Reported widely in the media, the recent MOVEit Transfer zero-day vulnerability has been mass-exploited for data theft attacks. In this article we provide our review of the vulnerability and remediation steps for organisations who may be impacted.
Summary
- Microsoft has linked the Clop ransomware gang to recent attacks that have exploited a zero-day vulnerability in the MOVEit Transfer file transfer software - tracked as CVE-2023-34362 - to steal data from several notable organizations.
- Microsoft is attributing these attacks to Lace Tempest, a criminal group known for carrying-out Clop ransomware operations and running the Clop extortion site.
- The threat actors utilized the MOVEit Transfer vulnerability to drop specially crafted webshells on servers. This allowed them to download files, retrieve lists of files stored on servers, and obtain sensitive information relating to the configuration of Azure Blog Storage accounts.
Remediation
We advise that organisations block external traffic to ports 80 and 443 on their MOVEit Transfer server. This will prevent external access to the web UI, prevent some MOVEit Automation tasks from working, block APIs, and prevent the Microsoft Outlook MOVEit Transfer plugin from running. This will not prevent SFTP and FTP/s protocols from being used to transfer files.
We also recommend checking the 'C:\MOVEit Transfer\wwwroot\' folder for unexpected files, including backups or large file downloads. This may indicate that a threat actor has exploited the vulnerability or are in the process of doing so.
Until a patch is released for your MOVEit Transfer version, it is strongly advised that organisations shut down any MOVEit Transfer-related services and perform a thorough investigation to identify any signs of a potential compromise.
Below is the current list (7.06.23) of MOVEit Transfer versions that have a patch available:
Affected Version: MOVEit Transfer 2023.0.0 (15.0)
Fixed version: MOVEit Transfer 2023.0.1
Documentation: MOVEit 2023 Upgrade Documentation
Affected Version: MOVEit Transfer 2022.1.x (14.1)
Fixed version: MOVEit Transfer 2022.1.5
Documentation: MOVEit 2022 Upgrade Documentation
Affected Version: MOVEit Transfer 2022.0.x (14.0)
Fixed version: MOVEit Transfer 2022.0.4
Documentation: MOVEit 2022 Upgrade Documentation
Affected Version: MOVEit Transfer 2021.1.x (13.1)
Fixed version: MOVEit Transfer 2021.1.4
Documentation: MOVEit 2021 Upgrade Documentation
Affected Version: MOVEit Transfer 2021.0.x (13.0)
Fixed version: MOVEit Transfer 2021.0.6
Documentation: MOVEit 2021 Upgrade Documentation
Affected Version: MOVEit Transfer 2020.1.x (12.1)
Fixed version: Special Patch Available
Documentation: See KB 000234559
Affected Version: MOVEit Transfer 2020.0.x (12.0) or older
Fixed version: MUST upgrade to a supported version
Documentation: See MOVEit Transfer Upgrade and Migration Guide
Affected Version: MOVEit Cloud
Fixed version: MOVEit Transfer 14.1.4.94; MOVEit Transfer 14.0.3.42
Documentation: All MOVEit Cloud systems are fully patched at this time. Cloud Status Page
FAQs
What are the indicators of compromise?
Files with a .aspx extension that have been created on the system recently such as ‘human2.aspx.’ and ‘guestaccess.aspx’.
- This is the webshell file which gives the threat actor access to the system to execute commands and continue their attack.
The presence of scripts of unknown origin.
- All file extensions are in play.
The presence of new files created in:
- C:\MOVEitTransfer\wwwroot\
The presence of DLL files under C:\Windows\Microsoft. NET\Framework64\[version]\Temporary ASP. NET Files\root\ and all subfolders that are not part of the MOVEit Transfer installation.
What data should be preserved for triage?
Preferred:
- A full disk image from the exploited system created with FTK or an upload of the exploited servers virtual hard drive file (VHDX, VMDK, etc).
- Any firewall or web application firewall logs IF the firewall is configured to handle traffic to and from the exploited system.
- A full disk image of the MOVEit Transfer database server.
Minimum:
- IIS logs from the exploited system (these show the malicious connections made during the exploitation process).
- A velociraptor or surge collection.
- A copy of C:\MOVEit and all subfolders.
- A copy of the MOVEit Transfer database (commonly named moveittransfer or moveitdmz).
How does the exploit work?
The threat actor finds a publicly accessible server running a vulnerable version of the MOVEit Transfer software and sends the exploit.
- At the time of this analysis, proof of concept code showing how the exploit is performed is not yet available.
- At this point in time, it is believed to be mostly SQL injection
The exploit will create an aspx webshell file on the system.
The threat actor will connect to their aspx webshell file, connect to the MOVEit Transfer database, and execute commands to exfiltrate files.
What is the motive of the attack?
To replay previously executed legitimate MOVEit Transfer file transfer jobs, but reroute the files to a threat actor controlled location (commonly cloud hosted infrastructure in Azure, AWS, Alicloud, or MEGA).
What types of data are targeted?
Any file and folder that has been transferred using MOVEit Transfer can be targeted so long as the file or folder still resides in the same location as when it was legitimately transferred in the past.
Can they move to other systems?
With time and materials, yes. The exploit itself does not give them the permissions needed to move around the network and harvest credentials. At present, the threat actor appears to be focusing on a smash and grab exfiltration approach rather than deploying ransomware.
Can you share IOCs?
File: cve-2023-34362-iocs (progress.com)
- The filenames are a better indicator than the file hashes. Each iteration of the webshell file will likely have a different hash.
Is this an automated attack?
The exploitation is automated, but the exfiltration is manual. IF the exploitation has happened recently, there is a possibility that the threat actor has not yet performed exfiltration.
Would a security tool have detected this?
All of this activity is database and application layer.
- It is possible for the following tools to capture the exploit traffic within their logging:
- Web application firewalls
- A file transaction or database transaction monitoring solution such as the Imperva suite
Conventional network tooling and AV cannot detect the exploit at this point in time.
Where is the database?
This is an admin-defined location and is commonly a server other than the one that has been exploited.
What is the investigation methodology?
- Confirm the exploitation of the system by analyzing DLL and ASPX files.
- Confirm through IIS log analysis that the ASPX file was requested and accessed.
- Create a copy of the database to work off.
- Use a tool to open the database.
Determine if there are active sessions.
If there are active sessions, analyze the logs to determine what occurred during the active session. This will tell you what was exfiltrated.
If there are no active sessions, restore the database closer to the time of exploitation and re-assess and then analyze the logs to determine what occurred during the active session. This will tell you what was exfiltrated.
- Using all discoveries, generate a list of files that were exfiltrated.
- Analyze domain controller logs to determine whether there is evidence of additional compromise elsewhere in the environment.
Please contact S-RM if you are concerned about your organisation’s exposure to the MOVEit exploit.
