On May 31, Forescout Research – Vedere Labs uncovered a significant incident where threat actors exploited a critical zero-day vulnerability in the MOVEit Transfer software, which resulted in unauthorized access to and exfiltration of private data, as well as privilege escalation.
MOVEit Transfer is a widely adopted managed file transfer (MFT) solution that enables organizations to securely exchange files with their business partners and customers. The exploited vulnerability has been assigned the identifier CVE-2023-34362.
CVE-2023-34362 is currently being mass exploited, with hundreds of organizations hit simultaneously. Although we could not attribute this particular incident to a specific threat actor with certainty, ongoing exploitation of CVE-2023-34362 has been attributed by CISA, the FBI and other organizations to the Cl0p ransomware group since May 27. The criminal group itself has claimed responsibility for the attacks with an extortion note on their website.
Cl0p is one of the most active ransomware groups and was behind last year’s attack on a UK water utility, among many other critical incidents. The group also exploited another vulnerability in a similar MFT tool in January, claiming 130 victims at that time. Researchers found evidence that the group knew about the MOVEit Transfer vulnerability for almost two years but chose to wait for the right moment to use it in a mass attack.
CVE-2023-34362 is an SQL injection affecting MOVEit Transfer versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5) and 2023.0.1 (15.0.1). The vulnerability allows attackers to manipulate the underlying database and potentially gain unauthorized access. Exploitation of unpatched systems can occur over both HTTP and HTTPS, making all vulnerable instances susceptible to attack.
Fortunately, the software vendor, Progress, promptly addressed this vulnerability and released a patch to mitigate the risk. On June 9, the vendor also released a patch for a second SQL injection vulnerability (no CVE had been assigned at the time of writing), uncovered during the code review that followed the first issue, so that it could not be used to stage further exploitation. There is no evidence that the second vulnerability has been exploited in the wild; it should nevertheless be patched alongside CVE-2023-34362.
There are currently more than 2,500 exposed servers running MOVEit Transfer. Seventy-three percent of those are in the U.S., 5% in the UK and 4.5% in Germany, with the remaining 17.5% spread across over 80 other countries. Sixty-eight percent of the servers have a similar configuration, running over HTTPS on port 443 on top of the Microsoft IIS web server. These servers are most often observed in organizations in the healthcare, financial services and government sectors.
Read our full report for further technical details about the webshell used in the attack.
The incident exploiting CVE-2023-34362
The figure below summarizes the incident that we detected and analyze in the full report. First, the threat actor exploited CVE-2023-34362 on an Internet-facing host running a vulnerable version of MOVEit Transfer. Second, the attacker deployed a webshell named human2.aspx that allowed them to execute commands on the target. Third, the attacker leveraged the webshell to exfiltrate data to a command-and-control (C2) server.
Progress, the MOVEit Transfer vendor, has released immediate mitigation measures to assist in preventing the exploitation of CVE-2023-34362. The table below shows the security patch for each supported version of MOVEit Transfer. Customers on unsupported versions should upgrade to one of the supported fixed versions below.
|Affected version|Fixed version|
|---|---|
|MOVEit Transfer 2023.0.0 (15.0)|MOVEit Transfer 2023.0.1 (15.0.1)|
|MOVEit Transfer 2022.1.x (14.1)|MOVEit Transfer 2022.1.5 (14.1.5)|
|MOVEit Transfer 2022.0.x (14.0)|MOVEit Transfer 2022.0.4 (14.0.4)|
|MOVEit Transfer 2021.1.x (13.1)|MOVEit Transfer 2021.1.4 (13.1.4)|
|MOVEit Transfer 2021.0.x (13.0)|MOVEit Transfer 2021.0.6 (13.0.6)|
|MOVEit Transfer 2020.1.x (12.1)|Special patch available from the vendor|
|MOVEit Transfer 2020.0.x (12.0) or older|Must upgrade to a supported version|
|MOVEit Cloud|Prod: 126.96.36.199 or 188.8.131.52|
Additional recommended mitigation includes:
- Until the patch has been applied, disable all HTTP and HTTPS traffic to your MOVEit Transfer environment, for instance by modifying firewall rules to deny inbound traffic to the affected products on ports 80 and 443. This blocks the web UI, the REST and other APIs, and MOVEit Automation tasks that use the MOVEit Transfer host; SFTP and FTP/S transfers are unaffected.
- Review logs for unexpected downloads of files from unknown IPs or for large numbers of files downloaded. Give special attention to GET requests whose IIS log field cs-uri-stem is /download. Such requests, especially from IPs that are not known partners or customers, may indicate file exfiltration, where a threat actor is retrieving sensitive data from the system.
- Delete unauthorized files (such as unexpected .aspx files in the MOVEit Transfer web root, including the human2.aspx webshell) and unauthorized user accounts (such as "Health Check Service") found on a system. Removing these artifacts does not close the vulnerability itself: the patch must still be applied, and any data reachable from the compromised host should be treated as potentially exfiltrated.
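The log review described above can be scripted. The following is an added example written for this article, not Forescout detection content or a Progress tool: it parses IIS W3C extended log text (the format the MOVEit Transfer site writes under IIS), flags any request whose path ends in the human2.aspx webshell name, summarizes GET /download requests per client IP, and reports IPs outside an allow-list of known clients or above a per-IP download threshold. The log lines, IP addresses, allow-list and threshold are constructed for the example and are assumptions; the threshold in particular should be set from your own baseline.

```python
"""Hunt MOVEit Transfer IIS logs for webshell hits and suspicious /download activity.

Illustrative code added for this article (not Forescout's or Progress's own).
Input is IIS W3C extended log text; field order is taken from the #Fields
directive, as in real IIS logs. Sample data, allow-list and threshold are
constructed for the example.
"""
from collections import Counter

WEBSHELL_NAME = "human2.aspx"        # webshell file name observed in the incident

# Constructed sample log (not real traffic). 203.0.113.10 is a known partner,
# 198.51.100.7 drops the webshell and pulls five files, 192.0.2.33 is unknown.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-bytes
2023-05-31 02:10:11 GET /human.aspx - 443 alice 203.0.113.10 200 9120
2023-05-31 02:10:40 GET /download arg01=1 443 alice 203.0.113.10 200 48213
2023-05-31 02:11:02 GET /download arg01=2 443 alice 203.0.113.10 200 51200
2023-05-31 02:14:05 POST /human2.aspx - 443 - 198.51.100.7 200 512
2023-05-31 02:14:10 GET /download arg01=3 443 - 198.51.100.7 200 1048576
2023-05-31 02:14:11 GET /download arg01=4 443 - 198.51.100.7 200 1048576
2023-05-31 02:14:12 GET /download arg01=5 443 - 198.51.100.7 200 1048576
2023-05-31 02:14:13 GET /download arg01=6 443 - 198.51.100.7 200 1048576
2023-05-31 02:14:14 GET /download arg01=7 443 - 198.51.100.7 200 1048576
2023-05-31 03:01:00 GET /download arg01=8 443 bob 192.0.2.33 200 2048
"""

KNOWN_CLIENT_IPS = {"203.0.113.10"}   # assumed allow-list of partner/customer IPs
DOWNLOAD_THRESHOLD = 5                # assumed per-IP threshold; derive from your baseline


def parse_iis_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # e.g. ['date', 'time', 'cs-method', ...]
            continue
        if not line or line.startswith("#"):
            continue                         # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log data appears before a #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue                         # malformed line: skip rather than mis-align
        yield dict(zip(fields, parts))


def hunt(rows, known_ips=KNOWN_CLIENT_IPS, threshold=DOWNLOAD_THRESHOLD):
    """Return (findings, downloads_per_ip, bytes_per_ip) for the parsed rows."""
    findings = []
    downloads = Counter()
    bytes_out = Counter()
    for r in rows:
        ip = r["c-ip"]
        stem = r["cs-uri-stem"].lower()
        # Match the exact basename: the legitimate MOVEit page is human.aspx and
        # the webshell is human2.aspx, so a substring test on "human" would be noisy.
        if stem.rsplit("/", 1)[-1] == WEBSHELL_NAME:
            findings.append(("webshell_request", ip, f"{r['date']} {r['time']} {r['cs-method']}"))
        if r["cs-method"] == "GET" and stem == "/download":
            downloads[ip] += 1
            if r["sc-bytes"].isdigit():      # IIS writes "-" when the field is empty
                bytes_out[ip] += int(r["sc-bytes"])
    for ip, count in downloads.items():
        if ip not in known_ips:
            findings.append(("download_from_unknown_ip", ip, count))
        if count >= threshold:
            findings.append(("bulk_download", ip, count))
    return findings, downloads, bytes_out


def run_example():
    """Run the hunt over the constructed sample log."""
    return hunt(parse_iis_w3c(SAMPLE_LOG))


if __name__ == "__main__":
    found, per_ip, per_ip_bytes = run_example()
    for kind, ip, detail in found:
        print(f"{kind:26} {ip:15} {detail}")
    for ip in per_ip:
        print(f"{ip:15} downloads={per_ip[ip]} bytes={per_ip_bytes[ip]}")
```

On a real host, read the site's log directory (by default under the IIS logs folder, one file per day) and feed each file to parse_iis_w3c; the per-IP byte totals are the quickest way to size a suspected exfiltration before the full file-level review.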
How Forescout can help
CISA’s first recommended action to mitigate CVE-2023-34362 is to “take an inventory of assets and data, identifying authorized and unauthorized devices and software.” The Forescout Platform can provide such an automatic inventory across all assets on the network.
Beyond building a comprehensive inventory, Forescout’s extended detection and response solution can also help to directly detect and respond to this threat. Forescout XDR can detect the human2.aspx webshell from both EDR and network security logs. The following rules have been added to Forescout XDR to provide holistic detection for this threat:
- CY-IR-1822 - Emerging Threats: Potential MOVEit Transfer Web Shell Detected
- CY-IR-1135 - PanOS: Suspicious Web Request Detected
- CY-IR-1130 - PanOS: Web Vulnerability Scanning Detection
The figures below show the descriptions of the "Suspicious Web Request Detected" and "Web Vulnerability Scanning Detection" rules, which trigger when requests to the webshell are observed in the monitored environment.
The following IOCs have been observed either as part of the incident we analyzed or from external public sources.
Download the full threat briefing report for more details on the incident and the deployed payload.