MOVEit is managed file transfer software produced by Progress Software (formerly Ipswitch). MOVEit encrypts files and uses secure file transfer protocols to move data, with automation, analytics and failover options. The software is heavily used in the healthcare industry as well as by thousands of IT departments in the financial services and government sectors.
On 27 May 2023, Progress Software disclosed a critical vulnerability, CVE-2023-34362, in the MOVEit Transfer application. Upon successful exploitation, this vulnerability could allow an unauthenticated attacker to gain access to the MOVEit Transfer database, infer information about its internal structure and contents, and alter or delete database elements.
What is the issue?
MOVEit Transfer is typically used by organizations for file transfer operations and has a web application that supports several database back ends, including MySQL, Microsoft SQL Server, and Azure SQL. The vulnerability allows adversaries to implant a remote web shell on the victim's machine.
As shown in the diagram above, an adversary performs the following steps to implant a malicious webshell:
App check – GET / – on port 443
Health check – POST /guestaccess.aspx – on port 443
Check token – POST /api/v1/token – on port 443
Check folder – GET /api/v1/folders – on port 443
Upload file – POST /api/v1/folders/[PATH]/files uploadType=resumable – on port 443
Post data – POST /machine2.aspx – on port 80
Perform SQL injection – POST /moveitisapi/moveitisapi.dll – on port 443
Prepare session – POST /guestaccess.aspx – on port 443
Upload file – PUT /api/v1/folders/[PATH]/files uploadType=resumable&fileId=[FILEID] – on port 443
Post data – /machine2.aspx – on port 80
Access WebShell – GET /human2.aspx – on port 443
The malicious file is deliberately named human2.aspx so that it masquerades as the legitimate, non-malicious human.aspx, which ships with MOVEit installations. This ASPX file stages an SQL database account to be used for further access. When the malicious webshell is installed, it generates a random 36-character password that is later used for authentication. The adversary communicates with the webshell over HTTP using specially crafted requests that carry a custom header named "X-siLock-Comment"; the value of this header is the password generated during installation of the webshell. If an incoming HTTP request does not contain the custom header, the webshell returns a 404 Not Found response. Once an adversary authenticates successfully, depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), they may be able to build an understanding of the structure and contents of the database and execute SQL statements that alter or delete database elements.
moveitisapi.dll is used to perform the SQL injection when requested with specific headers, and guestaccess.aspx is used to prepare a session and extract CSRF tokens and other field values needed for the subsequent steps. The webshell (human2.aspx) connects to the database and offers data exfiltration functionality driven by the value of a supplied X-siLock-Step1 header.
As of 7 June 2023, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet. In recent years, file transfer solutions have been a popular target for ransomware groups. According to an advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), threat actor groups such as the CL0P ransomware gang reportedly began exploiting the same vulnerability and leveraged it to implant a remote web shell on victim machines. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from the victim's machine and the underlying MOVEit Transfer databases.
Are Zscaler products affected?
Zscaler does not utilize Progress Software’s MOVEit product. The Zscaler platform is not susceptible to this vulnerability.
Details of the affected versions of MOVEit Transfer are available here. As per Progress Software, this vulnerability affects all versions of MOVEit Transfer. It does not affect MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics or MOVEit Freely.
Progress Software also released a security advisory describing the patch that fixes the issue, along with recommended remediation and mitigation steps.
If you are running MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), or 2023.0.1 (15.0.1), it is strongly recommended to upgrade to a version in which this vulnerability is patched, as per the details given here.
The IIS access logs can be checked for indicators of compromise on the host in question.
At the endpoint, check for the presence of files named human2.aspx or _human2.aspx in the MOVEitTransfer\wwwroot folder.
Based on known cases of exploitation so far, compromise would involve incoming requests to the following endpoints (in this order):
guestaccess.aspx, followed by
moveitisapi.dll, followed by
human2.aspx or _human2.aspx
In case header values are logged, requests/responses with the following HTTP header names are confirmed indicators of compromise:
Locate MOVEit root directory from
Locate MOVEit log file location
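As an added example (not from the original advisory or from Progress), the following Python scans an IIS W3C access log for the ordered guestaccess.aspx, moveitisapi.dll, human2.aspx request chain described above and for any request to the webshell file names, treating a 404 on those names as noteworthy because the webshell itself answers 404 when the X-siLock-Comment header is absent. The log excerpt is constructed for illustration and the column layout assumes IIS's default W3C field set.

```python
from collections import defaultdict

# Constructed IIS W3C access-log excerpt (not from a real host); the column
# layout is the default IIS field set named in the #Fields: header.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-06-01 10:00:01 10.0.0.5 GET / - 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 12
2023-06-01 10:00:02 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 40
2023-06-01 10:00:03 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 88
2023-06-01 10:00:05 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.7 python-requests/2.31 - 200 0 0 15
2023-06-01 10:01:00 10.0.0.5 GET /human.aspx - 443 alice 203.0.113.9 Mozilla/5.0 - 200 0 0 20
2023-06-01 10:01:30 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 404 0 0 3
"""
# Ordered request chain the advisory lists for known exploitation; the final
# stage accepts either webshell file name.
CHAIN = ("/guestaccess.aspx", "/moveitisapi/moveitisapi.dll")
WEBSHELL_STEMS = {"/human2.aspx", "/_human2.aspx"}

def parse_iis(text):
    """Yield one dict per W3C record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):  # skip malformed records rather than mis-assign
            yield dict(zip(fields, parts))

def find_exploit_chains(text):
    """Return (chain_hits, webshell_hits): client IPs that walked the full
    guestaccess.aspx -> moveitisapi.dll -> human2.aspx chain in order, and
    (c-ip, sc-status) for every request to a webshell file name. A 404 on the
    latter still matters: the webshell answers 404 when X-siLock-Comment is absent."""
    progress = defaultdict(int)
    chain_hits, webshell_hits = [], []
    for rec in parse_iis(text):
        stem, ip = rec["cs-uri-stem"].lower(), rec["c-ip"]
        if stem in WEBSHELL_STEMS:
            webshell_hits.append((ip, rec["sc-status"]))
        stage = progress[ip]
        if stage < len(CHAIN) and stem == CHAIN[stage]:
            progress[ip] += 1
        elif stage == len(CHAIN) and stem in WEBSHELL_STEMS:
            progress[ip] += 1  # chain completed; later requests from this IP are ignored
            chain_hits.append(ip)
    return chain_hits, webshell_hits
```

Running it against a real log means reading the file instead of SAMPLE_LOG; only the first client is reported as completing the chain, while the second client's 404 on human2.aspx is surfaced separately for triage.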
Best Practices/Guidelines to Follow:
Limit the impact from a potential compromise by restricting lateral movement with identity-based micro-segmentation (Zscaler Workload Segmentation) and a Zero Trust architecture.
Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access, especially with application security modules turned on.
Route all server traffic through Zscaler Private Access with the additional application security module enabled and through Zscaler Internet Access, which will provide the visibility needed to identify and stop malicious activity from compromised systems/servers.
Restrict traffic to the critical infrastructure from the allowed list of known-good destinations.
Ensure you are inspecting all SSL traffic.
Turn on Advanced Threat Protection to block all known command-and-control domains. This will provide additional protection in case the adversary exploits this vulnerability to implant malware.
Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations. Again, this will provide additional protection in case the adversary exploits this vulnerability to implant malware.
Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second-stage payload.
Zscaler’s ThreatLabZ team has deployed protection as mentioned below:
Advanced Threat Protection Signatures