Ordr Recognized in Gartner Market Guide for CPS Protection Platform Read more here!

Coauthors: Srinivas Loke, Gowri Sunder Ravi

Progress Software, which makes the MOVEit Transfer app, first disclosed a vulnerability for the MOVEit application on May 31st, 2023. The MOVEit application is a managed file transfer software produced by IPSwitch (acquired by Progress Software Corporation). It encrypts and uses secure FTP to transfer data with automation. MOVEit is used by thousands of enterprises, including 1700 software companies and 3.5 million developers. MOVEit is also used significantly within the healthcare industry, with HHS recently issuing an alert on this.

1. What Are The MOVEit Vulnerabilities?

CVE-2023-34362, with a CVSS score of 9. 8, is a critical SQL injection vulnerability affecting MOVEit Transfer and MOVEit Cloud. The vulnerability allows unauthenticated attackers to control a MOVEit installation completely, potentially leading to data alteration or theft, malicious software installation, and server configuration changes. The MOVEit Transfer versions affected are:

  • before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5),
  • and 2023.0.1 (15.0.1)

Following this disclosure, two additional vulnerabilities were disclosed for a total of three to date:

2. Has this vulnerability been exploited?

Exploits of the vulnerability have been discovered in the wild, and have been attributed to the Cl0p ransomware group (also known as FIN11 or Lace Tempest). It has been reported that attacks against this vulnerability were “zero-day attacks” and may have begun as early as May 27, 2023, before a patch was available or the vulnerability was publicly disclosed or discussed.

3. Recommendations by Progress Software

  • Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment
    • More specifically, modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
  • Review, Delete, and Reset
      • Delete Unauthorized Files and User Accounts (Particularly looks for an event associated with human2.aspx)
      • Delete any instances of the human2: aspx (or any files with the human2 prefix) and .cmdline script files.
      • On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
      • On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline
      • On the MOVEit Transfer server, look for new APP_WEB_[random].dll files created in the C:\Windows\Microsoft. NET\Framework64\[version]\Temporary ASP .NET Files\root\[random]\[random]\ directory:
      • Stop IIS (iisreset /stop)
      • Delete all APP_WEB_[random].dll files located in C:\Windows\Microsoft. NET\Framework64\[version]\Temporary ASP. NET Files\root\[random]\[random]\
      • Start IIS (iisreset /start). Note:The next time the web application is accessed, it will be rebuilt correctly. It is normal to have 1 APP_WEB_[random].dll file located in this directory.
  • Apply the Patch

4. How Ordr Can Help


Vulnerability mapping of impacted devices:

    • Ordr provides application mapping via its Software inventory Collector to detect MOVEit applications in the network and uses its Vulnerability Matching engine to identify whether the organization is impacted:
    • Using its Software Inventory Collector, Ordr provides visibility into all the apps installed on all enterprise or health system devices, workstations, and servers.
    • Ordr maintains a list of all the software packages installed on the endpoints with version numbers and a time stamp on when it was installed/last updated etc.,
    • Ordr vulnerability mapping engine assigns vulnerabilities based on the SW version collected from the endpoint. The installed application list is updated daily, and vulnerabilities are recalculated based on the new info.

graphic of device impacted by MOVEit

 Figure 1: Details of a device affected by this vulnerability   


Real-time detection of exploits using IDS, behavioral violation, and threat correlation:

  • Ordr has an IDS engine that can detect this specific vulnerability using analysis of packets transacting over the wire.
  • Ordr IDS signatures have been updated to detect exploits of the MOVEit vulnerability

IDS engine

Figure 2: Ordr IDS engine detecting the session to prohibited IPs associated with MOVEIt

Track communications to compromised IP/URLs:

  • In real-time, Ordr’s external IP/IOC tracks every communication to prohibited IP/URLs. Ordr uses a cloud-based threat intelligence platform where the list is continuously updated, and all communications are marked accordingly in the Ordr Security Threat Card.
  • Ordr scoured the internet to establish a list of MOVEit IPs/URLs and tracks all communications associated with this vulnerability with a “group” within the Ordr Traffic Analysis Tool outer ring. Ordr has named it “MOVEIT” in the classification analysis. All the lookups done using this method are retrospective in nature and map every communication to these IoCs.
  • Users can easily track and tag every device communicating with malicious IPs for remediation purposes.

traffic analysis

Figure 3: Traffic analysis based on communication to IPs associated with groups exploiting MOVEit

Baseline communications to surface anomalies:

  • Ordr also provides the capability to baseline all the communications based on profile, location, business function, or any customized entity using our AI/ML techniques. Ordr can trigger anomalies based on any deviations observed for this traffic. Ordr recommends using our behavioral anomaly and threat detection capabilities to identify anomalies while performing any incident response or remediation.


Figure 4: Ordr Flow Genome to baseline and map communications for MOVEit

  • Ordr adjusts the risk score of the device based on the events detected for the device along with the asset criticality. For example, Ordr assigns a higher risk score for devices with vulnerability and exploits vs. devices only with vulnerability. All of the risk scores are normalized based on the criticality.


  • M1051  (ATT&CK) – Update Software
    • Patch immediately. Refer to the Progress Software Knowledge Base above and apply the fixed versions of MOVEit Transfer.
  • M1040 https://attack.mitre.org/mitigations/M1040(ATT&CK) – Behavior Protection on Endpoint – Rapid threat containment if a breach is detected.
    • Ordr tracks every device’s connectivity and keeps real-time data on where the device is connected to in the enterprise network – wired switch, wireless AP, VPN, and so on.
    • When an alarm of a breach comes into the SOC team, the Ordr platform provides a one-click action to immediately get the device isolated or segmented into a quarantine VLAN.
    • Ordr supports a variety of threat containment actions, as shown below: 

threat containment

Figure 5: Ordr Mitigation Actions For MOVEit

  • M1037(ATT&CK) Proactive firewall policies:
    • Disabling HTTP (port 80) and HTTPS traffic (port 443) to MOVEit Transfer in the interim is recommended to prevent exploitation.
    • Create a policy profile with all the MOVEit servers, then build a firewall policy to block ports 80 and 443 inbounds from an external address.
    • Ordr supports integration with multiple industry-leading firewall vendors. Below is a sample screenshot of one vendor. 

policy profile

device list

automatic FW policies

Figure 5: Create a policy profile for MOVEit servers and create policies on your firewalls (Check Point example)

  • M1030(ATT&CK) – Network Segmentation:
    • Ordr’s segmentation policies can protect the mission-critical devices
    • Even if a breach happens,  mission-critical devices, for example, medical or devices in ER/OR, can be protected using Ordr policies. Only specific devices over certain protocols can communicate with these mission-critical devices.
    • Ordr supports integration with multiple industry-leading NAC vendors. 


Figure 6: Create Zero Trust segmentation policies automatically, pushed on your NAC (Cisco ISE example)


6.     Ordr Customer Updates

Ordr has prepared the following software configuration rules package (no software change required) and is working with customers on pushing them to their separate instances with utmost priority:

  1. Ordr Vulnerability Database to match against devices vulnerable to MOVEit.
  2. Ordr IDS engine to detect exploits related to MOVEit vulnerability.
  3. IoCs associated with MOVEit vulnerabilities are constantly updated and all the existing and new communications are mapped against these IoCs and are updated in the Ordr’s traffic analytics diagrams.
  4. All the indicators of compromise will be flagged on the Ordr’s security page and added to the alerts. Ordr constantly streams to the SOC/SIEM and sends emails to the admin if configured.

7.     Helpful Links



(Updated on November 10th with new Ordr capabilities) 

On October 26th, OpenSSL Project a critical vulnerability associated with OpenSSL versions 3.0 and higher. The version released on November 1st — OpenSSL version 3.0.7 —addresses this vulnerability.

  • CVE-2022-3602 is an arbitrary 4-byte stack buffer overflow that could trigger crashes or lead to remote code execution (RCE).
  • CVE-2022-3786 can be exploited by attackers via malicious email addresses to trigger a denial-of-service state via a buffer overflow.
  • These vulnerabilities were downgraded from critical to as high (CVSS score 8.8 from 9.0) on November 1st.

Here is what you need to know about this critical vulnerability:

What is OpenSSL? 

OpenSSL is a widely used open-source cryptography utility implemented to keep secure the web traffic exchange between a client and server. It is used to generate public and private keys, install SSL/TLS certificates, verify certificate information, and provide encryption.

Most web servers across the internet and within Intranets use SSL certificates to secure connections and the website being browsed. These certificates are traditionally generated by OpenSSL.

How concerned should we be about this vulnerability? 

OpenSSL can be misused if the vulnerable version is in use. The good news is that this vulnerability impacts a very specific version of OpenSSL and patching quickly will address any associated risks.

