Coverage Advisory for CVE-2023-34362 MOVEit Vulnerability – Source: securityboulevard.com

Background:

MOVEit is a managed file transfer software produced by Progress(formerly Ipswitch). The MOVEit encrypts files and uses secure File Transfer Protocols to transfer data with automation, analytics and failover options. The software has been heavily used in the healthcare industry as well as thousands of IT departments in financial services and government sectors.

On 31-May-2023, Progress Software disclosed a critical vulnerability CVE-2023-34362 in the MOVEit application. This vulnerability, upon successful exploitation, could allow an unauthenticated attacker to gain access to the MOVEit Transfer’s database and allow them to infer information about the internals of the database and alter or delete their elements.

What is the issue?

MOVEit is typically used for file transfer operations by organizations and has a web application that supports different types of databases like MySQL, Microsoft SQL Server, and Azure SQL. The MOVEit vulnerability allows adversaries to implant a remote web shell on the victim’s machine.

As shown in the diagram above, an adversary performs the following steps to implant a malicious webshell.

App check – GET / – on port 443


Health check – POST /guestaccess.aspx – on port 443


Check token – POST /api/v1/token – on port 443


Check folder – GET /api/v1/folders – on port 443


Upload file – POST /api/v1/folders/[PATH]/files uploadType=resumable – on port 443


Post data – POST /machine2.aspx on port 80


Perform SQL injection – POST /moveitisapi/moveitisapi.dll – on port 443


Prepare session – POST /guestaccess.aspx – on port 443


Upload file – PUT /api/v1/folders/[PATH]/files uploadType=resumable&fileId=[FILEID] – on port 443


Post data – /machine2.aspx – on port 80


Access WebShell – GET /human2.aspx – on port 443

The name of the malicious file, human2.aspx, is intentionally used for webshell to masquerade the original, non malicious file, human.aspx, which typically comes with the installations of MOVEit applications. This ASPX file stages an SQL database account to be used for further access. Once the malicious webshell is installed, it creates a random 36 characters long password which later is used for the authentication purpose. The adversary communicates with the webshell over HTTP protocol with specially crafted HTTP request with a custom header in it, named “X-siLock-Comment”. The value of the custom header contains the password generated during the installation of the malicious webshell. The webshell would return a 404 not found response if the incoming HTTP request doesn’t contain the custom header. Once an adversary successfully authenticates, depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an adversary may be able to build the understanding about the structure and contents of the database, and also execute SQL statements that can alter or delete database elements.

The moveitisapi.dll is used to perform SQL injection when requested with specific headers, and guestaccess.aspx is used to prepare a session and extract CSRF tokens and other field values to perform further actions. It connects to the database and offers data exfil functionality based on a provided X-siLock-Step1 header.

As of 7 June 2023, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet. In recent years, File transfer solutions have been a popular target for ransomware groups. As per an advisory published by the Cybersecurity And Infrastructure Security Agency, CISA, threat actors groups like the CL0P Ransomware Gang reportedly started exploiting the same vulnerability and leveraged it to implant a remote web shell on the victim’s machine. The Internet facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from the victim’s machine and underlying MOVEit Transfer databases.

Are Zscaler products affected?

Zscaler does not utilize Progress Software’s MOVEit product. The Zscaler platform is not susceptible to this vulnerability. The trust post is published here.

Affected products:

The details regarding the affected versions of MOVEit Transfer are present here. As per Progress Software, this vulnerability affects all versions of MOVEit Transfer. However, it doesn’t affect MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics and MOVEit Freely.

Mitigations:

The Progress Software also released a security advisory mentioning the details related to the patch with the fix and recommended remediations and mitigation steps.

If one is using MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), then it is strongly recommended to upgrade them to the versions in which this vulnerability is patched, as per the details given here.

Investigation Tips:

The IIS access logs can be checked for indicators of compromise on the host in question.

At the endpoint, presence of files named human2.aspx or _human2.aspx in MOVEitTransferwwwroot folder.

Based on known cases of exploitation so far, compromise would involve incoming requests to the following endpoints (in this order)

guestaccess.aspx, followed by

moveitisapi.dll, followed by

human2.aspx or _human2.aspx

In case header values are logged, requests/responses with the following HTTP header names are confirmed indicators of compromise :

X-siLock-Comment

X-siLock-Step1

X-siLock-Step2

X-siLock-Step3

Locate MOVEit root directory from

HKEY_LOCAL_MACHINESOFTWAREStandard NetworkssiLock->WebBaseDir

Locate MOVEit log file location

HKEY_LOCAL_MACHINESOFTWAREStandard NetworkssiLock->LogsBaseDir

Best Practices/Guidelines To follow:

Limit the impact from a potential compromise by restricting lateral movement with identity-based micro-segmentation (Zscaler Workload Segmentation) and a Zero Trust architecture.


Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access, especially with application security modules turned on.


Route all server traffic through Zscaler Private Access with additional application security module enabled and Zscaler Internet Access, which will provide the right visibility to identify and stop malicious activity from compromised systems/servers.


Restrict traffic to the critical infrastructure from the allowed list of known-good destinations.


Ensure you are inspecting all SSL traffic.


Turn on Advanced Threat Protection to block all known command-and-control domains. This will provide additional protection in case the adversary exploits this vulnerability to implant malware.


Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations. Again, this will provide additional protection in case if the adversary exploits this vulnerability to implant malware.


Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second stage payload.

Zscaler Coverage:

Zscaler’s ThreatLabZ team has deployed protection as mentioned below:

Advanced Threat Protection Signatures

WIN32.EXPLOIT.CVE-2023-34362


APP.EXPLOIT.CVE-2023-34362


HTML.EXPLOIT.CVE-2023-34362

Details related to the threat signatures released by Zscaler can be found in the Zscaler Threat Library.

Additional References:

https://www.cisa.gov/news-events/alerts/2023/06/07/cisa-and-fbi-release-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability


https://nvd.nist.gov/vuln/detail/CVE-2023-34362


https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/

https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft

*** This is a Security Bloggers Network syndicated blog from Blog Category Feed authored by Jithin Nair. Read the original post at: https://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-34362-moveit-vulnerability