MOVEit Transfer Critical Vulnerability Discovered – Patch Now
A critical vulnerability has been found in Progress MOVEit Transfer, posing a significant risk of unauthorized access and elevated privileges through SQL injection. This vulnerability caught the attention of the Cybersecurity and Infrastructure Security Agency (CISA), prompting them to issue an advisory on June 1, 2023. Furthermore, CISA updated its Known Exploited Vulnerabilities catalog on June 2, including the newly identified vulnerability with the identifier CVE-2023-34362.
The impact of this vulnerability has been felt across various sectors, including government, finance, media, aviation, and healthcare. The severity of the situation is highlighted by reports of data theft and exfiltration from prominent organizations within these industries.
To date, a total of three vulnerabilities have been publicly disclosed, highlighting the urgent need for action:
• CVE-2023-35708 (June 15, 2023)
• CVE-2023-35036 (June 9, 2023)
• CVE-2023-34362 (May 31, 2023)
This article explains these vulnerabilities and offers practical steps to safeguard your file-transfer environment. Understanding how the flaw works and applying the vendor's remediation promptly are the two things that most reduce your exposure.
MOVEit Transfer is an advanced managed file transfer (MFT) software designed to facilitate the secure exchange of files between organizations and their clients. With its robust features and support for secure protocols such as SCP, HTTP, and SFTP, MOVEit Transfer ensures that your file transfers are conducted in a safe and protected environment.
How Does This SQL Injection Vulnerability Work?
The MOVEit Transfer web application has been found to be vulnerable to SQL injection. This class of vulnerability occurs when an attacker manipulates the SQL queries an application sends to its database in order to read or modify data the application never intended to expose. In the case of MOVEit Transfer, the flaw allows an unauthenticated attacker to access sensitive data stored in the MOVEit database and even make unauthorized changes to it.
The impact of this vulnerability is significant: it affects versions of MOVEit Transfer prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), and it applies to deployments using MySQL, Microsoft SQL Server, or Azure SQL as the database engine. Exploitation has reportedly resulted in the deployment of a web shell, which acts as a backdoor for the attackers, followed by data exfiltration.
Successful exploitation grants the attacker escalated privileges and potentially access to the targeted host. Depending on the privileges of the account involved, an attacker could install programs, manipulate or delete data, or create new accounts with full user rights. Users with limited privileges on the system may be less impacted than those with administrative rights.
To mitigate the risks associated with this vulnerability, it is crucial to promptly apply the necessary patches and updates provided by MOVEit Transfer. By doing so, you can enhance the security of your system and protect against potential unauthorized access and data breaches.
What Is the Vendor's Recommended Remediation?
The vendor has published different actions depending on your patch state. The summary is given below:
To address the vulnerability disclosed on June 15 (CVE-2023-35708), all MOVEit Transfer customers need to apply the corresponding patch. The exact steps depend on whether you have already applied the remediation and patching steps that Progress published for MOVEit Transfer in May 2023.
Have NOT applied May 2023 patch
If you haven't applied the May 2023 patch, follow the remediation steps and patching instructions. This includes the latest patches, which address the June 9th vulnerability (CVE-2023-35036) and the original vulnerability from May 31 (CVE-2023-34362). Once you have completed these steps, you can proceed to the Immediate Mitigation Steps.
Applied the May 2023 (CVE-2023-34362) patch and done with remediation steps
If you have already applied the May 2023 (CVE-2023-34362) patch and followed the remediation steps, proceed directly to the Immediate Mitigation Steps and apply the June 15th patch (CVE-2023-35708, listed as "CVE Pending" when the vendor first announced it). This brings you up to date with all the vulnerabilities announced on May 31 (CVE-2023-34362), June 9 (CVE-2023-35036), and June 15 (CVE-2023-35708).
Have applied May 2023 (CVE-2023-34362) patch, done with remediation steps, and applied the June 9 (CVE-2023-35036) patch
Proceed to the Immediate Mitigation Steps and apply the June 15th patch (CVE-2023-35708) as instructed. This will ensure that you are protected against all the mentioned vulnerabilities.
What Are the Immediate Mitigation Steps?
The Immediate Mitigation Steps are as follows:
1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment by modifying firewall rules to block ports 80 and 443.
2. As an alternative while web access is blocked, administrators can connect to the Windows machine over a remote desktop session and reach the application at https://localhost/.
3. Apply the patch: links to the patches for supported MOVEit Transfer versions will be provided as they become available. The list of supported versions and the license file requirements can be found at https://community.progress.com/s/products/moveit/product-lifecycle.
4. Once the patch is applied, re-enable HTTP and HTTPS traffic to your MOVEit Transfer environment.
How Widespread is the Attack?
The attack has affected multiple organizations, although the exact number remains uncertain. Available information indicates that several well-known institutions have fallen victim to this vulnerability.
The web shell backdoor, which is believed to be the result of successful exploitation of the MOVEit Transfer vulnerabilities, has been identified through a public file scanning service. Submissions to that service show the backdoor present in countries including the United States, the United Kingdom, Germany, Italy, and several Asian countries, so potential victims are probably concentrated in these regions.
Conclusion
Reports indicate that ransomware threat actors have capitalized on this vulnerability to compromise numerous organizations, leading to data exfiltration and other malicious activity. With the vulnerability now in the public domain, additional threat actors are expected to exploit it, which is likely to increase the frequency of new exploitation attempts. Organizations need to patch promptly and remain alert for the indicators listed below.
Indicators of Compromise (IoC)
Folder Path:
C:\Windows\TEMP\[random]\[random].cmdline
Filename:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\[random]\[random]\App_Web_[random].dll
human2.aspx
human2.aspx.lnk
huamn2.aspx.[random].compiled
HTTP Request:
POST /moveitisapi/moveitisapi.dll
POST /guestaccess.aspx
POST /api/v1/folders/[random]/files
GET /human2.aspx
User Account:
Health Check Service
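As an added defender-side example, not code from the original article or from Progress, the following Python sweep turns the filename, HTTP request and user-account indicators above into checks over IIS W3C log lines, a file listing and a user list. The log lines, file paths and IIS field layout are constructed for illustration; the field order is taken from the log's own "#Fields:" directive, so the scanner also works on logs with a different layout.

```python
import re
# Request-path indicators from the advisory; "[random]" in the folder ID becomes [^/]+.
IOC_REQUESTS = [
    ("POST", re.compile(r"^/moveitisapi/moveitisapi\.dll$", re.I)),
    ("POST", re.compile(r"^/guestaccess\.aspx$", re.I)),
    ("POST", re.compile(r"^/api/v1/folders/[^/]+/files$", re.I)),
    ("GET", re.compile(r"^/human2\.aspx$", re.I)),
]
# Web-shell artifacts: human2.aspx, its .lnk, and the compiled copy human2.aspx.[random].compiled.
IOC_FILENAMES = re.compile(r"human2\.aspx(\.lnk|\.[^\\/]+\.compiled)?$", re.I)
IOC_USER_ACCOUNT = "health check service"

def scan_iis_log(lines):
    # Returns (line_no, client_ip, "METHOD /path") per IoC hit; field positions come from "#Fields:".
    idx, hits = {}, []
    for n, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            idx = {name: i for i, name in enumerate(line.split()[1:])}
            continue
        if line.startswith("#") or not line.strip() or not idx:
            continue
        f = line.split()
        try:
            method, uri, cip = f[idx["cs-method"]].upper(), f[idx["cs-uri-stem"]], f[idx["c-ip"]]
        except (KeyError, IndexError):
            continue  # malformed or truncated line: skip it rather than abort the sweep
        for want_method, pat in IOC_REQUESTS:
            if method == want_method and pat.match(uri):
                hits.append((n, cip, f"{method} {uri}"))
    return hits

def scan_filenames(paths):
    # Paths ending in one of the web-shell artifact names (case-insensitive).
    return [p for p in paths if IOC_FILENAMES.search(p)]

def scan_accounts(usernames):
    # User names matching the account the intrusions created (case-insensitive, whitespace-tolerant).
    return [u for u in usernames if u.strip().lower() == IOC_USER_ACCOUNT]

# Constructed sample log, not real traffic. Line 2 is the legitimate login page human.aspx and
# line 7 has an IoC path with the wrong method, so neither is flagged; lines 3-6 are.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-06-01 10:00:01 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 Mozilla/5.0+(X11) 200
2023-06-01 10:00:02 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 203.0.113.10 Mozilla/5.0+(X11) 200
2023-06-01 10:00:03 10.0.0.5 POST /guestaccess.aspx - 443 - 203.0.113.10 Mozilla/5.0+(X11) 200
2023-06-01 10:00:04 10.0.0.5 POST /api/v1/folders/12345/files - 443 - 203.0.113.10 Mozilla/5.0+(X11) 200
2023-06-01 10:00:05 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.10 Mozilla/5.0+(X11) 200
2023-06-01 10:00:06 10.0.0.5 GET /api/v1/folders/12345/files - 443 - 198.51.100.7 Mozilla/5.0+(X11) 200
""".splitlines()
```

A request for /human2.aspx is the strongest signal, since that file is not part of a clean installation; /moveitisapi/moveitisapi.dll and /guestaccess.aspx are also used by normal MOVEit operation, so treat those hits as triage leads to correlate by client IP and timing with the other indicators rather than as confirmation on their own.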
IPv4:
CIDR:
188.241.58.0/24
5.252.189.0/24
5.252.190.0/24
5.252.191.0/24
User Agent:
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.102+Safari/537.36
Domain:
dojustit[.]mooo[.]com
SHA256 Hash: