Researchers at FortiGuard Labs are aware of a critical zero-day SQL injection vulnerability in the MOVEit Secure Managed File Transfer software (CVE-2023-34362) allegedly exploited by the Cl0p ransomware threat actor. High-profile government, finance, media, aviation, and healthcare organizations have reportedly been affected, with data exfiltrated and stolen.
Due to its severity, US CISA released an advisory for the vulnerability on 1 June 2023. They also updated the Known Exploited Vulnerabilities catalog on 2 June with CVE-2023-34362.[1]
This article contains information on what you need to know about CVE-2023-34362. For further details, please see the related FortiGuard Labs Outbreak Alert.[2]
What is MOVEit Transfer? MOVEit Transfer is a commercial secure managed file transfer (MFT) software solution that enables the secure movement of files between organizations and their customers using SFTP, SCP, and HTTP-based uploads.
Severity Level: High
What is CVE-2023-34362? MOVEit Transfer is vulnerable to a SQL injection vulnerability that could allow an unauthenticated attacker to access MOVEit Transfer's database. Structured Query Language (SQL) allows queries and commands to be executed against a relational database. An injection vulnerability allows an attacker to manipulate one of these queries to exploit a system to retrieve data or make changes.
In this case, an attacker could pull data from the database that would otherwise be secured, execute their own SQL queries, and change or delete data. This vulnerability affects versions of MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), regardless of which of the following engines hosts the actual database: MySQL (open-source relational database management system), Microsoft SQL Server (Microsoft on-premises relational database management system), or Azure SQL (Microsoft cloud-based relational database management system).
Reportedly, a web shell that acts as a backdoor was deployed, and data exfiltration was performed after successfully exploiting the vulnerability. However, as described in the next section, attackers can deploy any file after exploitation.
As of 8 June, a CVSS score has yet to be assigned to the vulnerability.
What does the Deployed Web Shell Do? Our investigation of a web shell backdoor likely installed after CVE-2023-34362 was successfully exploited revealed that all commands to the backdoor are sent through extra HTTP request headers. A password is needed to verify the attacker and allow access to the backdoor; it is sent in the "X-siLock-Comment" header. If the password is invalid, the backdoor responds with a 404 HTTP status code to pretend it doesn't exist.
Figure 1. Code to verify the backdoor’s password.
Analysts also discovered that the web shell has the following attack flows:
- Delete the service account. The HTTP request headers should include the following:
X-siLock-Comment: [password]
X-siLock-Step1: -2
If "-2" is sent in the "X-siLock-Step1" header, the backdoor deletes every user in the database's "user" table whose real name is "Health Check Service."
Figure 2. Code to delete MOVEit service account.
- List database files. The HTTP request headers should include the following:
X-siLock-Comment: [password]
X-siLock-Step1: -1
If "-1" is sent in the "X-siLock-Step1" header, the backdoor lists the files in the database. The listing includes file metadata: it tries to include each file's id, name, and size, the file's location (folder path), which user owns/uploaded the file, and which institution the file is associated with.
- Create a new service account. The HTTP request headers should include the following:
X-siLock-Comment: [password]
X-siLock-Step1: [arbitrary institution id]
If an integer other than "-1" or "-2" is sent in the "X-siLock-Step1" header, the backdoor assumes it is an institution id. Institution ids can be enumerated from step 2 of the attack flow, when the database files are listed. The attacker is trying to create a new service account for a specific institution. To confirm that step 1 of the attack flow succeeded, this command first looks for users belonging to the institution that have an active session and a permission level of "30". If no account with the real name "Health Check Service" exists, the backdoor generates a username of 16 random alphanumeric characters and inserts it as the new Health Check Service account for the specified institution. It then tries to add that account to the list of currently active sessions using the IP address 127.0.0.1, since the service account is supposed to be local.
Figure 3. Code to create a new MOVEit service account.
- Download arbitrary files. The HTTP request headers should include the following:
X-siLock-Comment: [password]
X-siLock-Step1: [arbitrary institution id]
X-siLock-Step2: [arbitrary folder id]
X-siLock-Step3: [arbitrary file id]
If an institution id, folder id, and file id are all included, the backdoor attempts to download the file. These values can be obtained from step 2 of the overall attack flow.
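The header-driven command set above is simple enough to detect directly. The following is an added example (not code from the article or from FortiGuard Labs) that classifies captured requests by the X-siLock-* headers they carry and flags the shell's 404 "wrong password" response; it assumes the headers come from a WAF or reverse-proxy capture, since stock IIS logs do not record custom request headers, and uses a placeholder path and constructed sample requests.

```python
import re
from typing import Dict, List, Optional

# Header names the article attributes to the web shell; matched case-insensitively.
AUTH_HEADER = "x-silock-comment"
STEP_HEADERS = ("x-silock-step1", "x-silock-step2", "x-silock-step3")

def classify_backdoor_request(headers: Dict[str, str]) -> Optional[str]:
    """Map request headers to the web-shell action the article describes; None if no X-siLock-* header."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if not any(k in h for k in (AUTH_HEADER,) + STEP_HEADERS):
        return None
    step1 = h.get("x-silock-step1")
    if step1 is None:
        return "auth_only"            # password header present, no command
    if step1 == "-2":
        return "delete_service_account"
    if step1 == "-1":
        return "list_database_files"
    if not re.fullmatch(r"-?\d+", step1):
        return "malformed_step1"      # the backdoor expects an integer here
    if "x-silock-step2" in h and "x-silock-step3" in h:
        return "download_file"        # institution + folder + file id
    return "create_service_account"   # bare institution id

def scan_requests(requests: List[dict]) -> List[dict]:
    """Flag captured requests ({"path", "status", "headers"}) that look like web-shell traffic."""
    findings = []
    for i, req in enumerate(requests):
        action = classify_backdoor_request(req["headers"])
        if action is None:
            continue
        # A 404 to a request carrying the password header matches the shell's
        # "wrong password" behaviour, so it is flagged rather than ignored.
        note = "possible failed auth (404)" if req["status"] == 404 else ""
        findings.append({"index": i, "path": req["path"], "action": action, "note": note})
    return findings

# Constructed sample capture (from a WAF/reverse proxy; stock IIS logs do not record
# custom request headers). The path is a placeholder, not the shell's real file name.
SAMPLE_REQUESTS = [
    {"path": "/api/v1/folders", "status": 200, "headers": {"User-Agent": "curl/8.0"}},
    {"path": "/PLACEHOLDER.aspx", "status": 404, "headers": {"X-siLock-Comment": "guess"}},
    {"path": "/PLACEHOLDER.aspx", "status": 200,
     "headers": {"X-siLock-Comment": "pw", "X-siLock-Step1": "-1"}},
    {"path": "/PLACEHOLDER.aspx", "status": 200,
     "headers": {"X-siLock-Comment": "pw", "X-siLock-Step1": "1234",
                 "X-siLock-Step2": "77", "X-siLock-Step3": "9001"}},
]
```

Running `scan_requests(SAMPLE_REQUESTS)` yields three findings: the 404 probe, a file listing, and a file download; the ordinary API request is ignored.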
How Widespread is the Attack? While we do not know precisely how many organizations were impacted by this vulnerability, publicly available information indicates that several high-profile organizations have been compromised.
The web shell backdoor, likely deployed due to the successful exploitation of CVE-2023-34362, was submitted to a public file scanning service from the United States, the United Kingdom, Germany, Italy, India, and Pakistan. As such, potential victims could likely be located in those countries.
Has the Vendor Released an Advisory for CVE-2023-34362? The vendor released an advisory on May 31st, 2023, along with the timeline:
MOVEit Transfer Critical Vulnerability (May 2023)
MOVEit Transfer and MOVEit Cloud Vulnerability
The advisory contains Indicators of Compromise (IOCs) that can help cybersecurity professionals identify attacks leveraging CVE-2023-34362.
Has the Vendor Released a Patch for CVE-2023-34362? Yes. A vendor patch was released on May 31st, 2023.
What is the Status of Protection? Researchers have the following AV signature available for the web shell backdoor samples reportedly deployed after CVE-2023-34362 was exploited:
JS/TiMove.A!tr.bdr
FortiGuard Labs released the following IPS signature for CVE-2023-34362 in version 23.570:
Progress.MOVEit.Transfer.Unrestricted.File.Upload
Web filtering blocks the network IOCs listed in the security advisory issued by Progress.
Is Mitigation Available? Yes, the vendor advisory contains mitigation that can be applied before applying the vendor patch.
Conclusion: CVE-2023-34362 has allegedly been leveraged by the Cl0p ransomware threat actor to compromise multiple organizations for data exfiltration and other malicious activities. Now that the vulnerability has gained public attention, we expect other threat actors to leverage it as well, and new exploitation attempts will likely accelerate. As such, researchers strongly urge MOVEit Transfer users to apply all patches and implement the mitigations provided by the vendor as soon as possible.
FortiGuard Labs will continue to actively monitor the situation for further insights and provide additional information about protections as they become available.
IOCs
File IOCs
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
[1] https://www.fortinet.com/blog/threat-research/moveit-transfer-critical-vulnerability-cve-2023-34362-exploited-as-a-0-day/
[2] https://www.fortiguard.com/outbreak-alert/progress-moveit-transfer-sql-injection