TL;DR : We’ve observed MOVEit Transfer servers in multiple customer environments that have been actively exploited by a new vulnerability. We have observed successful compromises related to this vulnerability in our customer base. This vulnerability requires immediate action to prevent unauthorized access and privilege escalation.

 

The details:
Progress Software recently disclosed a vulnerability (CVE-2023-34362) affecting all MOVEit Transfer versions. Threat actors are actively exploiting the vulnerability to gain unauthorized access.

In the exploitation, we observed that the threat actor deployed a webshell consistently named “human2.aspx”. The human2.aspx webshell reportedly creates a MOVEit Transfer user account session with the display name “Health Check Service”. We recommend searching for this user account and for any other new and unauthorized user accounts, and removing them if you cannot confirm their legitimacy. If signs of compromise exist, we recommend reviewing MOVEit Transfer logs for indicators of exfiltration or uploading the logs for Expel to review.

 

Why we are telling you:

Exploitation of this vulnerability provides an attacker access to the network and has been reported as resulting in data exfiltration and ransomware deployment. Via a SQL injection vulnerability in the MOVEit Transfer web application, an un-authenticated attacker could gain unauthorized access to MOVEit Transfer's database, allowing the attacker to modify or access database elements.

 

What we’ve done and are doing:

  • Performed preliminary investigation to identify scope and compromised hosts
  • Deployed MOVEit IOC rule to surface MOVEit related alerts and IOCs to high
  • Deployed MOVEit IOC BOLO to surface all vendor alerts with MOVEit related file hashes
  • Because Expel integrates signal from a panoply of security vendors, we are able to review the detections that the community develops for this threat. Expel’s detection and response team is continuing to examine this threat to see what detection and hunting logic we can apply to detect this activity with acceptable fidelity.

 

Immediate recommendations:

  • Apply patches to MOVEit Transfer applications. We recommend implementing the applicable patches and updates as soon as possible.
  • If a software installation is end of life, no patch may be available but the software is still vulnerable. Installations that cannot be patched should not be exposed to the internet.
    • Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. Note that doing so will limit and/or stop MOVEit Transfer functionality until reenabled.
  • Delete Unauthorized Files and User Accounts
    • Delete any instances of the human2.aspx and .cmdline script files.
    • On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
    • On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline
    • Remove any unauthorized user accounts. See Progress MOVEit Users Documentation article.
    • Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. For more information on reviewing logs, please refer to MOVEit Transfer Logs guide.
  • Reset Credentials
    • Reset service account credentials for affected systems and MOVEit Service Account
    • If you use Azure Storage in conjunction with MOVEit Transfer, rotate Azure Storage keys.

 

Strategic recommendations:

  • Use vulnerability scanner plugins to identify unpatched MOVEit instances.
  • Update remote access policies to only allow inbound connections from known and trusted IP addresses. For more information on restricting remote access, please refer to SysAdmin Remote Access Rules and Security Policies Remote Access guide.
  • Allow inbound access only from trusted entities (e.g., using certificate-based access control).
  • Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user's account password is lost, stolen, or compromised. To enable MFA, please refer to the MOVEit Transfer Multi-factor Authentication Documentation.

More Info/References: