Exploitation of Critical MOVEit Transfer Vulnerability Observed By Rapid7

Background

On Wednesday 31st of May 2023 Progress software had published an advisory warning of a critical SQL injection vulnerability in the MOVEit Transfer solution.

This is a critical flaw that allows a threat actor to gain unauthorized access to the software’s database. The following was noted in the advisory:

“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements…exploitation of unpatched systems can occur via HTTP or HTTPS.”

CVE-2023-34362 was assigned to this zero day on the 2nd of June 2023. The worrying thing is that threat actors were already exploiting this vulnerability 4 days earlier before the advisory had been issued by Progress Software.

Progress Software are asking any MOVEit customers to check for any indicators of compromise for at least the last 30 days.

With such wide spread attention on CVE-2023-34362, another new patch was released on 9th June 2023 for CVE-2023-35036, which is a 2nd SQL injection vulnerability. It was observed that the moveitisapi.dll file was one of the files changed. The Rapid7 research team has confirmed that the modification of this file which plays a role in the original attack chain.

With CVE-2023-35036 all versions of the MOVEit Transfer software are affected, but it is not clear as to what versions are currently being exploited in the wild.

Thursday June 15th 2023, yet another vulnerability was disclosed by Progress Software and has been assigned CVE-2023-35708.

At the end of May 2023, it is estimated that there are around 2,500 instances that have MOVEit Transfer exposed to the internet, with most of them being in the US.

When Rapid7 previously looked into similar SQL injection to Remote Code Execution (RCE) flaws in network edge systems, it was observed that such vulnerabilities can grant threat actors with an initial foothold to the corporate network.

In recent years file transfer solutions have become the target of choice for threat actors, which also includes ransomware groups.

Lace Tempest, the threat actor which has previously been linked to the Cl0p ransomware, data theft and extortion attacks have been attributed to the exploitation of this zero day vulnerability.

In a post on the Cl0p gang’s leak site, they are demanding that victims reach out to them before the 14th of June 2023 to negotiate the extortion fees for deleting the stolen information.

Noted Attacker Behavior

Rapid7 can confirm that data exfiltration and system compromise go back to at least the 27th and 28th May 2023 and it has been observed that the same webshell has been seen in a number of customer environments, which seems to hint at automated exploitation.

The behavior that has been observed by the Rapid7 team indicates that these attacks are of the opportunistic nature rather than highly targeted. The artifacts that can be seen could potentially indicate the work of a single threat actor that is throwing this exploit around haphazardly at exposed targets. Click here to read how Mandiant has carried out an analysis to support this theory.

The webshell payload that is also associated with successful  exploitation was analyzed by Rapid7. The code found in the webshell would start by determining if an inbound request had a header named X-siLock-Comment and would return a 404 Not found error if the header was not populated with a particular type of password value.

As of the 1st of June 2023 all the instances observed by rapid 7 involve the presence of human2.aspx which can be found in the wwwroot folder of the MOVEit installation directory. The human.aspx file is the native file used by the software’s web interface.

Guidance on How to Mitigate this Zero Day

All the versions of MOVEit Transfer prior to 31st of May 2023 are vulnerable to CVE-2023-34362. Fixed versions are available and patches should be applied immediately. The patched versions are the following and are the latest patched versions that patch CVE-2023-34362 and CVE-2023-35036:

• MOVEit Transfer 2023.0.2
• MOVEit Transfer 2022.1.6
• MOVEit Transfer 2022.0.5
• MOVEit Transfer 2021.1.5
• MOVEit Transfer 2021.0.7

As of 16th June 2023, new versions of the software are being released to fix CVE-2023-35708. Keep an eye out to the Progress Software Advisory for the latest update.

On June 5th Progress Software published an update stressing that customers should download the patches directly from their knowledge base articles and not from any 3rd party sources.

If you have MOVEit Transfer version 2020.1.x (12.1) a special patch has been made available. Anything older than this version requires an upgrade to a supported version.

There is fully up to date details and documentation about the versions that are affected by this vulnerability as well as installers and DLL drop ins for fixed versions, which can be found here. Progress Software encourage their customers to make use of the advisories from May 31st, June 9th, and June 15th 2023 for accurate information along side an overview page that has been created.

The cloud version is also affected by this zero day, but has been globally patched. Those that take advantage of the Microsoft Azure integration should rotate their Azure storage keys.

It is recommended that firewall rules be implemented to block HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until a patch is released for CVE-2023-34362 and it can be applied.

If you also notice any unusual and unauthorized files or user accounts such as command line scripts or human2.aspx instances these are to be deleted.

As per the advisory mentioned earlier in this post, it is important that businesses see if there are any indicators of compromise going back for at least 1 month. The advisory also includes indicators of compromise (IOC) as well.

Data Exfiltration Method Identified

The incident response team at Rapid7 have identified what gets exfiltrated from a compromised MOVEit customer environment.

It creates its own EVTX file which can be found at C:\Windows\System32\winevt\Logs\MOVEit.evtx. These event logs have a single event ID (ID 0) which provides a wide ranger of information from file name, path, size, IP address, and the username of the person that carried out the download.

It was confirmed by Progress Software’s engineer team that by default logging is not enabled, but customers usually enable it after installation. This means that alot of instances would have these records available on the host machine.

It is important for an organizations Incident Response Team to use this information as it woudl help to identify what data as well as how much data was exfiltrated. This in turn would help to meet any regulatory compliance standards where ever applicable.

It is important that the log data is captured prior to wiping or restoring the application from an earlier backup. Crowdstrike, a security firm, has a blog post on how to query the SQL database directly for exfiltrated data.