Trustwave Action Response: Zero Day Exploitation of MOVEit (CVE-2023-34362)

Update - June 16, 2023: The second vulnerability mentioned in the June 12 update now has an assigned CVE number: CVE-2023-35036. On June 15, a third SQL injection vulnerability was released. This new vulnerability also has been assigned a CVE number: CVE-2023-35708.

These vulnerabilities are SQL injection issues and exploitation could result in modification, deletion and/or disclosure of MOVEit database content. These newly discovered vulnerabilities are distinct from the previously reported vulnerability that MOVEit shared on May 31, 2023.

Update - June 12, 2023: According to MOVEit, there are additional vulnerabilities (CVEs pending MITRE) that a bad actor could potentially use to stage an exploit. These vulnerabilities are SQL injection issues and exploitation could result in modification, deletion and/or disclosure of MOVEit database content. These newly discovered vulnerabilities are distinct from the previously reported vulnerability that MOVEit shared on May 31, 2023.    

It's important to note that unlike the previous zero day, these vulnerabilities were discovered as a part of an internal code audit. Currently, there is no known exploitation of these vulnerabilities. At this time, MOVEit is recommending that all MOVEit Transfer customers apply the new patch, released on June 9, 2023. Please refer to MOVEit’s full advisory here for next steps.

On May 31, threat actors were discovered targeting a critical zero day in MOVEit Transfer software resulting in escalated privileges and unauthorized data access. The vulnerability being exploited is an SQL injection and has since been patched. Resources links, including one for the patch, are at the bottom of this post.

MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch (a subsidiary of Progress Software). Those of you that have been around IT for a stretch might remember Ipswitch's popular FTP software (WS_FTP). It is used by organizations to securely transfer files for business partners and customers.

All MOVEit Transfer versions are affected by this vulnerability. As of June 2^nd, Shodan searches for public facing MOVEit instances show over 500 systems that directly have MOVEit in the service headers and over 2,500 systems using the the MOVEit favicon (which suggests the system is using MOVEit even if the service headers provide don't show that. Although it equally suggests any of the other services that Progress Software offers). See Figures 1 and 2.

Trustwave is diligently monitoring the situation for client exposure and associated attacks and will provide updates here as we have them.

Figure 1: Shodan results based on service headers	Figure 2: Shodan results based on favicon hash

Technical Details

After exploitation, the threat actor drops the file "human2.aspx" on the system. This webshell supports several parameters, triggering specific actions depending on the parameter used.

These parameters are:

Assuming the X-siLock-Comment is set with the proper password string, the X-siLock-Step1 will define what actions are taken on the exploited system as follows:

Mitigations and Remediations

All versions of MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1) are affected. Progress Software has released an official patch which is available here: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

However, prior to applying the patch, Progress recommends admins take the following actions.

1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer Environment by setting up your firewall to deny that access to your environment. (Note: it's fine to leave SFTP and FTP ports open as exploitation appears to occur only over HTTP/HTTPS)
2. Review your MOVEit Environment for signs of compromise, including:

Audit and delete any unauthorized files and user accounts.

On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.

On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline

Remove any unauthorized user accounts.

Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded.

Reset service account credentials for affected systems and MOVEit Service Account

Note: A full table of IoCs is available below

3. After these steps, you can apply the patch.

After the update has been applied, you can re-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment. You'll also want to verify that the compromise has been fully addressed by going back through the actions in Step 2 above.

Additional Detection Options

• Search for a user named ‘Health Check Service’ within the MOVEit user database
• Examine active sessions within the MOVEit database for the user ‘Health Check Service’
• Search you web access logs for requests that contain any request or response headers listed above

Additional Security Best Practices

• Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known, trusted IP addresses
• Review and remove any unauthorized accounts
• Update remote access policies to only allow inbound connections from known and trusted IP addresses
• Allow inbound access from trusted entities
• Enable multi-factor authentication

Indicators of Compromise