Coverage Advisory for CVE-2023-34362 MOVEit Transfer Vulnerability

Background:
MOVEit is managed file transfer software produced by Progress (formerly Ipswitch). MOVEit encrypts files and uses secure file transfer protocols to move data, with automation, analytics and failover options. The software is heavily used in the healthcare industry as well as by thousands of IT departments in the financial services and government sectors. On 31-May-2023, Progress Software disclosed a critical vulnerability, CVE-2023-34362, in the MOVEit application. Upon successful exploitation, this vulnerability could allow an unauthenticated attacker to gain access to the MOVEit Transfer database, infer information about its internal structure, and alter or delete its elements.

What is the issue?
MOVEit is typically used by organizations for file transfer operations and has a web application that supports several database engines: MySQL, Microsoft SQL Server and Azure SQL. The MOVEit vulnerability allows adversaries to implant a remote web shell on the victim's machine. As shown in the diagram above, an adversary performs the following steps to implant a malicious webshell:

1. App check - GET / - on port 443
2. Health check - POST /guestaccess.aspx - on port 443
3. Check token - POST /api/v1/token - on port 443
4. Check folder - GET /api/v1/folders - on port 443
5. Upload file - POST /api/v1/folders/[PATH]/files uploadType=resumable - on port 443
6. Post data - POST /machine2.aspx - on port 80
7. Perform SQL injection - POST /moveitisapi/moveitisapi.dll - on port 443
8. Prepare session - POST /guestaccess.aspx - on port 443
9. Upload file - PUT /api/v1/folders/[PATH]/files uploadType=resumable&fileId=[FILEID] - on port 443
10. Post data - /machine2.aspx - on port 80
11. Access WebShell - GET /human2.aspx - on port 443

The name of the malicious file, human2.aspx, is chosen so that the webshell masquerades as the legitimate file human.aspx, which ships with MOVEit installations.

This ASPX file stages an SQL database account to be used for further access. Once the malicious webshell is installed, it generates a random 36-character password that is later used for authentication. The adversary communicates with the webshell over HTTP using specially crafted requests that carry a custom header named "X-siLock-Comment", whose value is the password generated when the webshell was installed. The webshell returns a 404 Not Found response if the incoming HTTP request does not contain this header. Once authenticated, and depending on the database engine in use (MySQL, Microsoft SQL Server or Azure SQL), the adversary may be able to learn the structure and contents of the database and execute SQL statements that alter or delete database elements. moveitisapi.dll is used to perform the SQL injection when requested with specific headers, and guestaccess.aspx is used to prepare a session and extract CSRF tokens and other field values needed for further actions. The webshell connects to the database and exposes data exfiltration functionality selected by the supplied X-siLock-Step1 header.

As of 7 June 2023, roughly 2,500 instances of MOVEit Transfer were exposed to the public internet. In recent years, file transfer solutions have been a popular target for ransomware groups. According to an advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), threat actor groups such as the CL0P ransomware gang reportedly started exploiting the same vulnerability and leveraged it to implant a remote web shell on the victim's machine. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from the victim's machine and the underlying MOVEit Transfer databases.

Are Zscaler products affected?
Zscaler does not use Progress Software's MOVEit product. The Zscaler platform is not susceptible to this vulnerability. The trust post is published here.

Affected products:
The details regarding the affected versions of MOVEit Transfer are available here. According to Progress Software, this vulnerability affects all versions of MOVEit Transfer. It does not affect MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics or MOVEit Freely.

Mitigations:
Progress Software has also released a security advisory with details of the patch and the recommended remediation and mitigation steps. If you are running MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5) or 2023.0.1 (15.0.1), it is strongly recommended to upgrade to the versions in which this vulnerability is patched, as detailed here.

Investigation Tips:
- The IIS access logs can be checked for indicators of compromise on the host in question.
- At the endpoint, check for the presence of files named human2.aspx or _human2.aspx in the \MOVEitTransfer\wwwroot\ folder.
- Based on known cases of exploitation so far, compromise involves incoming requests to the following endpoints, in this order: guestaccess.aspx, followed by moveitisapi.dll, followed by human2.aspx or _human2.aspx.
- If header values are logged, requests/responses with the following HTTP header names are confirmed indicators of compromise: X-siLock-Comment, X-siLock-Step1, X-siLock-Step2, X-siLock-Step3.
- Locate the MOVEit root directory from HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock->WebBaseDir.
- Locate the MOVEit log file location from HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock->LogsBaseDir.

Best Practices/Guidelines To follow:
- Limit the impact of a potential compromise by restricting lateral movement with identity-based micro-segmentation (Zscaler Workload Segmentation) and a Zero Trust architecture.
- Safeguard crown jewel applications by limiting lateral movement using Zscaler Private Access, especially with the application security modules turned on.
- Route all server traffic through Zscaler Private Access with the additional application security module enabled and Zscaler Internet Access, which will provide the visibility needed to identify and stop malicious activity from compromised systems/servers.
- Restrict traffic to the critical infrastructure to an allowed list of known-good destinations.
- Ensure you are inspecting all SSL traffic.
- Turn on Advanced Threat Protection to block all known command-and-control domains. This provides additional protection in case the adversary exploits this vulnerability to implant malware.
- Extend command-and-control protection to all ports and protocols with the Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations. Again, this provides additional protection in case the adversary exploits this vulnerability to implant malware.
- Use Advanced Cloud Sandbox to prevent unknown malware delivered as part of a second-stage payload.

Zscaler Coverage:
Zscaler's ThreatLabZ team has deployed the protection listed below.

Zscaler Advanced Threat Protection Signatures:
- WIN32.EXPLOIT.CVE-2023-34362
- APP.EXPLOIT.CVE-2023-34362
- HTML.EXPLOIT.CVE-2023-34362

Zscaler Private Access AppProtection:
- MOVEit Transfer moveitisapi SQL Injection (CVE-2023-34362): 6000662

Details related to the threat signatures released by Zscaler can be found in the Zscaler Threat Library.

Additional References:
https://www.cisa.gov/news-events/alerts/2023/06/07/cisa-and-fbi-release-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2023-34362
https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
https://www.techrepublic.com/article/zero-day-moveit-vulnerability/
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
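The IIS access log checks from the Investigation Tips above, written out as an added Python example (not part of this advisory or of any Zscaler or Progress tooling): it parses W3C-format IIS log lines, flags any client that walked the guestaccess.aspx -> moveitisapi.dll -> human2.aspx chain in order or requested the webshell file name at all, and, assuming a logged X-siLock-* header appears as a W3C field whose name contains the header name, flags requests where such a field carries a value. The log lines are constructed sample data.

```python
"""Added example (not from the advisory): scan IIS W3C access logs for the request
chain and header names the advisory lists as indicators of compromise. SAMPLE_LOG is
constructed data. Assumption: a logged X-siLock-* header appears as a W3C field whose
name contains the header name (IIS writes '-' when a logged field is absent)."""
from collections import defaultdict

# Ordered request chain the advisory describes for a compromise.
CHAIN = ("/guestaccess.aspx", "/moveitisapi/moveitisapi.dll", "/human2.aspx")
WEBSHELL_NAMES = {"/human2.aspx", "/_human2.aspx"}  # not legitimate MOVEit files

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-06-01 10:00:01 10.0.0.5 GET /human.aspx - 443 192.0.2.10 200
2023-06-01 10:00:02 10.0.0.5 POST /guestaccess.aspx - 443 198.51.100.7 200
2023-06-01 10:00:03 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 198.51.100.7 200
2023-06-01 10:00:04 10.0.0.5 GET /human2.aspx - 443 198.51.100.7 200
2023-06-01 10:00:05 10.0.0.5 POST /guestaccess.aspx - 443 192.0.2.10 200
"""

def parse_iis(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def scan(text):
    """Return {client_ip: set of reasons}. 'chain': the full ordered request chain was
    seen; 'webshell': human2.aspx or _human2.aspx was requested at all; 'header': a
    logged X-siLock-* field carried a value."""
    stage = defaultdict(int)  # how far along CHAIN each client has progressed
    hits = defaultdict(set)
    for req in parse_iis(text):
        ip, uri = req.get("c-ip", "?"), req.get("cs-uri-stem", "").lower()
        if any("x-silock" in k.lower() and v != "-" for k, v in req.items()):
            hits[ip].add("header")
        if uri in WEBSHELL_NAMES:
            hits[ip].add("webshell")
        expected = CHAIN[stage[ip]] if stage[ip] < len(CHAIN) else None
        if expected and (uri == expected or (expected == CHAIN[-1] and uri in WEBSHELL_NAMES)):
            stage[ip] += 1
            if stage[ip] == len(CHAIN):
                hits[ip].add("chain")
    return dict(hits)

if __name__ == "__main__":
    for ip, reasons in sorted(scan(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(reasons)))
```

Point it at the real log directory resolved from the LogsBaseDir registry value noted above; a client that only hits guestaccess.aspx (normal guest traffic) is not flagged.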