June 15th, 2023 Update: Progress has released patches for the newly discovered vulnerability tracked as CVE-2023-35708.
June 9th, 2023 Update: Additional vulnerabilities have been discovered that could potentially be used by a bad actor to stage an exploit. All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. Details on steps to take can be found in the following knowledge base article.
All MOVEit Cloud customers, please see the MOVEit Cloud Knowledge Base Article for more information.
—
Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer software. MOVEit is developed by Ipswitch and is a managed file transfer software that encrypts files and uses secure File Transfer Protocols to transfer data with automation, analytics, and failover options.
Technical Details
Tracked as CVE-2023-34362, the vulnerability is a severe SQL injection flaw that enables unauthenticated remote attackers to gain access to the application database and execute arbitrary code. According to the company, depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. Exploitation of unpatched systems can occur via HTTP or HTTPS.
The observed exploitation is a webshell disguised with filenames such as “human2.aspx” and “human2.aspx.lnk” in an attempt to masquerade as a legitimate component of the MOVEit Transfer service named human.aspx. On compromised systems, human2.aspx is located in the wwwroot folder of the MOVEit install folder. The webshell allows an attacker to obtain a list of all folders, files, and users within MOVEit. In addition, it can download any file within MOVEit and insert an administrative backdoor user into MOVEit, which gives attackers an active session that bypasses normal credential checks.
The webshell’s access is protected by a password, so attempts to connect to the webshell without the proper password result in the malicious code returning a 404 Not Found error. Automated exploitation is strongly indicated, since the same webshell name was observed in multiple customer environments. Initial compromise may lead to ransomware deployment, as file transfer solutions have been popular targets for attackers, including ransomware threat actors. Currently, there is no public proof-of-concept (PoC) for CVE-2023-34362.
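The webshell described above leaves a trail in the IIS access logs of the MOVEit Transfer host. The following script is an added example, not code from the advisory or from Progress: it parses IIS W3C extended log text and flags every request to the known webshell filenames, counting 404 responses as hits too, since the shell answers 404 when the password is wrong. The sample log, server address and client addresses are constructed for illustration.

```python
"""Flag requests to the CVE-2023-34362 webshell in IIS W3C logs (added example)."""
from collections import Counter

# Filenames the advisory identifies as the webshell; the legitimate
# component it imitates, human.aspx, must not be flagged.
WEBSHELL_NAMES = {"human2.aspx", "human2.aspx.lnk"}

# Constructed sample log (hypothetical server and client addresses).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 02:11:05 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2023-05-28 02:11:09 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.10 Mozilla/5.0 404
2023-05-28 02:11:12 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2023-05-28 03:00:00 10.0.0.5 GET /human.aspx - 443 alice 198.51.100.7 Mozilla/5.0 200
"""

def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows
                records.append(dict(zip(fields, values)))
    return records

def find_webshell_requests(records):
    """Return requests whose URI basename is a known webshell name.
    The shell answers 404 without its password, so status is kept
    for context but never used to discard a hit."""
    hits = []
    for rec in records:
        name = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if name in WEBSHELL_NAMES:
            hits.append({"time": f"{rec['date']} {rec['time']}",
                         "src": rec["c-ip"], "method": rec["cs-method"],
                         "status": int(rec["sc-status"])})
    return hits

def sources_by_hits(hits):
    """Count webshell requests per client address for triage."""
    return Counter(h["src"] for h in hits)

if __name__ == "__main__":
    for hit in find_webshell_requests(parse_iis_log(SAMPLE_LOG)):
        print(hit)
```

Point it at the real IIS log directory of the MOVEit host (and at archived logs covering the Memorial Day weekend noted later in this advisory) rather than at the constructed sample.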
The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). All versions (e.g., 2020.0 and 2019.x) before the five explicitly mentioned versions are affected, including older unsupported versions.
Attribution
Microsoft has attributed attacks to an affiliate of Clop ransomware under the name of “Lace Tempest” (aka TA505 and FIN11). In recent reports, the Clop Ransomware Gang confirmed that they are behind the MOVEit Transfer data-theft attacks. A Clop representative additionally confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday. This is a common tactic for the Clop ransomware operation, which has performed large-scale exploitation attacks during holidays when staff is at a minimum. Clop did not share how many organizations were breached in the MOVEit Transfer attacks, but stated that victims would be displayed on their data leak site if a ransom was not paid. For organizations affected by the MOVEit Transfer data theft, Clop is now taking a different approach: it is telling impacted organizations to contact them if they wish to negotiate a ransom.
SecurIT360 SOC Managed Services
If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:
MDR Services
- We utilize several threat feeds that are updated daily.
- In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.
EDR Services
- In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.
Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.
Indicators are provided in the Indicators of Compromise section below for your reference.
As always, if we detect activity related to these exploits, we will alert you when applicable.
Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.
Affected Versions
The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
Non-susceptible Products in MOVEit Transfer
MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. Currently, no action is necessary for the above-mentioned products.
Recommendations & Mitigation
Progress has released immediate mitigation measures to help prevent the exploitation of this vulnerability.
- Update MOVEit Transfer to one of these patched versions:
- MOVEit Transfer 2023.0.1
- MOVEit Transfer 2022.1.5
- MOVEit Transfer 2022.0.4
- MOVEit Transfer 2021.1.4
- MOVEit Transfer 2021.0.6
- If updating with the above patch is not feasible for your organization, Progress's suggested mitigation is to disable HTTP(S) traffic to MOVEit Transfer by adding firewall deny rules for ports 80 and 443. Note: this will essentially take your MOVEit Transfer application out of service.
- If the human2.aspx file or any suspicious .cmdline script is found, it should be deleted. Any newly created or unknown file in the MOVEit folder should be closely analyzed; in addition, .cmdline files in any temporary folder of Windows should be examined.
- Any unauthorized user account should be removed.
- View the full recommendations here:
MOVEit Best Practices Guide
MITRE Summary
Initial Access

| Technique Title | ID | Use |
|---|---|---|
| Exploit Public-Facing Application | T1190 | CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; the intrusion begins with a SQL injection to infiltrate the MOVEit Transfer web application. |
| Phishing | T1566 | CL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access. |

Execution

| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter: PowerShell | T1059.001 | CL0P actors use SDBot as a backdoor to enable other commands and functions to be executed on the compromised computer. |
| Command and Scripting Interpreter | T1059.003 | CL0P actors use TinyMet, a small open-source Meterpreter stager, to establish a reverse shell to their C2 server. |
| Shared Modules | T1129 | CL0P actors use Truebot to download additional modules. |

Persistence

| Technique Title | ID | Use |
|---|---|---|
| Server Software Component: Web Shell | T1505.003 | DEWMODE is a web shell designed to interact with a MySQL database and is used to exfiltrate data from the compromised network. |
| Event Triggered Execution: Application Shimming | T1546.011 | CL0P actors use SDBot malware for application shimming for persistence and to avoid detection. |

Privilege Escalation

| Technique Title | ID | Use |
|---|---|---|
| Exploitation for Privilege Escalation | T1068 | CL0P actors were gaining access to MOVEit Transfer databases prior to escalating privileges within the compromised network. |

Defense Evasion

| Technique Title | ID | Use |
|---|---|---|
| Process Injection | T1055 | CL0P actors use Truebot to load shellcode. |
| Indicator Removal | T1070 | CL0P actors delete traces of Truebot malware after it is used. |
| Hijack Execution Flow: DLL Side-Loading | T1574.002 | CL0P actors use Truebot to side-load DLLs. |

Discovery

| Technique Title | ID | Use |
|---|---|---|
| Remote System Discovery | T1018 | CL0P actors use Cobalt Strike to expand network access after gaining access to the Active Directory (AD) servers. |

Lateral Movement

| Technique Title | ID | Use |
|---|---|---|
| Remote Services: SMB/Windows Admin Shares | T1021.002 | CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities with follow-on Cobalt Strike activity. |
| Remote Service Session Hijacking: RDP Hijacking | T1563.002 | CL0P ransomware actors have been observed using Remote Desktop Protocol (RDP) to interact with compromised systems after initial access. |

Collection

| Technique Title | ID | Use |
|---|---|---|
| Screen Capture | T1113 | CL0P actors use Truebot to take screenshots in an effort to collect sensitive data. |

Command and Control

| Technique Title | ID | Use |
|---|---|---|
| Application Layer Protocol | T1071 | CL0P actors use the FlawedAmmyy remote access trojan (RAT) to communicate with the Command and Control (C2) server. |
| Ingress Tool Transfer | T1105 | CL0P actors are assessed to use the FlawedAmmyy remote access trojan (RAT) to download additional malware components. CL0P actors use SDBot to drop copies of itself on removable drives and network shares. |

Exfiltration

| Technique Title | ID | Use |
|---|---|---|
| Exfiltration Over C2 Channel | T1041 | CL0P actors exfiltrate data over C2 channels. |
Indicators of Compromise
Resources & Related Articles