
Detailed analysis of the Zero- Day vulnerability in MOVEit transfer

Key Takeaways

  • A common feature among all exploited devices is a webshell named ‘human2.aspx’ located in the ‘C:\MOVEitTransfer\wwwroot’ public HTML folder. Multiple IP addresses have been associated with the attacks, and the attacks reportedly started on May 27th.
  • The exploitation method strongly resembles the mass exploitations of GoAnywhere MFT and Accellion FTA servers in January 2023 and December 2020 respectively. These previous incidents were linked to the Clop ransomware gang, who exploited managed file transfer platforms for data theft and extortion.
  • The threat actor Lace Tempest has been officially linked to the exploitation of a critical flaw in Progress Software’s MOVEit Transfer application. Their apparent collaboration with the cl0p ransomware group, as evidenced by ransom notes found on compromised hosts, reinforces the urgent need for users to promptly apply security patches. The PoC exploit code for MOVEit Transfer was released by Horizon3 company.
  • On June 15th, a third vulnerability (CVE-2023-35708) in Progress Software’s MOVEit Transfer was found. This vulnerability could allow users to gain elevated rights and potentially unapproved access to the environment. The vulnerability’s specific characteristics that enable worming are unknown. In addition, no evidence of an exploit of the vulnerability has been found by researchers.

 

Recommendations

  • Immediate measures include blocking external traffic to ports 80 and 443, inspecting the MOVEit Transfer folder for unexpected files, and conducting thorough forensic examinations for any signs of compromise. Organizations are urged to prepare for potential extortion and public disclosure of stolen data. Progress Software Corporation has published patches for the vulnerability; they should be applied promptly.
  • Search for the following potential indications of unauthorized intrusion over the past 30 days, i.e., at least the emergence of unexpected files in the C:\MOVEitTransfer\wwwroot\ directory across all your MOVEit Transfer instances (back-ups included), and unanticipated and/or extensive file downloads.
  • The patch has already been published by the vendor.

This vulnerability needs emergency patching.

Introduction

In layman’s terms, we’ve been investigating a serious cybersecurity issue with a popular software product called MOVEit Transfer. This software has a security flaw, known as a ‘zero-day vulnerability’, which is being exploited by attackers to steal data from many organizations. When the first version of this advisory was written, the identity of these threat actors was unknown, as no extortion attempts had been made at that point (see the Attribution section for the subsequent attribution). The nature of these cyberattacks closely resembles previous large-scale attacks in 2020 and 2023 on similar types of software. Those past incidents were attributed to a criminal group known as the Clop ransomware gang.

A further vulnerability affecting Progress Software’s MOVEit Transfer application was disclosed on June 15th, by which time the Cl0p cybercrime outfit was already extorting the affected businesses.

 

Technical Details

Around 2,500 exposed MOVEit servers, mainly in the US, are at risk. A common feature found across all exploited servers is a webshell named ‘human2.aspx’ (the name mimics the legitimate ‘human.aspx’ page), located in the ‘C:\MOVEitTransfer\wwwroot’ public HTML folder. This webshell first checks whether the inbound request contains a specific password-like value in the ‘X-siLock-Comment’ header, returning a 404 “Not Found” error if the header isn’t correctly populated.

Once accessed with the correct password, the webshell executes commands based on the values of the ‘X-siLock-Step1’, ‘X-siLock-Step2’, and ‘X-siLock-Step3’ request headers. This enables the threat actor to interact with MOVEit’s MySQL server and perform various actions, including retrieving file details, manipulating user entries, acquiring the Azure Blob Storage account configuration, and downloading files.

Multiple randomly named ‘App_Web_<random>.dll’ files, such as ‘App_Web_feevjhtu.dll’, have also been reported in the aftermath of breaches, whereas a healthy installation typically has only one such file. The vulnerability is tracked as CVE-2023-34362.

A further vulnerability, designated CVE-2023-35708, is also a SQL injection flaw that could result in elevated privileges and unauthorised access to the environment. The flaw in the MOVEit Transfer web application could let an unauthenticated attacker access the MOVEit Transfer database: by sending a specially crafted payload to a MOVEit Transfer application endpoint, an attacker could modify and disclose the content of the MOVEit database. Researchers have not found any evidence that this vulnerability has been exploited.

 

Affected Products

Versions affected by the original zero-day (CVE-2023-34362):

  • MOVEit Transfer 2023.0.0 (15.0)
  • MOVEit Transfer 2022.1.x (14.1)
  • MOVEit Transfer 2022.0.x (14.0)
  • MOVEit Transfer 2021.1.x (13.1)
  • MOVEit Transfer 2021.0.x (13.0)

Versions listed as affected by the vulnerability disclosed on June 15th (CVE-2023-35708), including the builds that already received the earlier fixes:

  • MOVEit Transfer 2023.0.1, 2023.0.2 (15.0.1, 15.0.2)
  • MOVEit Transfer 2022.1.5, 2022.1.6 (14.1.5, 14.1.6)
  • MOVEit Transfer 2022.0.4, 2022.0.5 (14.0.4, 14.0.5)
  • MOVEit Transfer 2021.1.4, 2021.1.5 (13.1.4, 13.1.5)
  • MOVEit Transfer 2021.0.6, 2021.0.7 (13.0.6, 13.0.7)
  • MOVEit Transfer 2020.1.6 (12.1.6) or later
  • MOVEit Transfer 2020.0.x (12.0) or older

 

Available Vendor Patches

Progress Software Corporation has already published the patch. The files are accessible at the link below:
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

 

Available Mitigations

Step 1: Suspend all HTTP and HTTPS traffic directed to your MOVEit Transfer environment until the patch has been applied.

More precisely:

  • Adjust firewall rules to refuse HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.
  • Keep in mind that, until HTTP and HTTPS traffic is reinstated:
    • Users will be unable to sign in to the MOVEit Transfer web UI
    • MOVEit Automation tasks that use the native MOVEit Transfer host will become inactive
    • REST, Java and .NET APIs will be non-operational
    • The MOVEit Transfer plugin for Outlook will cease to work
    • SFTP and FTP/S protocols, however, will continue functioning normally
  • Administrators will retain access to MOVEit Transfer by opening a remote desktop connection to the Windows host and then navigating to https://localhost/.

 

Step 2: Inspect, Remove and Reset

2.1 Delete Unauthorized Files and User Profiles

  • Search for and remove any instances of the ‘human2.aspx’ and ‘cmdline’ script files;
  • Check the ‘C:\MOVEitTransfer\wwwroot’ directory on the MOVEit Transfer server for any newly created files;
  • Search for new files created in the ‘C:\Windows\TEMP\[random]\’ directory with a ‘.cmdline’ file extension on the MOVEit Transfer server;
  • Remove any unauthorized user profiles;
  • Investigate logs for unanticipated file downloads from unrecognized IPs or a large quantity of files downloaded.

2.2 Reset Passwords

  • Reset the service account passwords for affected systems as well as the MOVEit Service Account.

Use the IoCs below to check for potential signs of compromise in the environment.
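The file-system checks in step 2.1 (human2.aspx, unexpected App_Web_<random>.dll files, .cmdline scripts under a randomised TEMP sub-folder, and archives or executables dropped into wwwroot) can be scripted so that they are run identically on every instance and back-up. The script below is an added example written for this page, not a tool from Progress Software or from the original advisory. It assumes the advisory's default paths (C:\MOVEitTransfer\wwwroot and C:\Windows\TEMP) but accepts other roots; the sample directory tree it builds for demonstration is constructed, with a few planted indicators among benign placeholder files.

```python
r"""Offline file-system triage of a MOVEit Transfer host for the indicators in
Step 2 of this advisory: human2.aspx, unexpected App_Web_<random>.dll files,
*.cmdline scripts under a randomised TEMP sub-folder, and archives, scripts or
executables dropped into wwwroot. Example code written for this page, not a
Progress Software tool. Default roots are the advisory's C:\MOVEitTransfer\wwwroot
and C:\Windows\TEMP; the tree in build_sample_tree() is constructed."""
import re
import tempfile
from pathlib import Path

# File-name part of the advisory's IoC regex: archives/scripts/executables
# directly under wwwroot are not expected on a healthy install.
DROPPED_FILE_RE = re.compile(r"(?i)^[^\\/]{1,40}\.(zip|rar|7z|exe|ps1|bat)$")
# Compiled ASP.NET page DLLs; the advisory reports several appearing after a
# breach where normally one is present, so every one is listed for review.
APP_WEB_RE = re.compile(r"(?i)^App_Web_[a-z0-9]+\.dll$")
WEBSHELL_NAME = "human2.aspx"


def scan_wwwroot(wwwroot):
    """Return (kind, path) findings for the web root."""
    root = Path(wwwroot)
    findings = []
    for entry in root.iterdir():  # top level only, as in the IoC regex
        if entry.is_file() and DROPPED_FILE_RE.match(entry.name):
            findings.append(("dropped_file", str(entry)))
    for path in root.rglob("*"):  # recursive, in case the shell sits deeper
        if not path.is_file():
            continue
        if path.name.lower() == WEBSHELL_NAME:
            findings.append(("webshell", str(path)))
        elif APP_WEB_RE.match(path.name):
            findings.append(("app_web_dll", str(path)))
    return findings


def scan_temp(temp_root):
    r"""Find C:\Windows\TEMP\<random>\<random>.cmdline, the script the advisory
    describes as the one that creates human2.aspx (one level below TEMP)."""
    findings = []
    for sub in Path(temp_root).iterdir():
        if not sub.is_dir():
            continue
        for f in sub.iterdir():
            if f.is_file() and f.suffix.lower() == ".cmdline":
                findings.append(("cmdline_script", str(f)))
    return findings


def triage(wwwroot=r"C:\MOVEitTransfer\wwwroot", temp_root=r"C:\Windows\TEMP"):
    """Combined, sorted findings; run on every instance, back-ups included."""
    return sorted(scan_wwwroot(wwwroot) + scan_temp(temp_root))


def build_sample_tree():
    """Constructed sample install: benign placeholder files plus planted
    indicators. Returns (wwwroot, temp_root) under a fresh temp directory."""
    base = Path(tempfile.mkdtemp(prefix="moveit_triage_"))
    wwwroot = base / "MOVEitTransfer" / "wwwroot"
    temp_root = base / "Windows" / "TEMP"
    (wwwroot / "moveitisapi").mkdir(parents=True)
    (wwwroot / "bin").mkdir()
    (temp_root / "abcd1234").mkdir(parents=True)
    (temp_root / "other").mkdir()
    expected = ["human.aspx", "guestaccess.aspx", "moveitisapi/moveitisapi.dll",
                "bin/App_Web_feevjhtu.dll"]  # the App_Web DLL is still reported
    for rel in expected:
        (wwwroot / rel).write_bytes(b"placeholder")
    (wwwroot / "human2.aspx").write_bytes(b"placeholder")       # planted
    (wwwroot / "dump.7z").write_bytes(b"placeholder")           # planted
    (temp_root / "abcd1234" / "xyz9.cmdline").write_text("x")   # planted
    (temp_root / "other" / "notes.txt").write_text("benign")
    return str(wwwroot), str(temp_root)


if __name__ == "__main__":
    for kind, path in triage(*build_sample_tree()):
        print(f"{kind:15s} {path}")
```

Every App_Web_*.dll is reported rather than filtered, because the advisory says a single such file is normal; compare the count and timestamps against a known-good install before deciding which one is the compiled web shell.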

 

Step 3: Apply the Patch

This vulnerability needs emergency patching.

Attribution

The critical flaw in Progress Software’s MOVEit Transfer application is officially attributed to Lace Tempest, a threat actor tracked by Microsoft. Following exploitation, the threat actor typically deploys a web shell capable of data exfiltration.
Lace Tempest, alternatively known as Storm-0950, has affiliations with other notable groups, such as FIN11, TA505, and Evil Corp, and operates the Cl0p extortion site. The group’s past actions demonstrate a consistent pattern of exploiting zero-day vulnerabilities, including a recent severe bug in PaperCut servers, to steal data and extort victims.
Activity related to this threat actor is also tracked by Google-owned Mandiant under the label UNC4857, with the web shell identified as LEMURLOOT, and noted broad tactical connections with FIN11.
Public sources indicate collaboration between the threat actor, Lace Tempest, and the cl0p ransomware group. Evidence for this collaboration is based on ransom notes found on compromised hosts, which unambiguously link to the cl0p group.

Indicators of compromise

The standard installation path of the software is C:\MOVEitTransfer\wwwroot, recognisable by the presence of the moveitisapi.dll library.

File path:

C:\MOVEitTransfer\wwwroot\human2.aspx

Regex for unexpected archives, scripts and executables in the web root:

(?i)\\MOVEit Transfer\\wwwroot\\[^\\]{1,40}\.(zip|rar|7z|exe|ps1|bat)

 

Folder path:

C:\Windows\TEMP\[random]\[random].cmdline

(Script that is executed to create the human2.aspx file. The folder path and filename are randomized.)

 

POST requests:

POST /moveitisapi/moveitisapi.dll

POST /guestaccess.aspx

POST /api/v1/folders/[random]/files

 

User account creation:

Health Check Service

(“Webshell creates a MOVEit Transfer user account session with the display name ‘Health Check Service’.”)

 

IP Addresses:

209.97.137[.]33
5.252.191[.]0/24
148.113.152[.]144
89.39.105[.]108
5.252.190[.]115
5.252.190[.]208
5.252.189[.]0/24
5.252.190[.]0/24
198.27.75[.]110
209.222.103[.]170
84.234.96[.]104

IP Addresses related with high confidence to Mass Scanners:
146.190.166[.]168
138.68.153[.]47
138.197.152[.]201

Side note:
The three addresses above have been identified as instances of the mass scanner ZGrab and are therefore very likely false positives. During various DFIR (Digital Forensics and Incident Response) engagements they may have been wrongly recorded as IoCs directly related to the campaign, because full-scale internet scanning makes them highly visible in logs.

SHA256 Hashes (related to ‘human2.aspx’ filename on VirusTotal):

5b566de1aa4b2f79f579cdac6283b33e98fdc8c1cfa6211a787f8156848d67ff
0ea05169d111415903a1098110c34cdbbd390c23016cd4e179dd9ef507104495
348e435196dd795e1ec31169bd111c7ec964e5a6ab525a562b17f10de0ab031d
387cee566aedbafa8c114ed1c6b98d8b9b65e9f178cf2f6ae2f5ac441082747a
3ab73ea9aebf271e5f3ed701286701d0be688bf7ad4fb276cb4fbe35c8af8409
c56bcb513248885673645ff1df44d3661a75cfacdce485535da898aa9ba320d4
fe5f8388ccea7c548d587d1e2843921c038a9f4ddad3cb03f3aa8a45c29c6a2f
702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a
2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5
e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e

 

SHA256 Hashes (‘human2.aspx’ webshell used during exploitation as per vendor): see the vendor advisory linked under Available Vendor Patches.

Sigma rule for file creation detection: https://github.com/SigmaHQ/sigma/pull/4281/files#diff-57f376f5bc911cab912a22bf4e18faf321a8608d9ce72da7e121a8ed48238d21

 

 

Proof of Concept

Security researchers from Horizon3 released a PoC for the exploitation of MOVEit Transfer (CVE-2023-34362): https://github.com/horizon3ai/CVE-2023-34362. The company (Horizon3) summarizes its publication as follows: “This POC abuses an SQL injection to obtain a sysadmin API access token and then use that access to abuse a deserialization call to obtain remote code execution. This POC needs to reach out to an Identity Provider endpoint which hosts proper RS256 certificates used to forge arbitrary user tokens – by default this POC uses our IDP endpoint hosted in AWS. By default, the exploit will write a file to C:\Windows\Temp\message.txt. Alternative payloads can be generated by using the ysoserial.net project.”
It is important to note that publicly available PoC can motivate other threat actors to launch their own campaigns and hence increase the number of attacks.

 

 

References

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/

https://www.reddit.com/r/msp/comments/13xjs1y/tracking_emerging_moveit_transfer_critical/

https://thehackernews.com/2023/06/microsoft-lace-tempest-hackers-behind.html

https://github.com/horizon3ai/CVE-2023-34362

https://nvd.nist.gov/vuln/detail/CVE-2023-34362

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023

https://thehackernews.com/2023/06/third-flaw-uncovered-in-moveit-transfer.html

List of changes

Version Date Description
1.0 2023-06-01 Initial Version
2.0 2023-06-02 Updated Version
3.0 2023-06-07 Updated Version
4.0 2023-06-14 Updated Version
5.0 2023-06-19 Updated Version

 

Glossary of terms

POC Proof of Concept
TI Threat Intelligence
TLP Traffic Light Protocol
Workarounds Refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update.
