Trustwave Action Response: Zero Day Exploitation of MOVEit (CVE-2023-34362)
Update - June 16, 2023: The second vulnerability mentioned in the June 12 update now has an assigned CVE number: CVE-2023-35036. On June 15, a third SQL injection vulnerability was released. This new vulnerability also has been assigned a CVE number: CVE-2023-35708.
These vulnerabilities are SQL injection issues and exploitation could result in modification, deletion and/or disclosure of MOVEit database content. These newly discovered vulnerabilities are distinct from the previously reported vulnerability that MOVEit shared on May 31, 2023.
Update - June 12, 2023: According to MOVEit, there are additional vulnerabilities (CVEs pending MITRE) that a bad actor could potentially use to stage an exploit. These vulnerabilities are SQL injection issues and exploitation could result in modification, deletion and/or disclosure of MOVEit database content. These newly discovered vulnerabilities are distinct from the previously reported vulnerability that MOVEit shared on May 31, 2023.
It's important to note that unlike the previous zero day, these vulnerabilities were discovered as a part of an internal code audit. Currently, there is no known exploitation of these vulnerabilities. At this time, MOVEit is recommending that all MOVEit Transfer customers apply the new patch, released on June 9, 2023. Please refer to MOVEit’s full advisory here for next steps.
On May 31, threat actors were discovered targeting a critical zero day in MOVEit Transfer software, resulting in escalated privileges and unauthorized data access. The vulnerability being exploited is an SQL injection and has since been patched. Resource links, including one for the patch, are at the bottom of this post.
MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch (a subsidiary of Progress Software). Those of you that have been around IT for a stretch might remember Ipswitch's popular FTP software (WS_FTP). It is used by organizations to securely transfer files for business partners and customers.
All MOVEit Transfer versions are affected by this vulnerability. As of June 2nd, Shodan searches for public-facing MOVEit instances show over 500 systems that have MOVEit directly in the service headers and over 2,500 systems using the MOVEit favicon (which suggests the system is running MOVEit even if the service headers don't show it, although it could equally indicate any of the other services that Progress Software offers). See Figures 1 and 2.
Trustwave is diligently monitoring the situation for client exposure and associated attacks and will provide updates here as we have them.
Figure 1: Shodan results based on service headers
Figure 2: Shodan results based on favicon hash
Technical Details
After exploitation, the threat actor drops the file "human2.aspx" on the system. This webshell supports several parameters, triggering specific actions depending on the parameter used.
These parameters are:
| Parameter | Values | Description |
| --- | --- | --- |
| X-siLock-Comment | static password | Without this parameter set to the proper password, the system returns an HTTP 404 error code |
| X-siLock-Step1 | -2, -1, NULL | Primary parameter used for access |
| X-siLock-Step2 | Folder ID | Specifies a directory |
| X-siLock-Step3 | File ID | Specifies a filename |
Assuming the X-siLock-Comment is set with the proper password string, the X-siLock-Step1 will define what actions are taken on the exploited system as follows:
| X-siLock-Step1 value | Action |
| --- | --- |
| NULL | The file defined by X-siLock-Step2 and X-siLock-Step3 will be downloaded. |
| -1 | Returns critical Azure Blob information including Storage Account, Key, and Container IDs. It also returns a list of all files and folders stored in MOVEit, the file owners and file sizes, as well as all institution names mentioned in the MOVEit instance. This would allow the attacker to target specific files associated with specific users or organizations. |
| -2 | Deletes the newly created database admin user named “Health Check Service”, presumably to clean up and cover their tracks after a compromise. |
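As an added example (not code from the original post, from Trustwave or from Progress), the following Python turns the parameter semantics in the two tables above into a defender-side classifier: given a raw HTTP request captured at a reverse proxy or WAF, it flags any request carrying X-siLock-* headers and labels the action the documented X-siLock-Step1 values would select. It assumes the request arrives as HTTP/1.1 text with CRLF line endings, treats an absent X-siLock-Step1 header the same as the literal value NULL (this example's reading of the table, not something the post states), and never needs the webshell's password, because the headers themselves are the indicator.

```python
"""Flag HTTP requests that carry the X-siLock-* headers used by the human2.aspx
webshell and label the action the documented X-siLock-Step1 values select.

Added example, not code from Trustwave or Progress. Assumes raw HTTP/1.1
request text (CRLF line endings) such as a reverse-proxy or WAF capture.
"""
from typing import Dict, Optional, Tuple

# Meaning of X-siLock-Step1 as documented in the table above. Treating an
# absent header like the literal value NULL is this example's interpretation.
STEP1_ACTIONS = {
    None: "file download (folder from X-siLock-Step2, file from X-siLock-Step3)",
    "-1": "enumeration of Azure Blob settings plus all files, folders and owners",
    "-2": "cleanup: deletion of the 'Health Check Service' admin user",
}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split raw request text into (method, path, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive; an attacker can vary the case freely.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, path = parts[0], parts[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify(raw: str) -> Optional[dict]:
    """Return a finding if the request looks like webshell traffic, else None.

    Any X-siLock-* header is treated as an indicator on its own: the webshell
    answers 404 without the right X-siLock-Comment, so a "failed" attempt is
    still evidence that someone is probing for the shell.
    """
    method, path, headers = parse_request(raw)
    silock = {k: v for k, v in headers.items() if k.startswith("x-silock-")}
    if not silock:
        return None
    step1 = silock.get("x-silock-step1")
    if step1 is not None and step1.upper() == "NULL":
        step1 = None
    return {
        "method": method,
        "path": path,
        "has_comment_header": "x-silock-comment" in silock,
        "step1": step1,
        "action": STEP1_ACTIONS.get(step1, f"unknown X-siLock-Step1 value {step1!r}"),
        "folder_id": silock.get("x-silock-step2"),
        "file_id": silock.get("x-silock-step3"),
        "targets_known_shell_name": path.lower().split("?", 1)[0].endswith("/human2.aspx"),
    }


if __name__ == "__main__":
    # Constructed sample: an enumeration attempt against the dropped webshell.
    sample = ("GET /human2.aspx HTTP/1.1\r\nHost: mft.example.test\r\n"
              "X-siLock-Comment: [redacted]\r\nX-siLock-Step1: -1\r\n\r\n")
    print(classify(sample))
```

The finding records whether the X-siLock-Comment header was present at all rather than its value, so the same logic works as a WAF block rule (any X-siLock-* header) and as a triage aid (which of the three documented actions the request was attempting, and which folder and file IDs were named).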
Mitigations and Remediations
All versions of MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1) are affected. Progress Software has released an official patch which is available here: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
However, prior to applying the patch, Progress recommends admins take the following actions.
1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment by setting up your firewall to deny that access to your environment. (Note: it's fine to leave SFTP and FTP ports open, as exploitation appears to occur only over HTTP/HTTPS.)
2. Review your MOVEit environment for signs of compromise, including:
   - Audit and delete any unauthorized files and user accounts.
   - On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
   - On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline.
   - Remove any unauthorized user accounts.
   - Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded.
   - Reset service account credentials for affected systems and the MOVEit Service Account.
   Note: A full table of IoCs is available below.
3. After these steps, you can apply the patch.
After the update has been applied, you can re-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment. You'll also want to verify that the compromise has been fully addressed by going back through the actions in Step 2 above.
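The host-side checks in Step 2 can be scripted. The following Python sweep is an added example (not Trustwave's or Progress's tooling): it walks the web root for files newer than a baseline timestamp or carrying the webshell filename, looks for .cmdline files one directory level under TEMP, and compares SHA256 digests with the hashes from the IoC table later in this post. The directory layout built by run_demo() and the baseline time are constructed for the demo; modification time stands in for creation time so the example runs on any OS, and on a real Windows host you would check the creation timestamp as well.

```python
"""Host-side sweep for the review steps above.

Added example, not Trustwave's or Progress's code. The MOVEit web root and
TEMP paths are passed in by the caller; the demo layout is constructed.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import List, Set

WEBSHELL_NAMES = {"human2.aspx", "human2.aspx.lnk"}   # filenames from the IoC table

# SHA256 digests from the IoC table in this post.
KNOWN_BAD_SHA256: Set[str] = {
    "0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9",
    "110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286",
    "1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2",
    "2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59",
    "58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166",
    "98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8",
    "a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986",
    "b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03",
    "cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621",
    "ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c",
}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA256 so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(wwwroot: Path, temp_root: Path, since: float,
          known_hashes: Set[str] = KNOWN_BAD_SHA256) -> List[dict]:
    """Return one finding per suspicious file, each with the reasons it was flagged.

    `since` is a POSIX timestamp for the last known-good baseline (for example
    the last change window). Modification time is a portable stand-in for
    creation time here.
    """
    findings: List[dict] = []

    def record(p: Path, reasons: List[str]) -> None:
        if reasons:
            findings.append({"name": p.name, "path": str(p), "reasons": reasons})

    # Web root: new files, known webshell names, known-bad hashes.
    for p in wwwroot.rglob("*"):
        if not p.is_file():
            continue
        reasons: List[str] = []
        if p.name.lower() in WEBSHELL_NAMES:
            reasons.append("known-webshell-name")
        if p.stat().st_mtime >= since:
            reasons.append("created-after-baseline")
        if sha256_of(p) in known_hashes:
            reasons.append("known-bad-sha256")
        record(p, reasons)

    # TEMP\<random>\*.cmdline: any such file is worth a look.
    for p in temp_root.glob("*/*.cmdline"):
        if p.is_file():
            reasons = ["cmdline-in-temp-subdir"]
            if sha256_of(p) in known_hashes:
                reasons.append("known-bad-sha256")
            record(p, reasons)
    return findings


def run_demo() -> List[dict]:
    """Build a constructed directory layout, sweep it, and clean up."""
    with tempfile.TemporaryDirectory() as base:
        wwwroot, temp_root = Path(base) / "wwwroot", Path(base) / "TEMP"
        (wwwroot / "images").mkdir(parents=True)
        (temp_root / "a1b2c3d4").mkdir(parents=True)
        old = time.time() - 30 * 86400       # constructed: file age 30 days
        since = time.time() - 7 * 86400      # constructed: baseline 7 days ago
        legit = wwwroot / "images" / "logo.png"
        legit.write_bytes(b"\x89PNG constructed placeholder")
        os.utime(legit, (old, old))
        (wwwroot / "human2.aspx").write_text("<%@ Page %> constructed placeholder")
        (temp_root / "a1b2c3d4" / "e5f6.cmdline").write_text("constructed placeholder")
        staged = wwwroot / "images" / "staged.dll"
        staged.write_bytes(b"constructed dll placeholder")
        os.utime(staged, (old, old))
        # Constructed: pretend this file's digest is on the known-bad list.
        return sweep(wwwroot, temp_root, since, KNOWN_BAD_SHA256 | {sha256_of(staged)})


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Each file is tested against all three criteria independently, so an old file whose digest matches the IoC list is still reported even though it predates the baseline, and a freshly dropped file is reported even when its hash is not yet known.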
Additional Detection Options
- Search for a user named ‘Health Check Service’ within the MOVEit user database
- Examine active sessions within the MOVEit database for the user ‘Health Check Service’
- Search your web access logs for requests that contain any request or response headers listed above
Additional Security Best Practices
- Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known, trusted IP addresses
- Review and remove any unauthorized accounts
- Update remote access policies to only allow inbound connections from known and trusted IP addresses
- Allow inbound access from trusted entities
- Enable multi-factor authentication
Indicators of Compromise
| Indicator | Type |
| --- | --- |
| C:\Windows\TEMP\[random]\[random].cmdline | Folder Path |
| human2.aspx | Filename |
| human2.aspx.lnk | Filename |
| POST /moveitisapi/moveitisapi.dll | HTTP Request |
| POST /guestaccess.aspx | HTTP Request |
| POST /api/v1/folders/[random]/files | HTTP Request |
| Health Check Service | User Account |
| 5.252.189.0/24 | CIDR |
| 5.252.190.0/24 | CIDR |
| 5.252.191.0/24 | CIDR |
| 198.27.75.110 | IPv4 |
| 209.222.103.170 | IPv4 |
| 84.234.96.104 | IPv4 |
| 138.197.152.201 | IPv4 |
| 209.97.137.33 | IPv4 |
| 148.113.152.144 | IPv4 |
| 89.39.105.108 | IPv4 |
| 5.252.23.116 | IPv4 |
| 5.252.25.88 | IPv4 |
| 198.12.76.214 | IPv4 |
| Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36 | User Agent |
| dojustit[.]mooo[.]com | Domain |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\[random]\[random]\App_Web_[random].dll | Filename |
| 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 | SHA256 Hash |
| 110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 | SHA256 Hash |
| 1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 | SHA256 Hash |
| 2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 | SHA256 Hash |
| 58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 | SHA256 Hash |
| 98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 | SHA256 Hash |
| a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 | SHA256 Hash |
| b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 | SHA256 Hash |
| cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 | SHA256 Hash |
| ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c | SHA256 Hash |
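To make the "search your web access logs" step under Additional Detection Options concrete, here is an added example in Python (not Trustwave's or Progress's code) that parses IIS W3C extended log lines and matches each entry against the request paths, IP addresses, CIDR ranges and user agent from the table above. The three entries in SAMPLE_LOG are constructed; the field list mirrors the IIS default W3C layout, which writes user agents with spaces encoded as "+", the same form the indicator above is given in. The [random] segment of /api/v1/folders/[random]/files is treated as a single path-segment wildcard, and the webshell filename is matched as a request path as well.

```python
"""Scan IIS W3C access logs for the network and request indicators listed above.

Added example, not Trustwave's or Progress's code. Indicator values are the
ones from the IoC table; SAMPLE_LOG is constructed for the demo.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

IOC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "5.252.189.0/24", "5.252.190.0/24", "5.252.191.0/24",
)]
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "198.27.75.110", "209.222.103.170", "84.234.96.104", "138.197.152.201",
    "209.97.137.33", "148.113.152.144", "89.39.105.108", "5.252.23.116",
    "5.252.25.88", "198.12.76.214",
)}
IOC_USER_AGENT = ("Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36"
                  "+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36")
# (method or None for any, regex over cs-uri-stem). "[random]" becomes one path segment.
IOC_REQUESTS = [
    ("POST", re.compile(r"^/moveitisapi/moveitisapi\.dll$", re.I)),
    ("POST", re.compile(r"^/guestaccess\.aspx$", re.I)),
    ("POST", re.compile(r"^/api/v1/folders/[^/]+/files$", re.I)),
    (None, re.compile(r"/human2\.aspx$", re.I)),   # webshell filename as a URL
]

# Constructed sample log in the IIS default W3C layout (user agent is one token).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-05-28 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-28 01:00:10 10.0.0.5 GET /index.aspx - 443 - 192.0.2.10 Mozilla/5.0+(X11;+Linux+x86_64)+Firefox/113.0 - 200 0 0 15
2023-05-28 01:02:03 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 5.252.189.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36 - 200 0 0 120
2023-05-28 01:02:09 10.0.0.5 GET /human2.aspx - 443 - 198.27.75.110 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36 - 200 0 0 40
"""


def parse_w3c(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one dict per log entry, using the most recent #Fields directive."""
    fields: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def match_entry(entry: Dict[str, str]) -> List[str]:
    """Return the indicator names this entry matches (empty list when clean)."""
    hits: List[str] = []
    try:
        client = ipaddress.ip_address(entry.get("c-ip", ""))
    except ValueError:
        client = None
    if client is not None:
        if client in IOC_IPS:
            hits.append(f"ioc-ip:{client}")
        for net in IOC_NETWORKS:
            if client in net:
                hits.append(f"ioc-cidr:{net}")
    if entry.get("cs(User-Agent)") == IOC_USER_AGENT:
        hits.append("ioc-user-agent")
    method, stem = entry.get("cs-method", ""), entry.get("cs-uri-stem", "")
    for want_method, pattern in IOC_REQUESTS:
        if (want_method is None or want_method == method.upper()) and pattern.search(stem):
            hits.append(f"ioc-request:{method} {stem}")
    return hits


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return only the entries with at least one indicator hit."""
    findings: List[Dict[str, object]] = []
    for entry in parse_w3c(lines):
        hits = match_entry(entry)
        if hits:
            findings.append({"time": f"{entry.get('date')} {entry.get('time')}",
                             "client": entry.get("c-ip"), "hits": hits})
    return findings


def demo_findings() -> List[Dict[str, object]]:
    return scan_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

A user-agent hit on its own is low confidence, since that Chrome 105 string is common in legitimate traffic; the address and request-path hits are what corroborate it. Default IIS logging does not record custom request headers, so the X-siLock-* header search has to run on a proxy or WAF capture rather than on these logs.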
Additional Resources
Progress link: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
NIST CVE-2023-34362: https://nvd.nist.gov/vuln/detail/CVE-2023-34362
About the Author
Karl Sigler is Security Research Manager, SpiderLabs Threat Intelligence at Trustwave. Karl is a 20-year infosec veteran responsible for research and analysis of current vulnerabilities, malware and threat trends at Trustwave. Follow Karl on LinkedIn.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.