
MOVEit Transfer Vulnerability Actively Exploited

Cyble analyzes the MOVEit Transfer vulnerability and observes active exploitation attempts in the Cyble Global Sensor Intelligence (CGSI) network.

Cyble Global Sensor Intelligence (CGSI) observes Exploitation Attempts

On May 31st, 2023, Progress Software, the vendor of MOVEit Transfer, released a security advisory regarding a SQL injection vulnerability in the product.

MOVEit Transfer is a Managed File Transfer (MFT) product used by many organizations that handle sensitive data. Recently, the Clop ransomware group exploited a vulnerability in the GoAnywhere file transfer product to steal data from multiple organizations and extort them, which shows that Threat Actors (TAs) have a keen interest in vulnerable internet-exposed assets that can be used for espionage, data theft, and ransomware operations.

Shodan indicates that there are more than 2,500 publicly accessible MOVEit instances exposed on the internet, as shown in Figure 1. Most of the exposures are in the United States, the United Kingdom, and Germany.

Figure 1 – Geographical representation of Exposed MOVEit over the Internet

Technical Details

The official advisory states the following:

The vulnerability could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.

Because all MOVEit Transfer versions are affected by the vulnerability, the vendor urges customers to patch urgently and to follow the mitigation procedures in the advisory.

Affected product          | Fixed version
MOVEit Transfer 2023.0.0  | MOVEit Transfer 2023.0.1
MOVEit Transfer 2022.1.x  | MOVEit Transfer 2022.1.5
MOVEit Transfer 2022.0.x  | MOVEit Transfer 2022.0.4
MOVEit Transfer 2021.1.x  | MOVEit Transfer 2021.1.4
MOVEit Transfer 2021.0.x  | MOVEit Transfer 2021.0.6

Cyble Global Sensor Intelligence (CGSI) Insights

On June 1st, 2023, the CGSI network observed exploitation attempts involving the human2.aspx file (Figure 2), which is one of the indicators of compromise listed by the vendor. The human2.aspx web shell is reportedly uploaded to the server during the attack.

Figure 2 – CGSI network indicating exploitation attempts

Analysis of human2.aspx

The web shell first connects to the MOVEit database using its ConnectDB() function, as shown below.

Figure 3 – ConnectDB() function

After connecting to the MOVEit database, the script’s page_load() function checks the value of the “X-siLock-Comment” request header. If the value does not match a specific hard-coded string (REDACTEDREDACTEDREDACTEDREDACTED), it sets the response status code to 404 and returns, so anyone who does not know the value sees what looks like a missing page. The figure below shows the code snippet of the page_load() function.

Figure 4 – page_load() function

The script then branches on the value of the “X-siLock-Step1” header. If the value is “-1”, it executes three SQL queries against the MOVEit database, writes the results as a CSV-formatted string, and compresses the result with GZip.

The three queries retrieve the following data from the MOVEit database:

Query 1: Fetches file-related information from the `files`, `folders`, and `users` tables: the file ID, institution ID, folder ID, file size, file name, uploader’s login name, folder path, and folder name.

Query 2: Retrieves folder-related details from the `folders` and `users` tables: the folder ID, institution ID, folder name, folder owner’s login name, and folder path.

Query 3: Retrieves institution-related information from the `institutions` table: the institution ID, institution name, and institution’s short name.

The below figure shows the code snippet of the function, which executes three SQL queries that fetch data from multiple tables.

Figure 5 – Backdoor fetching data from multiple tables

If the value of “X-siLock-Step1” is “-2”, the script executes a query that deletes the user account named ‘Health Check Service’ (the account it creates in the default branch described next), as shown below.

Figure 6 – Delete user from database

For any other value of “X-siLock-Step1”, the script expects file and folder IDs to be supplied in the “X-siLock-Step2” and “X-siLock-Step3” headers, respectively. It then inserts an administrative user named “Health Check Service” into the users table and inserts an active session for the newly created user, as shown below.

Figure 7 – Inserting an active session
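The dispatch logic described above, reproduced as an added Python example for detection engineering. This is not code from the original post or from the web shell itself: the X-siLock-Comment value is a constructed placeholder (the real one is redacted in the report), the sample requests are constructed, and because the X-siLock-* header family is also used by MOVEit’s own client protocol, the hunt keys on the request path rather than on the header names alone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Stand-in for the 32-character value the web shell compares X-siLock-Comment
# against. The real value is redacted in the report; this one is constructed.
EXPECTED_COMMENT = "CONSTRUCTED-PLACEHOLDER-VALUE-00"

# Account name the web shell inserts (default branch) and deletes (Step1 = -2).
PLANTED_USER = "Health Check Service"


@dataclass
class Verdict:
    path: str
    status: int                      # HTTP status the shell would answer with
    action: str                      # branch of page_load() the request reaches
    detail: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request-head parser -> (method, path, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def dispatch(path: str, headers: Dict[str, str],
             expected_comment: str = EXPECTED_COMMENT) -> Verdict:
    """Reproduce the decision tree of human2.aspx's page_load(): the
    X-siLock-Comment gate first, then the switch on X-siLock-Step1."""
    if headers.get("x-silock-comment") != expected_comment:
        # Wrong or missing comment: the shell pretends not to exist.
        return Verdict(path, 404, "rejected_by_comment_gate")
    step1 = headers.get("x-silock-step1")
    if step1 == "-1":
        # Three SELECTs over files/folders/users and institutions -> CSV -> GZip.
        return Verdict(path, 200, "dump_metadata_gzip_csv",
                       {"tables": "files, folders, users, institutions"})
    if step1 == "-2":
        return Verdict(path, 200, "delete_planted_user", {"login": PLANTED_USER})
    # Default branch: plant the admin account and a live session; the file and
    # folder IDs arrive in Step2/Step3 (per the analysis above).
    return Verdict(path, 200, "create_admin_and_session",
                   {"login": PLANTED_USER,
                    "x-silock-step2": headers.get("x-silock-step2"),
                    "x-silock-step3": headers.get("x-silock-step3")})


def hunt_requests(raw_requests: List[bytes]) -> List[Verdict]:
    """Flag every request addressed to human2.aspx. Requests the shell would
    itself answer with 404 are still findings: nothing legitimate asks for
    that page, and a probe with a wrong value shows someone is looking for it."""
    findings: List[Verdict] = []
    for raw in raw_requests:
        _method, path, headers = parse_request(raw)
        if re.search(r"/human2\.aspx$", path.split("?", 1)[0], re.IGNORECASE):
            findings.append(dispatch(path, headers))
    return findings


# Constructed sample traffic (not captured data), one request per branch.
SAMPLE_REQUESTS: List[bytes] = [
    # 1. probe with a wrong comment value: the shell answers 404
    b"GET /human2.aspx HTTP/1.1\r\nHost: mft.example.test\r\nX-siLock-Comment: wrong-value\r\n\r\n",
    # 2. metadata dump branch (Step1 = -1)
    (b"POST /human2.aspx HTTP/1.1\r\nHost: mft.example.test\r\nX-siLock-Comment: "
     + EXPECTED_COMMENT.encode() + b"\r\nX-siLock-Step1: -1\r\n\r\n"),
    # 3. cleanup branch (Step1 = -2) removes the planted account
    (b"POST /human2.aspx HTTP/1.1\r\nHost: mft.example.test\r\nX-siLock-Comment: "
     + EXPECTED_COMMENT.encode() + b"\r\nX-siLock-Step1: -2\r\n\r\n"),
    # 4. default branch: plant the admin user and a session, IDs in Step2/Step3
    (b"POST /human2.aspx HTTP/1.1\r\nHost: mft.example.test\r\nX-siLock-Comment: "
     + EXPECTED_COMMENT.encode()
     + b"\r\nX-siLock-Step1: 1\r\nX-siLock-Step2: 123\r\nX-siLock-Step3: 456\r\n\r\n"),
    # 5. unrelated request, not flagged
    b"GET / HTTP/1.1\r\nHost: mft.example.test\r\n\r\n",
]


if __name__ == "__main__":
    for v in hunt_requests(SAMPLE_REQUESTS):
        print(f"{v.status} {v.action:26} {v.detail}")
```

Feed it raw request heads from a WAF, reverse-proxy capture, or PCAP; standard IIS logs do not record custom headers, so the path match is the part that works against ordinary web logs, while the branch classification needs header visibility.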

Conclusion

Managed File Transfer (MFT) services have become a favored target for ransomware groups because of their central role in moving sensitive data within and between organizations. Ransomware operators exploit vulnerabilities in MFT systems to gain unauthorized access to valuable files, which they steal and, in some cases, encrypt, holding the data hostage until a ransom is paid.

MFT solutions are particularly attractive to these cybercriminals because they often handle large volumes of critical information, such as financial records, customer data, and intellectual property. The potential impact of such an attack is significant, as it can disrupt business operations, compromise confidential information, and lead to substantial financial and reputational damage.

Our analysis shows that multiple government and private organizations have MOVEit Transfer instances exposed on the internet. Since we already observe active exploitation of the vulnerability, ransomware groups are likely to use it against these organizations in the near future.

Recommendation

  • Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment until the fixed version is installed.
  • Modify firewall rules to deny HTTP and HTTPS traffic to the affected product on ports 80 and 443. While web traffic is blocked, the web UI and APIs are unavailable, but SFTP and FTPS continue to work.
  • Delete unauthorized files and user accounts:
      • Delete any instances of the human2.aspx and .cmdline script files.
      • On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
      • On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of .cmdline.
      • Remove any unauthorized user accounts, such as the “Health Check Service” account the web shell creates. Because the web shell can also delete this account on command, its absence does not by itself rule out compromise.
      • Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded.
  • Reset service account credentials for affected systems and the MOVEit service account.
  • Implement proper network segmentation to prevent lateral movement and to minimize exposure of critical assets to the internet.
  • Keep critical assets behind properly configured and updated firewalls.
  • Keep software, firmware, and applications updated with the latest patches and mitigations released by the vendor.
  • Continuous monitoring and logging can help detect network anomalies early.
  • Implement multi-factor authentication wherever possible.
  • Keep track of advisories and alerts issued by vendors and state authorities.
  • Conduct cyber security awareness training programs for employees.
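A file-system sweep that implements the three hunting steps above (new files in wwwroot, .cmdline files under TEMP\[random]\, and the SHA-256 indicators from the table further down), written here as an added Python example; it is not tooling from the original post or from Progress. The directory tree it scans is constructed in a temporary folder with placeholder contents, and the `since` baseline timestamp is an assumption to be replaced with your own last-known-good date.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Set

# SHA-256 hashes of human2.aspx samples, taken from the IoC table in this report.
HUMAN2_SHA256: Set[str] = {
    "0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9",
    "110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286",
    "1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2",
    "2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59",
    "58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166",
    "98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8",
    "a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986",
    "b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03",
    "cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621",
    "ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c",
}

# Filenames from the IoC table (compared case-insensitively).
IOC_FILENAMES = {"human2.aspx", "human2.aspx.lnk"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt_filesystem(wwwroot: Path, windows_temp: Path, since: float,
                    ioc_hashes: Set[str] = HUMAN2_SHA256) -> List[Dict[str, str]]:
    """Sweep wwwroot and TEMP\\<random>\\ as the advisory recommends and return
    one finding per suspicious file, listing every reason it was flagged.
    `since` is the last-known-good time (epoch seconds); anything in wwwroot
    modified after it is reported even if its name and hash are unknown."""
    findings: List[Dict[str, str]] = []
    for p in Path(wwwroot).rglob("*"):
        if not p.is_file():
            continue
        reasons = []
        if p.name.lower() in IOC_FILENAMES:
            reasons.append("ioc filename")
        digest = sha256_file(p)
        if digest in ioc_hashes:
            reasons.append("ioc sha256")
        if p.stat().st_mtime >= since:
            reasons.append("modified after baseline")
        if reasons:
            findings.append({"name": p.name, "path": str(p), "sha256": digest,
                             "reasons": ", ".join(reasons)})
    # C:\Windows\TEMP\[random]\*.cmdline: exactly one directory level below TEMP.
    for p in Path(windows_temp).glob("*/*.cmdline"):
        if p.is_file():
            findings.append({"name": p.name, "path": str(p), "sha256": sha256_file(p),
                             "reasons": ".cmdline under TEMP\\<random>\\"})
    return findings


def build_demo_tree(base: Path) -> Dict[str, Path]:
    """Constructed sample tree: one legitimate page with a year-old mtime, a
    web shell stand-in with a fresh mtime, and a .cmdline drop under TEMP."""
    wwwroot = base / "MOVEitTransfer" / "wwwroot"
    temp = base / "Windows" / "TEMP"
    wwwroot.mkdir(parents=True)
    (temp / "a1b2c3d4").mkdir(parents=True)
    legit = wwwroot / "default.aspx"
    legit.write_text("<%-- constructed placeholder for a legitimate page --%>")
    year_ago = time.time() - 365 * 86400
    os.utime(legit, (year_ago, year_ago))
    shell = wwwroot / "human2.aspx"
    shell.write_text("<%-- constructed stand-in; NOT the real web shell --%>")
    (temp / "a1b2c3d4" / "x.cmdline").write_text("constructed placeholder")
    return {"wwwroot": wwwroot, "temp": temp, "shell": shell}


def run_demo() -> List[Dict[str, str]]:
    with tempfile.TemporaryDirectory() as tmp:
        tree = build_demo_tree(Path(tmp))
        # The stand-in's own hash is added to the IoC set so the hash branch runs too.
        iocs = HUMAN2_SHA256 | {sha256_file(tree["shell"])}
        return hunt_filesystem(tree["wwwroot"], tree["temp"],
                               since=time.time() - 7 * 86400, ioc_hashes=iocs)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['reasons']:48} {f['path']}")
```

On a real server, point `hunt_filesystem` at C:\MOVEitTransfer\wwwroot and C:\Windows\TEMP with `since` set to the install or last-patch time; files flagged only as “modified after baseline” still need manual review, since the name and hash lists cover only the samples known at publication.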

Indicators of Compromise

Indicator | Indicator type | Description
0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 | SHA-256 hash | human2.aspx web shell used during exploitation
110e301d3b5019177728010202c8096824829c0b11bb0dc0bff55547ead18286 | SHA-256 hash | human2.aspx web shell used during exploitation
1826268249e1ea58275328102a5a8d158d36b4fd312009e4a2526f0bfbc30de2 | SHA-256 hash | human2.aspx web shell used during exploitation
2ccf7e42afd3f6bf845865c74b2e01e2046e541bb633d037b05bd1cdb296fa59 | SHA-256 hash | human2.aspx web shell used during exploitation
58ccfb603cdc4d305fddd52b84ad3f58ff554f1af4d7ef164007cb8438976166 | SHA-256 hash | human2.aspx web shell used during exploitation
98a30c7251cf622bd4abce92ab527c3f233b817a57519c2dd2bf8e3d3ccb7db8 | SHA-256 hash | human2.aspx web shell used during exploitation
a8f6c1ccba662a908ef7b0cb3cc59c2d1c9e2cbbe1866937da81c4c616e68986 | SHA-256 hash | human2.aspx web shell used during exploitation
b5ef11d04604c9145e4fe1bedaeb52f2c2345703d52115a5bf11ea56d7fb6b03 | SHA-256 hash | human2.aspx web shell used during exploitation
cec425b3383890b63f5022054c396f6d510fae436041add935cd6ce42033f621 | SHA-256 hash | human2.aspx web shell used during exploitation
ed0c3e75b7ac2587a5892ca951707b4e0dd9c8b18aaf8590c24720d73aa6b90c | SHA-256 hash | human2.aspx web shell used during exploitation
5[.]252[.]189[.]0/24 | CIDR | Attacker command and control
5[.]252[.]190[.]0/24 | CIDR | Attacker command and control
5[.]252[.]191[.]0/24 | CIDR | Attacker command and control
198[.]27[.]75[.]110 | IP address | Attacker command and control
209[.]222[.]103[.]170 | IP address | Attacker command and control
84[.]234[.]96[.]104 | IP address | Attacker command and control
167[.]71[.]229[.]198 | IP address | Scanning attempt observed
138[.]197[.]24[.]249 | IP address | Scanning attempt observed
139[.]59[.]37[.]187 | IP address | Scanning attempt observed
167[.]172[.]89[.]248 | IP address | Scanning attempt observed
170[.]64[.]134[.]89 | IP address | Scanning attempt observed
human2[.]aspx | Filename | Web shell used during exploitation
human2[.]aspx[.]lnk | Filename | Web shell used during exploitation
POST /moveitisapi/moveitisapi[.]dll | HTTP POST | NA
POST /guestaccess[.]aspx | HTTP POST | NA
POST /api/v1/folders/[random]/files | HTTP POST | NA

References

https://digital.nhs.uk/cyber-alerts/2023/cc-4326

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
