Trustwave Action Response: Zero Day Exploitation of MOVEit (CVE-2023-34362)
June 02, 2023
Karl Sigler
Update - June 16, 2023: The second vulnerability mentioned in the June 12 update now has an assigned CVE number: CVE-2023-35036. On June 15, a third SQL injection vulnerability was released. This new vulnerability also has been assigned a CVE number: CVE-2023-35708.
These vulnerabilities are SQL injection issues and exploitation could result in modification, deletion and/or disclosure of MOVEit database content. These newly discovered vulnerabilities are distinct from the previously reported vulnerability that MOVEit shared on May 31, 2023.
Update - June 12, 2023: According to MOVEit, there are additional vulnerabilities (CVEs pending MITRE) that a bad actor could potentially use to stage an exploit. These vulnerabilities are SQL injection issues and exploitation could result in modification, deletion and/or disclosure of MOVEit database content. These newly discovered vulnerabilities are distinct from the previously reported vulnerability that MOVEit shared on May 31, 2023.
It's important to note that unlike the previous zero day, these vulnerabilities were discovered as a part of an internal code audit. Currently, there is no known exploitation of these vulnerabilities. At this time, MOVEit is recommending that all MOVEit Transfer customers apply the new patch, released on June 9, 2023. Please refer to MOVEit’s full advisory here for next steps.
On May 31, threat actors were discovered targeting a critical zero day in MOVEit Transfer software, resulting in escalated privileges and unauthorized data access. The vulnerability being exploited is an SQL injection and has since been patched. Resource links, including one for the patch, are at the bottom of this post.
MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch (a subsidiary of Progress Software). Those of you that have been around IT for a stretch might remember Ipswitch's popular FTP software (WS_FTP). It is used by organizations to securely transfer files with business partners and customers.
All MOVEit Transfer versions are affected by this vulnerability. As of June 2nd, Shodan searches for public-facing MOVEit instances show over 500 systems that have MOVEit directly in the service headers and over 2,500 systems using the MOVEit favicon (which suggests the system is running MOVEit even when the service headers don't show it, although it could equally indicate any of the other services that Progress Software offers). See Figures 1 and 2.
Trustwave is diligently monitoring the situation for client exposure and associated attacks and will provide updates here as we have them.
Figure 1: Shodan results based on service headers
Figure 2: Shodan results based on favicon hash
Technical Details
After exploitation, the threat actor drops the file "human2.aspx" on the system. This webshell supports several parameters, triggering specific actions depending on the parameter used.
These parameters are:
| Parameter | Values | Description |
| --- | --- | --- |
| X-siLock-Comment | static password | Without this parameter being set to the proper password, the system returns an HTTP 404 error code |
| X-siLock-Step1 | -2, -1, NULL | Primary parameter used for access |
| X-siLock-Step2 | Folder ID | Specifies a directory |
| X-siLock-Step3 | File ID | Specifies a filename |
Assuming the X-siLock-Comment is set with the proper password string, the X-siLock-Step1 will define what actions are taken on the exploited system as follows:
| X-siLock-Step1 value | Action |
| --- | --- |
| NULL | The file defined by X-siLock-Step2 and X-siLock-Step3 will be downloaded. If those parameters are not provided, "human2.aspx" will create a new database admin user named "Health Check Service". |
| -1 | Returns critical Azure Blob information including Storage Account, Key, and Container IDs. It will also return a list of all files and folders stored in MOVEit, the file owners and file sizes, as well as all institution names mentioned in the MOVEit instance. This would allow the attacker to target specific files associated with specific users or organizations. |
| -2 | Deletes the new database admin user named "Health Check Service", presumably to clean up and cover their tracks after a compromise. |
Prior to applying the patch, Progress recommends that admins take the following actions.
Step 1: Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment by setting up your firewall to deny that access to your environment. (Note: it's fine to leave SFTP and FTP ports open, as exploitation appears to occur only over HTTP/HTTPS.)
Step 2: Review your MOVEit environment for signs of compromise, including:
- Audit and delete any unauthorized files and user accounts.
- On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
- On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline.
- Remove any unauthorized user accounts.
- Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded.
- Reset service account credentials for affected systems and the MOVEit service account.
Note: A full table of IoCs is available below.
Step 3: After these steps, apply the patch.
Step 4: After the update has been applied, re-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment. You'll also want to verify that the compromise has been fully addressed by going back through the actions in Step 2 above.
Additional Detection Options
Search for a user named ‘Health Check Service’ within the MOVEit user database
Examine active sessions within the MOVEit database for the user ‘Health Check Service’
Search your web access logs for requests that contain any of the request or response headers listed above
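As an added example (not from the original post or from Trustwave), the web-log check above implemented over constructed IIS W3C log lines: it flags every request for human2.aspx and every request carrying one of the X-siLock-* headers from the parameter table. It assumes IIS logging was extended to record those request headers as cs(...) columns; the sample lines and the password value are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Indicators from the advisory: the dropped webshell and the request headers it keys on.
WEBSHELL_FILE = "human2.aspx"
HEADER_RE = re.compile(r"X-siLock-(Comment|Step[123])", re.IGNORECASE)

@dataclass
class Finding:
    line_no: int
    client_ip: str
    reason: str

def parse_w3c(lines):
    """Yield (line number, record dict) pairs, naming columns from the #Fields: directive."""
    names = None
    for n, line in enumerate(lines, start=1):
        if line.startswith("#Fields:"):
            names = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif names is None:
            raise ValueError(f"line {n}: record before any #Fields: directive")
        else:
            yield n, dict(zip(names, line.split()))

def scan_web_logs(lines):
    """Flag requests for the webshell path or carrying any X-siLock-* control header."""
    findings = []
    for n, rec in parse_w3c(lines):
        reasons = []
        # Compare the basename exactly: MOVEit's legitimate human.aspx must not match.
        if rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower() == WEBSHELL_FILE:
            reasons.append(f"request to webshell path {WEBSHELL_FILE}")
        # IIS logs custom request headers as cs(Header-Name); "-" means it was absent.
        hits = [k for k, v in rec.items() if HEADER_RE.search(k) and v != "-"]
        if hits:
            reasons.append("webshell control header(s): " + ", ".join(hits))
        # No status filter: the shell answers 404 when X-siLock-Comment is wrong or missing.
        if reasons:
            findings.append(Finding(n, rec.get("c-ip", "?"), "; ".join(reasons)))
    return findings

# Constructed sample (not a real capture); header columns assume extended IIS logging.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(X-siLock-Comment) cs(X-siLock-Step1)
2023-05-31 02:14:07 203.0.113.10 GET /human2.aspx 404 - -
2023-05-31 02:14:09 203.0.113.10 GET /human2.aspx 200 PASSWORD_PLACEHOLDER -1
2023-05-31 02:15:30 198.51.100.7 GET /human.aspx 200 - -
2023-05-31 02:16:01 192.0.2.44 POST /api/v1/token 200 - -
""".splitlines()
```

The first sample request is flagged on path alone even though it drew a 404, which is exactly the response the webshell returns when the password header is missing.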
Additional Security Best Practices
Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known, trusted IP addresses
Review and remove any unauthorized accounts
Update remote access policies to only allow inbound connections from known and trusted IP addresses