A flaw in OpenSSL has previously affected businesses. In April 2014, OpenSSL’s Heartbleed flaw was discovered. Numerous web servers, including those running popular websites like Yahoo, included it. Security teams rushed to apply updates because the vulnerability was simple to exploit.

How is this OpenSSL vulnerability exploited? 

Both CVE-2022-3602 and CVE-2022-3786 vulnerabilities are prone to buffer overflow attacks that can perform RCE (Remote Code Execution) or expose contents of the memory that contains private keys or proprietary information.

The chances of these vulnerabilities getting abused are low because one of the conditions is a malformed certificate signed by a trusted CA.

The issue lies in the verification process of certificates that OpenSSL performs for certificate-based authentication. The exploitation of the vulnerabilities could allow an attacker to launch a Denial of Service (DoS) or even a Remote Code Execution attack.

Patches for the two weaknesses found in OpenSSL v3.0.0 to v3.06 have now been released.

Which OpenSSL versions are vulnerable? 

  • OpenSSL versions 3.0 and above are vulnerable.
  • OpenSSL 3.0.0, the first stable version of OpenSSL 3.0, was released in September 2021, about one year ago. Any older operating systems prior to 3.0.0 are not impacted by this vulnerability.
  • Open SSL version 3.0.0 to 3.0.6 are affected by this vulnerability.
  • OpenSSL version 3.0.7 includes the fix for the critical vulnerability.

CRITICAL Severity: This affects common configurations, which are also likely to be exploitable. Among these are significant disclosures of server memory (potentially revealing user information), vulnerabilities that are easily exploitable to compromise server private keys remotely, or situations where remote code execution is possible. We will keep these issues private and release a new version of all supported versions as soon as possible.

HIGH Severity: This includes issues that are of a lower risk than critical, perhaps due to affecting fewer common configurations or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month, where this is something under our control.

Is the Ordr platform impacted by the OpenSSL vulnerability?   

Ordr has reviewed our usage of OpenSSL. This vulnerability does not impact Ordr as we do not use the impacted version.

How Ordr can help? 

Ordr has added two new capabilities:

  1. A new scanner that will detect versions of the OpenSSL that are vulnerable.

  1. New IPS signatures that can detect exploits of this OpenSSL vulnerability

New Ordr Scanner to Detect Vulnerable Versions of OpenSSL  

  • Ordr scanner uses the following command-line Options:
  • As servers have an open HTTP port; A curl command is used to connect to them to find the SSL version
  • In cases where clients do not usually have web services, the “ssh” command can be used instead.
  • As for a detection method, we use HTTPS headers, SSH headers, and credentialed scans to get the information.
  • Some scanners use only authenticated approach that requires full credentials, but Ordr uses an unauthenticated way to get information about Open SSL versions.
  • Ordr scanner also uses tools like Nmap to find open ports as a precursor before finding out about the OpenSSL version.
  • Example screenshots of detecting Open SSL that is built into the Ordr scanner.

Sample SSL command 

Sample SSH command 

Packet Parser with IDS Signatures to Detect Exploit Attempts 

  • While the Ordr scanner detects all the machines that have this vulnerability, the next step is to see if any exploits are exploting this vulnerability.
  • There is a parser on the wire that we need to enhance with rules to get versions of TLS, certs, and cryptography.
  • Ordr has an intrusion detection engine that scans for exploits of this vulnerability with the correct signatures. For example, given below is a signature that would help identify the exploit of this vulnerability.
  • CVS-2022-3602 Detection – Detection of this pattern was done using IDS Signatures.
  • A buffer overflow can be triggered by sending an X.509 certificate with a specially crafted email address in the “id-on-SmtpUTF8Mailbox” field (OID, resulting in a crash (Denial of Service – DoS) or potentially remote code execution on a vulnerable client or server. Potential opportunities for exploitation can occur if a server requests authentication information after a malicious client connects or if a client connects to a malicious server, which would then make the client vulnerable.
  • “OpenSSL x509 crafted email address buffer overflow attempt” is detected with the following signature.
  • In the event that there is a malicious activity involving OpenSSL, Ordr has pushed the latest signature to all its customers, and the alarms will be raised.

Figure 1: Ordr Open SSL Scan Launching Screen

Table Description automatically generated

Figure 2: Open SSL Jobs Status with Reports

Graphical user interface Description automatically generated with low confidence

Figure 3: Scanning Job List

Graphical user interface, text Description automatically generated

Figure 4: Latest Security Threat

Graphical user interface, text Description automatically generated

Figure 5: Incident Summary