SpiderLabs Blog

Trustwave Action Response: Zero Day Exploitation of MOVEit (CVE-2023-34362) | Trustwave

Written by Karl Sigler | Jun 2, 2023 5:00:00 AM

Update - June 16, 2023: The second vulnerability mentioned in the June 12 update now has an assigned CVE number: CVE-2023-35036. On June 15, a third SQL injection vulnerability was released. This new vulnerability also has been assigned a CVE number: CVE-2023-35708.

These vulnerabilities are SQL injection issues and exploitation could result in modification, deletion and/or disclosure of MOVEit database content. These newly discovered vulnerabilities are distinct from the previously reported vulnerability that MOVEit shared on May 31, 2023.

Update - June 12, 2023: According to MOVEit, there are additional vulnerabilities (CVEs pending MITRE) that a bad actor could potentially use to stage an exploit. These vulnerabilities are SQL injection issues and exploitation could result in modification, deletion and/or disclosure of MOVEit database content. These newly discovered vulnerabilities are distinct from the previously reported vulnerability that MOVEit shared on May 31, 2023.    

It's important to note that unlike the previous zero day, these vulnerabilities were discovered as a part of an internal code audit. Currently, there is no known exploitation of these vulnerabilities. At this time, MOVEit is recommending that all MOVEit Transfer customers apply the new patch, released on June 9, 2023. Please refer to MOVEit’s full advisory here for next steps.

On May 31, threat actors were discovered targeting a critical zero day in MOVEit Transfer software resulting in escalated privileges and unauthorized data access. The vulnerability being exploited is an SQL injection and has since been patched. Resources links, including one for the patch, are at the bottom of this post.

MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch (a subsidiary of Progress Software). Those of you that have been around IT for a stretch might remember Ipswitch's popular FTP software (WS_FTP). It is used by organizations to securely transfer files for business partners and customers.

All MOVEit Transfer versions are affected by this vulnerability. As of June 2nd, Shodan searches for public facing MOVEit instances show over 500 systems that directly have MOVEit in the service headers and over 2,500 systems using the the MOVEit favicon (which suggests the system is using MOVEit even if the service headers provide don't show that. Although it equally suggests any of the other services that Progress Software offers). See Figures 1 and 2.

Trustwave is diligently monitoring the situation for client exposure and associated attacks and will provide updates here as we have them.

 

 

Figure 1: Shodan results based on service headers

Figure 2: Shodan results based on favicon hash

 

Technical Details

After exploitation, the threat actor drops the file "human2.aspx" on the system. This webshell supports several parameters, triggering specific actions depending on the parameter used.

These parameters are:

Parameter

Values

Description

X-siLock-Comment

static password

Without this parameter being set top the proper password, the system will return a HTTP 404 error code

X-siLock-Step1

-2, -1, NULL

Primary parameter used for access

X-siLock-Step2

Folder ID

Specifies a directory

X-siLock-Step3

File ID

Specifies a filename

Assuming the X-siLock-Comment is set with the proper password string, the X-siLock-Step1 will define what actions are taken on the exploited system as follows:

X-siLock-Step1 value

Action

NULL

The file defined by X-siLock-Step2 and X-siLock-Step3 will be downloaded.

If those parameters are not provided, “human2.aspx” will create a new database admin user named “Health Check Service”

-1

This returns critical Azure Blob information including Storage Account, Key, and Container IDs. It will also return a list of all files and folders stored in MOVEit, the file owners and file sizes, as well as all institution names mentioned in the MOVEit instance. This would allow the attacker to target specific files associated with specific users or organizations.

-2

This deletes the new database admin user named “Health Check Service” admin user, presumedly to clean up and cover their tracks after a compromise

 

Mitigations and Remediations

All versions of MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1) are affected. Progress Software has released an official patch which is available here: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

However, prior to applying the patch, Progress recommends admins take the following actions.

  1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer Environment by setting up your firewall to deny that access to your environment. (Note: it's fine to leave SFTP and FTP ports open as exploitation appears to occur only over HTTP/HTTPS)
  2. Review your MOVEit Environment for signs of compromise, including:

Audit and delete any unauthorized files and user accounts.

On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.

On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline

Remove any unauthorized user accounts.

Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded.

Reset service account credentials for affected systems and MOVEit Service Account

Note: A full table of IoCs is available below

  1. After these steps, you can apply the patch.

After the update has been applied, you can re-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment. You'll also want to verify that the compromise has been fully addressed by going back through the actions in Step 2 above.

Additional Detection Options

  • Search for a user named ‘Health Check Service’ within the MOVEit user database
  • Examine active sessions within the MOVEit database for the user ‘Health Check Service’
  • Search you web access logs for requests that contain any request or response headers listed above

Additional Security Best Practices

  • Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known, trusted IP addresses
  • Review and remove any unauthorized accounts
  • Update remote access policies to only allow inbound connections from known and trusted IP addresses
  • Allow inbound access from trusted entities
  • Enable multi-factor authentication

Indicators of Compromise

Indicator 

Type 

C:\Windows\TEMP\[random]\[random].cmdline 

Folder Path 

human2.aspx 

Filename 

human2.aspx.lnk 

Filename 

POST /moveitisapi/moveitisapi.dll 

HTTP Request 

POST /guestaccess.aspx 

HTTP Request 

POST /api/v1/folders/[random]/files 

HTTP Request 

Health Check Service 

User Account 

5.252.189.0/24 

CIDR 

5.252.190.0/24 

CIDR 

5.252.191.0/24 

CIDR 

198.27.75.110 

IPv4 

209.222.103.170 

IPv4 

84.234.96.104 

IPv4 

138.197.152.201 

IPv4 

209.97.137.33 

IPv4 

148.113.152.144 

IPv4 

89.39.105.108 

IPv4 

5.252.23.116 

IPv4 

5.252.25.88 

IPv4 

198.12.76.214 

IPv4 

Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36 

User Agent 

dojustit[.]mooo[.]com 

Domain 

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\[random]\[random\App_Web_[random].dll 

Filename 

0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 

SHA256 Hash 

110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 

SHA256 Hash 

1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 

SHA256 Hash 

2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 

SHA256 Hash 

58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 

SHA256 Hash 

98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 

SHA256 Hash 

a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 

SHA256 Hash 

b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 

SHA256 Hash 

cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 

SHA256 Hash 

ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c 

SHA256 Hash 

0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 

SHA256 Hash 

110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 

SHA256 Hash 

1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 

SHA256 Hash 

2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 

SHA256 Hash 

58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 

SHA256 Hash 

98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 

SHA256 Hash 

a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 

SHA256 Hash 

b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 

SHA256 Hash 

cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 

SHA256 Hash 

ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c 

SHA256 Hash 

Additional Resources

Progress link: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

NIST CVE-2023-34362: https://nvd.nist.gov/vuln/detail/CVE-2023-34362