notice any of the indicators noted above, please immediately contact your security and IT teams and open a ticket with Progress Technical Support at: https://community.
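One way to run the Step 2 file check on a MOVEit Transfer host, as an added PowerShell example that is not from Progress or the original alert. The parameter names, the report path and the optional baseline CSV (columns RelativePath and SHA256, taken from a known-good installation) are assumptions; the default folder is the wwwroot path named in Step 2.

```powershell
# Added example (not Progress code): list wwwroot files created or changed in the look-back window.
param(
    [string[]]$Roots = @('C:\MOVEit Transfer\wwwroot'),  # add restored backup copies of wwwroot here
    [int]$Days = 30,                                     # the alert asks for at least 30 days
    [string]$BaselineCsv,                                # assumption: optional known-good manifest (RelativePath,SHA256)
    [string]$OutCsv = '.\wwwroot-review.csv'             # assumption: report path
)

$cutoffUtc = (Get-Date).ToUniversalTime().AddDays(-$Days)

# Load known-good hashes keyed by path relative to wwwroot, when a baseline was supplied.
$known = @{}
if ($BaselineCsv -and (Test-Path -LiteralPath $BaselineCsv)) {
    Import-Csv -LiteralPath $BaselineCsv | ForEach-Object { $known[$_.RelativePath] = $_.SHA256 }
}

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Folder not found: $root"; continue }
    $rootFull = (Resolve-Path -LiteralPath $root).ProviderPath.TrimEnd('\')

    # -Force includes hidden and system files that a plain directory listing would skip.
    Get-ChildItem -LiteralPath $rootFull -Recurse -File -Force | ForEach-Object {
        $rel    = $_.FullName.Substring($rootFull.Length).TrimStart('\')
        $hash   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        $recent = ($_.CreationTimeUtc -ge $cutoffUtc) -or ($_.LastWriteTimeUtc -ge $cutoffUtc)

        # Timestamps can be altered, so the baseline comparison also reports older-looking files.
        $status = if ($known.Count -eq 0)                { 'NoBaseline' }
                  elseif (-not $known.ContainsKey($rel)) { 'NotInBaseline' }
                  elseif ($known[$rel] -ne $hash)        { 'HashMismatch' }
                  else                                   { 'Match' }

        if ($recent -or $status -in @('NotInBaseline', 'HashMismatch')) {
            [pscustomobject]@{
                Root         = $rootFull
                RelativePath = $rel
                CreatedUtc   = $_.CreationTimeUtc
                ModifiedUtc  = $_.LastWriteTimeUtc
                SizeBytes    = $_.Length
                Status       = $status
                SHA256       = $hash
            }
        }
    }
}

$findings | Sort-Object CreatedUtc | Format-Table Root, RelativePath, CreatedUtc, ModifiedUtc, SizeBytes, Status -AutoSize
$findings | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
```

To cover backups, restore each backup's wwwroot to a scratch folder and pass those folders in -Roots alongside the live one. Every row in the report is a file that someone who knows the installation should be able to account for.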
Step 3:
Patches for all supported MOVEit Transfer versions are being tested and links will be made available below as they are ready. Supported versions are listed at the following link: https://community.
| Affected Version | Fixed Version | Documentation |
| --- | --- | --- |
| MOVEit Transfer 2023.0.0 | | MOVEit 2023 Upgrade Documentation |
| MOVEit Transfer 2022.1.x | | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2022.0.x | | |
| MOVEit Transfer 2021.1.x | | MOVEit 2021 Upgrade Documentation |
Reference(s)
NHS, Help Net Security, Progress, Bleeping Computer
Sources
https://digital.nhs.uk/cyber-
https://www.helpnetsecurity.
https://community.progress.
Alert ID 2bfc1d4b