Update: CVE-2023-34362 has been widely exploited in the wild targeting numerous organizations
A newly discovered zero-day vulnerability in MOVEit Transfer has been identified as CVE-2023-34362, marking the second zero-day disclosure within a managed file transfer solution in 2023. According to reports, threat actors have successfully stolen data from multiple organizations by exploiting this vulnerability.
Here’s everything you need to know:
What is CVE-2023-34362?
On May 31, Progress Software Corporation (“Progress Software”) issued an advisory regarding a critical vulnerability found in MOVEit Transfer, a secure software used for managed file transfer (MFT) by various organizations. Following the publication of this advisory, reports have emerged indicating that the security flaw was actively exploited as a zero-day vulnerability.
Managed file transfer solutions are highly targeted by cyber criminals, especially ransomware groups. While the increase in ransomware attacks over the past few years has largely been attributed to the adoption of double-extortion techniques, which involve both data encryption and theft, some new groups have emerged that bypass data encryption entirely. Additionally, existing groups have shifted their focus towards data theft, abandoning data encryption altogether.
CVE-2023-34362 is an SQL injection flaw present in the MOVEit Transfer web application. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted request to a vulnerable instance of MOVEit Transfer. Successful exploitation grants the attacker access to the underlying MOVEit Transfer instance. Furthermore, depending on the specific database engine in use (such as MySQL, Microsoft SQL Server, or Azure SQL), the attacker may also gain the ability to infer information about the database’s structure and contents.
Progress Software confirmed that both the on-premises and cloud versions of MOVEit Transfer were impacted. In a statement to BleepingComputer, they assured that immediate action was taken, including the temporary suspension of MOVEit Cloud, to safeguard their customers while they assessed the severity of the situation.
Does CVE-2023-34362 affect me?
All MOVEit Transfer versions are affected by this vulnerability; customers on unsupported versions should upgrade to one of the supported fixed versions.
To date, the following products are not susceptible to this SQL Injection Vulnerability in MOVEit Transfer:
- MOVEit Client
- MOVEit Mobile
- MOVEit Add-in for Microsoft Outlook
- MOVEit Automation
- WS_FTP Client
- WS_FTP Server
- MOVEit EZ
- MOVEit Gateway
- MOVEit Analytics
- MOVEit Freely
As this vulnerability was exploited as a zero-day, MOVEit Transfer customers should treat this as a suspected compromise and start the incident response (IR) process. The advisory from Progress Software includes a list of indicators of compromise (IOCs), including the webshell file names “human2.aspx” and “human2.aspx.lnk”, along with a list of command and control traffic signals that can be used as part of an IR investigation.
The discovery of CVE-2023-34362 in MOVEit marks the second time in 2023 that a zero-day in an MFT solution has been exploited. In February, Fortra (formerly HelpSystems), disclosed a pre-authentication command injection zero-day vulnerability in its GoAnywhere MFT solution to customers as part of a technical bulletin as shared by journalist Brian Krebs.
Has CVE-2023-34362 been actively exploited in the wild?
As of 1st November 2023, CVE-2023-34362 has been widely exploited in the wild, targeting numerous organizations.
Victims of this widely exploited vulnerability include a wide range of organizations, from government agencies to airlines, educational and financial institutions, and healthcare providers. Sensitive data, including credit card numbers, personally identifiable information (PII), and social security numbers (SSNs), was exposed.
One of the notable government agencies affected was the US Department of Justice, where the email addresses of 632,000 employees were accessed. The breach stemmed from the MOVEit Transfer vulnerability and targeted government employee surveys and internal agency tracking codes administered by Westat, a data firm used by the Office of Personnel Management (OPM).
This breach primarily impacted Defense Department employees, including those from the Air Force, the Army, the Army Corps of Engineers, the Office of the Secretary of Defense, and Joint Staff officials.
The breach has been attributed to the Cl0p ransomware gang, a Russian-speaking cybercrime group, which made the stolen data public, affecting numerous government entities and businesses globally.
In June 2023, it was revealed that approximately 900 US schools were affected by the MOVEit hack, with hackers stealing sensitive student records. In October, Sony confirmed that the data breach, stemming from the MOVEit vulnerability, had impacted 6,791 of its previous and current employees or their family members.
Despite a patch being released for the vulnerability by Progress (formerly Ipswitch), many organizations have yet to apply the patch. The full extent of the damage caused by the May breach is still unknown, but it’s possible that hackers gained access to classified data.
Eric Kron, a security awareness advocate at KnowBe4, emphasized that the Cl0p ransomware group, responsible for exploiting the MOVEit vulnerability, differs from traditional ransomware gangs. They don’t encrypt data or disrupt services, making it challenging for victims to detect breaches. Kron also expressed concerns about the potential use of stolen information by other nation-states or entities for intelligence gathering or financial gain.
How to fix CVE-2023-34362
Progress Software has released the following fixed versions of MOVEit Transfer on-prem:
Fixed MOVEit Transfer Versions:
- 2021.0.6
- 2021.1.4
- 2022.0.4
- 2022.1.5
- 2023.0.1
To prevent the successful exploitation of the SQLi vulnerability in your MOVEit Transfer environment, we strongly advise implementing the following mitigation measures:
1. Disable HTTP and HTTPS traffic to MOVEit Transfer
Specifically, adjust firewall rules to block HTTP and HTTPS traffic on ports 80 and 443 until the patch can be applied.
Important Note: While HTTP and HTTPS traffic is disabled, the following will be affected:
- Users will be unable to log in to the MOVEit Transfer web UI.
- MOVEit Automation tasks utilizing the native MOVEit Transfer host will not function.
- REST, Java, and .NET APIs will be inactive.
- The MOVEit Transfer add-in for Outlook will not work.
SFTP and FTP/S protocols will continue to operate normally, and administrators can still access MOVEit Transfer by using remote desktop to connect to the Windows machine and then browsing to https://localhost/.
2. Review, delete, and reset
- Delete Unauthorized Files and User Accounts:
  - Remove any occurrences of the human2.aspx file (or any files with a human2 prefix) and .cmdline script files.
  - On the MOVEit Transfer server, check for newly created files in the C:\MOVEitTransfer\wwwroot\ directory.
  - Search for new files with the .cmdline file extension in the C:\Windows\TEMP\[random]\ directory on the MOVEit Transfer server.
  - Look for newly created APP_WEB_[random].dll files in the C:\Windows\Microsoft.NET\Framework64\[version]\Temporary ASP.NET Files\root\[random]\[random]\ directory:
    - Stop IIS (execute “iisreset /stop”).
    - Delete all APP_WEB_[random].dll files located in C:\Windows\Microsoft.NET\Framework64\[version]\Temporary ASP.NET Files\root\[random]\[random]\.
    - Start IIS (execute “iisreset /start”). Note that the web application will rebuild these files correctly upon the next access. It is normal to have at least one APP_WEB_[random].dll file in this directory.
  - Remove any unauthorized user accounts according to the guidelines provided in the Progress MOVEit Users Documentation article.
- Review Logs and IIS Logs:
  - Thoroughly analyze logs for any unexpected downloads of files from unknown IP addresses or a large number of file downloads. Consult the MOVEit Transfer Logs guide for detailed instructions on log review.
  - Examine IIS logs for events involving GET /human2.aspx. A high volume of log entries or entries with large data sizes may indicate unexpected file downloads.
  - If applicable, review Azure logs to identify any instances of unauthorized access to Azure Blob Storage Keys. Consider rotating potentially affected keys.
- Reset service account credentials for affected systems and the MOVEit Service Account. See KB 000115941.
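As an added example (not code from the Progress advisory or this post), the following Python script applies the IIS log review above to W3C-format IIS logs: it counts requests for any human2* file per client IP and lists large responses sent to IPs outside an assumed allowlist. The sample log lines are constructed, and they assume sc-bytes logging is enabled on the site.

```python
"""Scan IIS W3C logs for traffic to the human2 webshell and for bulk downloads to unknown IPs."""
from collections import defaultdict

# Constructed sample log (not real data). The #Fields line assumes sc-bytes logging is on,
# which IIS does not enable by default; parse_w3c reads whatever header the log has.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2023-05-28 03:12:41 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 2048 310 15
2023-05-28 03:12:45 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 15873264 412 1203
2023-05-28 03:13:02 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 20971520 412 1750
2023-05-28 08:00:10 10.0.0.5 GET /human.aspx - 443 alice 192.0.2.10 Mozilla/5.0 - 200 0 0 5120 280 40
2023-05-28 09:00:00 10.0.0.5 GET /api/v1/files/123/download - 443 bob 192.0.2.11 Mozilla/5.0 - 200 0 0 8388608 300 900
"""

LARGE_RESPONSE_BYTES = 10 * 1024 * 1024  # assumed threshold: responses over 10 MiB get a second look


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            # IIS writes spaces inside a field (e.g. the user agent) as '+', so split() is safe
            yield dict(zip(fields, line.split()))


def find_webshell_hits(text, known_ips=frozenset()):
    """Aggregate human2* requests per client IP and list large responses sent to unknown IPs."""
    webshell = defaultdict(lambda: {"requests": 0, "bytes": 0})
    large_unknown = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        ip = rec.get("c-ip", "?")
        raw = rec.get("sc-bytes", "0")
        sc_bytes = int(raw) if raw.isdigit() else 0  # IIS logs '-' when the value is unknown
        # human.aspx is a legitimate MOVEit page; only the human2* names are the IoC
        if stem.rsplit("/", 1)[-1].startswith("human2"):
            webshell[ip]["requests"] += 1
            webshell[ip]["bytes"] += sc_bytes
        if sc_bytes >= LARGE_RESPONSE_BYTES and ip not in known_ips:
            large_unknown.append((ip, stem, sc_bytes))
    return dict(webshell), large_unknown


if __name__ == "__main__":
    shells, bulk = find_webshell_hits(SAMPLE_LOG, known_ips={"192.0.2.10", "192.0.2.11"})
    print("webshell traffic:", shells)
    print("large responses to unknown IPs:", bulk)
```

Point it at the real files under the IIS log directory instead of SAMPLE_LOG and populate known_ips with the addresses you expect to see bulk downloads from.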
3. Apply the patch
Refer to the following link for a list of supported versions: https://community.progress.com/s/products/moveit/product-lifecycle.
Note that the license file can remain the same when applying the patch.
4. Verification
To ensure the successful removal of files and the absence of unauthorized accounts, repeat step 2A. If any compromise indicators are discovered, reset the service account credentials again.
5. Enable all HTTP and HTTPS traffic to MOVEit Transfer
Once the necessary measures have been implemented, re-enable HTTP and HTTPS traffic in your MOVEit Transfer environment.
6. Continuous monitoring
Maintain ongoing monitoring of network, endpoints, and logs to identify any Indicators of Compromise (IoCs) listed in the provided table.
If upgrading to a patched version is currently not possible, Progress Software suggests temporarily disabling HTTP (port 80) and HTTPS traffic (port 443) to MOVEit Transfer as a preventive measure against exploitation.
The MOVEit Transfer detection plugin (ID: 90190) has been updated, and a new version check plugin (ID: 176567) has been introduced. You can find additional plugins to detect this vulnerability by visiting the provided link. The link is designed with a search filter to display all relevant plugin coverage as it becomes available.
Mitigation
If you are unable to implement the recommended mitigation steps mentioned earlier, we strongly advise taking the following security measures to minimize the risk of unauthorized access to your MOVEit Transfer environment:
- Enhance network firewall rules by permitting connections to the MOVEit Transfer infrastructure exclusively from IP addresses that are known and trusted.
- Conduct a thorough review to identify and eliminate any user accounts that are unauthorized. Detailed instructions can be found in the Progress MOVEit Users Documentation.
- Update the remote access policies to allow inbound connections only from IP addresses that are known and trusted. For comprehensive guidance on restricting remote access, please consult the SysAdmin Remote Access Rules and Security Policies Remote Access guide.
- Restrict inbound access solely to trusted entities, for example, by implementing certificate-based access control.
- Activate multi-factor authentication (MFA) to provide an additional layer of security for MOVEit Transfer accounts. MFA helps protect against unauthorized access in situations where a user’s account password is lost, stolen, or compromised. For instructions on enabling MFA, please refer to the MOVEit Transfer Multi-factor Authentication Documentation.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Can you trust ChatGPT’s package recommendations?
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- OWASP Top 10 vulnerabilities 2022: what we learned
- How to fix CVE-2023-32784 in KeePass password manager
And finally…
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.