Cyberis 19 June, 2023

MOVEit Transfer Critical Vulnerability CVE-2023-34362

Background

MOVEit Transfer is a widely used managed file transfer application. On 31 May 2023, Progress Software disclosed a critical vulnerability in it that had already led to widespread exfiltration of sensitive data stored on the platform. The incident gained significant attention when Zellis, a major UK-based payroll provider serving numerous high-profile companies, publicly acknowledged that customer and staff personally identifiable information had been compromised.

Two days after the announcement, the vulnerability was assigned CVE-2023-34362. Threat actors are suspected to have been exploiting it for at least four days before the disclosure. While the exact number of affected victims remains undisclosed, the attack has been characterised as mass exploitation with broad data theft.

Attack Details

Initially identified as an isolated SQL injection (SQLi) vulnerability, further investigation revealed that the injection only served as a foothold for achieving full remote code execution on the server running MOVEit Transfer. The attack chain begins with a SQLi request to moveitisapi.dll carrying specific headers, followed by a request to guestaccess.aspx to prepare a session. Once a valid session is obtained, code execution is achieved by uploading a web shell, tracked as LEMURLOOT and written in C#, which is dropped as "human2.aspx" so that it closely resembles the legitimate "human.aspx" component of MOVEit Transfer. Use of the LEMURLOOT web shell is not mandatory for exploitation; it does, however, give the threat actors a method of persistence.

The web shell first inspects each incoming HTTP request for an "X-siLock-Comment" header carrying a password-like value used for authentication. If the header is absent or the value is wrong, the web shell returns a 404 error, so to anyone probing it the page appears not to exist. Once a request has authenticated with the correct value, LEMURLOOT executes commands selected by the values of the 'X-siLock-Step1', 'X-siLock-Step2' and 'X-siLock-Step3' request headers. These commands allow the threat actors to create a new user named "Health Check Service" and to extract data from the server, such as the Azure Blob Storage settings.

Detection and Indicators of Attack

Analysis from security companies responding to the incident has indicated that the "human2.aspx" web shell is located in the wwwroot folder within the MOVEit Transfer install directory:

c:\MOVEit Transfer\wwwroot\human2.aspx

It is recommended to capture and review the log files created by the MOVEit service on Windows, which are located at:

C:\Windows\System32\winevt\Logs\MOVEit.evtx

Although the service does not enable this logging by default, MOVEit customers commonly enable it after installation. It is vital that these logs are captured and reviewed before the server is restored from backup or wiped, as that evidence is otherwise lost.

The following IP addresses have been published as associated with the attack (shown defanged):

  • 89.39.105[.]108 
  • 5.252.190[.]0/24
  • 5.252.189-195[.]x
  • 148.113.152[.]144 
  • 138.197.152[.]201
  • 209.97.137[.]33

Known HTTP requests made to MOVEit Transfer servers and associated with the attack are:

  • POST /moveitisapi/moveitisapi.dll 
  • POST /guestaccess.aspx
  • POST /api/v1/folders/[random]/files
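The indicators above are usually hunted in the IIS access logs of the MOVEit Transfer site rather than in MOVEit.evtx. The following script is an added example written for this article; it is not code from the Cyberis post, from Progress, or from any incident responder. It parses IIS logs in the default W3C layout and reports three things: any request to human2.aspx (a 404 response does not clear it, because, as described above, LEMURLOOT itself answers 404 when the X-siLock-Comment header is missing), any request from the published source addresses, and the complete moveitisapi.dll, guestaccess.aspx, folders/files sequence from a single client. The log lines are constructed for the example, and the notation "5.252.189-195[.]x" is read as the seven /24 networks 5.252.189.0/24 through 5.252.195.0/24, which is an assumption about that shorthand. Note that IIS does not record custom request headers by default, so the X-siLock-* headers themselves will not appear in these logs.

```python
"""Scan IIS W3C access logs for the MOVEit Transfer indicators listed above.

Added example, not code from the Cyberis post or from Progress. The log lines
are constructed; the IOC values are the ones published in the post."""
import ipaddress
import re
from typing import Iterator, Optional

# Source ranges from the post (defanged there). "5.252.189-195[.]x" is read as
# the seven /24s 5.252.189.0/24 .. 5.252.195.0/24; that reading is an assumption.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in (
    "89.39.105.108/32",
    "5.252.190.0/24",
    *(f"5.252.{third}.0/24" for third in range(189, 196)),
    "148.113.152.144/32",
    "138.197.152.201/32",
    "209.97.137.33/32",
)]

# The three requests from the post, in the order the attack chain issues them.
# The folder ID segment is random, so it is matched with a wildcard.
IOC_SEQUENCE = [
    ("POST", re.compile(r"^/moveitisapi/moveitisapi\.dll$", re.I)),
    ("POST", re.compile(r"^/guestaccess\.aspx$", re.I)),
    ("POST", re.compile(r"^/api/v1/folders/[^/]+/files$", re.I)),
]
WEBSHELL_NAME = "human2.aspx"

# Constructed sample in the default IIS W3C layout. 5.252.191.44 sits inside a
# published range; 198.51.100.7 and 203.0.113.10 are documentation addresses.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 03:14:07 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2023-05-28 03:14:09 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 5.252.191.44 - 200
2023-05-28 03:14:10 10.0.0.5 POST /guestaccess.aspx - 443 - 5.252.191.44 - 200
2023-05-28 03:14:12 10.0.0.5 POST /api/v1/folders/123456789/files - 443 - 5.252.191.44 - 200
2023-05-28 03:14:15 10.0.0.5 POST /human2.aspx - 443 - 5.252.191.44 - 200
2023-05-28 03:15:00 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.7 curl/7.88 404
2023-05-28 03:16:00 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]   # a new directive can appear mid-file on rotation
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if fields is None or len(values) != len(fields):
            continue                   # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def is_ioc_ip(ip: str) -> bool:
    """True if the client address falls inside any published IOC range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                   # "-" or garbage in c-ip
    return any(addr in net for net in IOC_NETWORKS)


def ioc_step(method: str, stem: str) -> Optional[int]:
    """Index of the attack-chain step this request matches, or None."""
    for i, (m, rx) in enumerate(IOC_SEQUENCE):
        if method.upper() == m and rx.match(stem):
            return i
    return None


def scan(text: str) -> list:
    """Return (client_ip, code, detail) findings for the log text."""
    findings = []
    progress = {}                      # client ip -> next expected step index
    for rec in parse_w3c(text):
        ip, method = rec["c-ip"], rec["cs-method"]
        stem, status = rec["cs-uri-stem"], rec["sc-status"]

        # Any hit on human2.aspx is suspect. A 404 does not clear it: LEMURLOOT
        # itself answers 404 when the X-siLock-Comment header is missing or wrong.
        if stem.lower().endswith("/" + WEBSHELL_NAME):
            findings.append((ip, "webshell_access", f"{method} {stem} -> {status}"))

        if is_ioc_ip(ip):
            findings.append((ip, "ioc_source_ip", f"{method} {stem}"))

        # Each of the three requests is also normal MOVEit traffic, so only the
        # complete ordered sequence from one client is reported.
        step = ioc_step(method, stem)
        if step is None:
            continue
        expected = progress.get(ip, 0)
        if step == expected:
            progress[ip] = step + 1
            if progress[ip] == len(IOC_SEQUENCE):
                findings.append((ip, "exploit_sequence",
                                 "moveitisapi.dll -> guestaccess.aspx -> folders/files"))
                progress[ip] = 0
        else:
            progress[ip] = 1 if step == 0 else 0   # restart on a fresh first step
    return findings


if __name__ == "__main__":
    for ip, code, detail in scan(SAMPLE_LOG):
        print(f"{ip:16} {code:16} {detail}")
```

Run against real logs by replacing SAMPLE_LOG with the contents of the site's u_ex*.log files. The single POST to guestaccess.aspx from 198.51.100.7 in the sample is deliberately not reported: on its own it is ordinary MOVEit traffic, and only the full three-request sequence from one client is treated as an exploitation attempt. The sequence check uses request order rather than timestamps, so if the server's logs are sharded across files, concatenate them in order first.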

Mitigation (MOVEit Transfer Only)

MOVEit developer Progress Software has released critical patches to prevent compromise of the platform. The full advice and patch notes can be found on Progress' website (https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023). If you host MOVEit Transfer yourself, it is highly recommended these are applied without delay. Because exploitation began before the disclosure, patching alone does not remove a web shell that has already been dropped, so the indicators above should also be checked before the server is considered clean. If you subscribe to MOVEit Cloud, no action is necessary.

