On May 31, 2023, Progress disclosed a critical vulnerability (CVE-2023-34362) in its MOVEit Transfer software: a SQL injection (SQLi) flaw in the MOVEit Transfer web application that could lead to privilege escalation and unauthorized access on affected systems.
MOVEit Transfer is a software developed by Progress Software that provides secure collaboration and automated file transfers for sensitive data. It is widely used by numerous organizations globally.
Depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to learn the database's structure and read its contents, and even execute SQL statements that modify or delete data. The injection point is reachable over the application's HTTP or HTTPS interface.
Exploitation of this vulnerability has been observed since the end of May 2023. The attackers deploy a web shell backdoor known as “human2.aspx”. Several researchers, including TrustedSec, have analyzed this backdoor and identified the following capabilities:
- Retrieve a comprehensive list of folders, files, and users within MOVEit.
- Download any file stored in MOVEit.
- Create a backdoor administrator user in MOVEit named “Health Check Service”.
Microsoft Threat Intelligence recently linked the exploitation of this vulnerability to the “Lace Tempest” group. This group is notorious for carrying out ransomware operations and running the extortion site known as Cl0p.
Key details of this vulnerability:
- CVE Identifier: CVE-2023-34362.
- Publication Date: 31/05/2023.
- Affected Software: MOVEit Transfer.
- Affected Versions: all versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
The vendor has released an official advisory recommending the following steps to mitigate the vulnerability CVE-2023-34362:
1. Disable all HTTP and HTTPS traffic within the MOVEit Transfer environment.
2. Remove unauthorized files and user accounts, and reset credentials for service accounts.
3. Apply the necessary security patches:
| Affected Version | Fixed Version | Documentation |
|---|---|---|
| MOVEit Transfer 2023.0.0 (15.0) | MOVEit Transfer 2023.0.1 | MOVEit 2023 Upgrade Documentation |
| MOVEit Transfer 2022.1.x (14.1) | MOVEit Transfer 2022.1.5 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2022.0.x (14.0) | MOVEit Transfer 2022.0.4 | MOVEit 2022 Upgrade Documentation |
| MOVEit Transfer 2021.1.x (13.1) | MOVEit Transfer 2021.1.4 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2021.0.x (13.0) | MOVEit Transfer 2021.0.6 | MOVEit 2021 Upgrade Documentation |
| MOVEit Transfer 2020.1.x (12.1) | Special Patch Available | See KB 000234559 |
| MOVEit Transfer 2020.0.x (12.0) or older | MUST upgrade to a supported version | See MOVEit Transfer Upgrade and Migration Guide |
| MOVEit Cloud | Prod: 22.214.171.124 or 126.96.36.199; Test: 188.8.131.52 | All MOVEit Cloud systems are fully patched at this time. See the Cloud Status Page |
4. Verify that unauthorized files and accounts have been removed.
5. Re-enable HTTP and HTTPS traffic.
6. Implement continuous monitoring of the network, endpoints, and logs for Indicators of Compromise (IoCs). The vendor's official advisory provides a list of IoCs for reference.
Detection of the Vulnerability
- Inspect the directories “C:\MOVEitTransfer\wwwroot” and “D:\MOVEitDMZ\wwwroot”, or similar, to locate recent suspicious files. Pay special attention to files such as “human2.aspx” or “App_Web_[RANDOM].dll” created within a similar time frame.
- Check for possible precompiled DLLs in “C:\Windows\Temp”, such as “erymbsqv\erymbsqv.dll”.
- Review MOVEit or firewall logs for large outbound network transfers from the MOVEit environment.
- Examine the MOVEit user database for a user named “Health Check Service”.
- Analyze active sessions in the MOVEit database for the user “Health Check Service” (note that the discovered backdoor may alter the timestamp of the most recent login, making it an unreliable field for inspection).
- Look for web traffic containing any of the following request or response headers: “X-siLock-Comment”, “X-siLock-Step1”, “X-siLock-Step2”, or “X-siLock-Step3”.
- Florian Roth has published a YARA rule that detects the known ASPX web shell backdoors used in this attack.
- Examine the MOVEit firewall and IIS logs for requests originating from any of the IP addresses listed in the vendor's IoCs.
As part of its emerging vulnerabilities service, Tarlogic proactively monitors its clients' perimeter to detect this vulnerability, and other critical threats that could severely impact asset security, and to notify clients promptly.