MOVEit

CVE-2023-34362: MOVEit Transfer Zero-Day Vulnerability Actively Being Exploited

June 15th, 2023 Update: Progress has released patches for the newly discovered vulnerability tracked as CVE-2023-35708.

June 9th, 2023 Update: Additional vulnerabilities have been discovered that could potentially be used by a bad actor to stage an exploit. All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. Details on steps to take can be found in the following knowledge base article.

All MOVEit Cloud customers, please see the MOVEit Cloud Knowledge Base Article for more information.

Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer software. MOVEit is developed by Ipswitch and is a managed file transfer software that encrypts files and uses secure File Transfer Protocols to transfer data with automation, analytics, and failover options. 

Technical Details 

Tracked as CVE-2023-34362, the vulnerability is a severe SQL injection flaw that enables unauthenticated remote attackers to gain access to the application database and execute arbitrary code. According to the company, depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. Exploitation of unpatched systems can occur via HTTP or HTTPS.  

The observed exploitation is a webshell disguised with filenames such as “human2.aspx” and “human2.aspx.lnk” in an attempt to masquerade as a legitimate component of the MOVEit Transfer service named human.aspx. On compromised systems, human2.aspx is located in the wwwroot folder of the MOVEit install folder. The webshell allows an attacker to obtain a list of all folders, files, and users within MOVEit. In addition to this, it can download any file within MOVEit and insert an administrative backdoor user into MOVEit, which would give attackers an active session to allow credential bypass.

The webshell’s access is protected by a password, so attempts to connect to the webshell without the proper password result in the malicious code showing a 404 Not Found error. Automated exploitation is heavily indicated since the same webshell name was observed in multiple customer environments. Initial compromise may lead to ransomware exploitation, as file transfer solutions have been popular targets for attackers, including ransomware threat actors. Currently, there is no proof-of-concept (PoC) for CVE-2023-34362.

The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Attribution 

Microsoft has attributed attacks to an affiliate of Clop ransomware under the name of “Lace Tempest” (aka TA505 and FIN11). In recent reports, the Clop Ransomware Gang confirmed that they are behind the MOVEit Transfer data-theft attacks. A Clop representative additionally confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday. This is a common tactic for the Clop ransomware operation, which has performed large-scale exploitation attacks during holidays when staff is at a minimum. Clop did not share how many organizations were breached in the MOVEit Transfer attacks, but stated that victims would be displayed on their data leak site if a ransom was not paid. Clop is now taking a different approach, telling organizations affected by the MOVEit Transfer data leaks to contact them if they wish to negotiate a ransom.

SecurIT360 SOC Managed Services    

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:   

MDR Services   

  • We utilize several threat feeds that are updated frequently every day.
  • In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.  

EDR Services   

  • In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.   

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything. 

Indicators are provided in the Indicators of Compromise section below for your reference.  

As always, if we detect activity related to these exploits, we will alert you when applicable.   

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.    

Affected Versions 

The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). 
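The version rule above, including the Technical Details note that older unsupported branches are affected, can be applied to an inventory of version strings as follows. This is an added example, not Progress or SecurIT360 code; the year-to-internal offset is an assumption inferred from the pairs listed on this page, and the check covers only the CVE-2023-34362 fixed versions, not the later patches mentioned in the June updates.

```python
# Fixed releases for CVE-2023-34362, copied from the list above:
# internal (major, minor) branch -> first fixed patch level on that branch.
FIXED = {(13, 0): 6, (13, 1): 4, (14, 0): 4, (14, 1): 5, (15, 0): 1}

# Assumption: the year-style major maps to the internal major by a fixed
# offset, inferred from the pairs on this page (2021->13, 2022->14, 2023->15).
YEAR_OFFSET = 2008


def parse_version(text):
    """Parse '2022.0.3', '14.0.3' or '14.0.3.25' into internal (major, minor, patch)."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    if major >= 2000:  # year-style numbering
        major -= YEAR_OFFSET
    return major, minor, patch


def is_affected(text):
    """True if the version predates the CVE-2023-34362 fix for its branch."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        return patch < FIXED[branch]
    # Branch not listed: anything older than the newest listed branch
    # (including unsupported 2020.x / 2019.x) is treated as affected.
    return branch < max(FIXED)


def report(versions):
    """Map each version string to 'AFFECTED' or 'patched' for an inventory sweep."""
    return {v: ("AFFECTED" if is_affected(v) else "patched") for v in versions}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for version, state in report(["2022.0.3", "14.1.5", "2020.0.2", "15.0.1"]).items():
        print(f"{version:10} {state}")
```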

Non-susceptible Products in MOVEit Transfer 

MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. Currently, no action is necessary for the above-mentioned products. 

Recommendations & Mitigation 

Progress has released immediate mitigation measures to help prevent the exploitation of this vulnerability. 

  • Update MOVEit Transfer to one of these patched versions:
    • MOVEit Transfer 2023.0.1
    • MOVEit Transfer 2022.1.5
    • MOVEit Transfer 2022.0.4
    • MOVEit Transfer 2021.1.4
    • MOVEit Transfer 2021.0.6
  • If updating with the above patch is not feasible for your organization, their suggested mitigation is to disable HTTP(s) traffic to MOVEit Transfer by adding firewall deny rules to ports 80 and 443. Note: this will essentially take your MOVEit Transfer application out of service.
  • If the human2.aspx file or any suspicious .cmdline script is found, it should be deleted. Any newly created or unknown file in the MOVEit folder should be closely analyzed; in addition, .cmdline files in any temporary folder of Windows should be examined.
  • Any unauthorized user account should be removed.
  • View the full recommendations here:

MOVEit Best Practices Guide 
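A read-only triage pass for the file checks in the list above, as an added example that is not part of the vendor guidance. The wwwroot and temporary-folder paths are supplied by the operator, and the default cutoff date is an assumption taken from the May 27th exploitation start quoted in the Attribution section.

```python
import sys
from datetime import datetime, timezone
from pathlib import Path

# File names reported in this advisory (compared case-insensitively).
WEBSHELL_NAMES = {"human2.aspx", "human2.aspx.lnk"}
# Assumption: the May 27th, 2023 start of exploitation quoted above is used
# as the default cutoff for "newly created" files.
CUTOFF = datetime(2023, 5, 27, tzinfo=timezone.utc).timestamp()


def triage(wwwroot, temp_dirs=(), cutoff=CUTOFF):
    """Return sorted (reason, path) findings. Read-only: nothing is deleted."""
    findings = []
    for path in Path(wwwroot).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in WEBSHELL_NAMES:
            findings.append(("webshell-name", str(path)))
        elif path.stat().st_mtime >= cutoff:
            # Modification time only; creation time needs a separate check.
            findings.append(("modified-since-cutoff", str(path)))
    for temp in temp_dirs:
        for path in Path(temp).rglob("*"):
            if path.is_file() and path.suffix.lower() == ".cmdline":
                findings.append(("cmdline-in-temp", str(path)))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: triage.py <wwwroot> [temp_dir ...]")
    for reason, path in triage(sys.argv[1], sys.argv[2:]):
        print(f"{reason:22} {path}")
```

Findings are leads for analysis: preserve a copy of each flagged file for the investigation before deleting it.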

MITRE Summary

Initial Access

Technique Title | ID | Use
Exploit Public-Facing Application | T1190 | CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; begins with a SQL injection to infiltrate the MOVEit Transfer web application.
Phishing | T1566 | CL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access.

Execution

Technique Title | ID | Use
Command and Scripting Interpreter: PowerShell | T1059.001 | CL0P actors use SDBot as a backdoor to enable other commands and functions to be executed in the compromised computer.
Command and Scripting Interpreter | T1059.003 | CL0P actors use TinyMet, a small open-source Meterpreter stager, to establish a reverse shell to their C2 server.
Shared Modules | T1129 | CL0P actors use Truebot to download additional modules.

Persistence

Technique Title | ID | Use
Server Software Component: Web Shell | T1505.003 | DEWMODE is a web shell designed to interact with a MySQL database, and is used to exfiltrate data from the compromised network.
Event Triggered Execution: Application Shimming | T1546.011 | CL0P actors use SDBot malware for application shimming for persistence and to avoid detection.

Privilege Escalation

Technique Title | ID | Use
Exploitation for Privilege Escalation | T1068 | CL0P actors were gaining access to MOVEit Transfer databases prior to escalating privileges within the compromised network.

Defense Evasion

Technique Title | ID | Use
Process Injection | T1055 | CL0P actors use Truebot to load shell code.
Indicator Removal | T1070 | CL0P actors delete traces of Truebot malware after it is used.
Hijack Execution Flow: DLL Side-Loading | T1574.002 | CL0P actors use Truebot to side load DLLs.

Discovery

Technique Title | ID | Use
Remote System Discovery | T1018 | CL0P actors use Cobalt Strike to expand network access after gaining access to the Active Directory (AD) servers.

Lateral Movement

Technique Title | ID | Use
Remote Services: SMB/Windows Admin Shares | T1021.002 | CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities with follow-on Cobalt Strike activity.
Remote Service Session Hijacking: RDP Hijacking | T1563.002 | CL0P ransomware actors have been observed using Remote Desktop Protocol (RDP) to interact with compromised systems after initial access.

Collection

Technique Title | ID | Use
Screen Capture | T1113 | CL0P actors use Truebot to take screenshots in an effort to collect sensitive data.

Command and Control

Technique Title | ID | Use
Application Layer Protocol | T1071 | CL0P actors use FlawedAmmyy remote access trojan (RAT) to communicate with the Command and Control (C2).
Ingress Tool Transfer | T1105 | CL0P actors are assessed to use FlawedAmmyy remote access trojan (RAT) for the download of additional malware components. CL0P actors use SDBot to drop copies of itself in removable drives and network shares.

Exfiltration

Technique Title | ID | Use
Exfiltration Over C2 Channel | T1041 | CL0P actors exfiltrate data over C2 channels.

Indicators of Compromise
