To best serve our MOVEit customers and provide the information they need to protect their environments, we will continue to be as transparent as possible regarding the recently discovered vulnerability within MOVEit Transfer and MOVEit Cloud. This update provides further details about the steps we are taking to promote the security of these products and the urgent actions customers should take to address this issue.
Our customers have been, and will always be, our top priority. Since this vulnerability was discovered, we have been working around the clock to protect our customers and to provide critical information in a timely manner. We have been providing ongoing updates through our knowledge base articles, customer emails and one-on-one support, doing everything we can to put the information customers need in their hands, and to make sure the software they use to run their business is as secure as possible.
When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers of the issue and provided immediate mitigations steps. We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit. Our third-party forensics company has conducted testing of the patch against a controlled unpatched instance of MOVEit Transfer. They have concluded that the patch addresses all elements needed to exploit the vulnerability and have attested to that fact.
If MOVEit Transfer customers have not yet applied this patch, it is essential that they do so as soon as possible by following the steps outlined in the knowledge base article. We urge customers to make sure they only download the patch from our knowledge base and not from any third-party sites.
Partnering with Industry Experts
The Progress MOVEit team appreciates the collaboration of the security community and our partners in assisting with the identification and investigation of this issue as we gather the information needed to ensure we take all appropriate response measures. We would like to give special thanks to CISA, Crowdstrike, Mandiant, Microsoft and Rapid7 for their assistance. We are committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on uncovering vulnerabilities in widely used software products.
Microsoft’s Threat Intelligence team has been partnering with us in our investigation. They have shared their analysis that attributes exploit of this vulnerability to a threat actor they track as Lace Tempest, a sophisticated cybercriminal group with overlaps to FIN11 and TA505. We have not yet confirmed that information independently.
As we continue to take steps to help customers protect their environments, it is important to note that, based on our investigation to-date, this vulnerability is limited to only MOVEit Transfer and MOVEit Cloud. At this time, there is no evidence that any other Progress software products were impacted.
We strongly encourage MOVEit Transfer and MOVEit Cloud customers to apply the guidance recommended below with urgency and take the necessary steps to conduct investigations for unauthorized access and other unusual download activity within their environments.
For MOVEit Transfer customers: Apply up-to-date patches, follow our recommended mitigation guidance and monitor for known Indicators of Compromise (IoC), which can be found on the MOVEit Transfer Critical Vulnerability Knowledge Base documentation. We are urging customers to use only the patch links included in our documentation. Do not use third-party resources.
For MOVEit Cloud customers: MOVEit Cloud has been patched. We encourage customers to review their audit logs for signs of unexpected or unusual file downloads, and continue to review access logs and systems logging, together with our systems protection software logs. Please refer to the MOVEit Cloud Vulnerability Knowledge Base documentation for up-to-date step-by-step guidance.
The information contained in this document is based on best available knowledge as of 8:30 Eastern Time on June 5, 2023 and may change.