Press Center

Malware and antivirus software

News

Navigating the MOVEit Transfer vulnerabilities

Created: 2023-06-26 06:25:36

Last week, Progress Software released yet another patch for the MOVEit file transfer software to address the third in a series of recently discovered vulnerabilities. If exploited, these vulnerabilities allow an unauthenticated attacker to gain unauthorized access to a MOVEit Transfer database. MOVEit users are urged to apply the latest patch. Until they have done so, software users should follow the mitigation steps provided by the MOVEit team and prepare to update as soon as possible. Likewise, organizations should also investigate the indicators of compromise published by CISA and Progress Software to determine whether their networks have been potentially compromised. ESET security products detect the webshell payloads seen in the attacks as ASP/Webshell.LZ. Hence ESET PROTECT customers can search for this detection name as a way of checking whether they have been attacked:

A search result of “No results found” means you have likely not been attacked. However, any hits from the search should trigger a review of the detections on the specific computers/servers where the detections occurred. ESET Inspect customers can see more detail on the actions that occurred prior to the detection of the webshells.

If you have purchased an ESET security service, such as ESET Detection and Response Advanced, make sure to request a threat hunt by one of our security specialists. If you have ESET Detection and Response Ultimate, then our security specialists have likely already performed a hunt in your environment and are actively monitoring for any threat activity related to this attack.

If the installed ESET protection detects ASP/Webshell.LZ within the environment, the customer will want to:
- Verify that they have applied patches as per Progress MOVEit’s advisory
- Review MOVEit IIS logs for known indicators of compromise showing the use of known malicious human2.aspx. This will supply them with dates of the first attempted uses of the malicious webshell, and IP Addresses used by attackers to use the webshell.
  o    GET /human2.aspx

  • human2.aspx = malicious and does not exist on a default install of MOVEit
  • human.aspx = safe and exists on a default install of MOVEit

- Review MOVEit AUDIT logs to look for exfiltrated data using MOVEit’s built in reporting

  o    Create a custom report inside of MOVEit to generate a report of all downloaded files from May/June 2023.

  • Fields: *
  • Tables: log
  • Criteria: Action = 'file_download' AND (LogTime LIKE '2023-05%' OR LogTime LIKE '2023-06%')

  o    Compare this report to the dates/timestamps for the use of the webshell identified in IIS logs to find likely exfiltrated files.




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Why ESET?

ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.