MOVEit Transfer Critical Vulnerability (CVE-2023-34362) Exploited as a 0-day
2023-6-9 04:15:0 Author: feeds.fortinet.com(查看原文) 阅读量:2 收藏

Affected Platforms: All unpatched MOVEit Transfer versions running a SQL database
Impacted Users: Any organization that uses a vulnerable version of MOVEit Transfer
Impact: Remote attackers can install a backdoor and exfiltrate data
Severity Level: High

FortiGuard Labs is aware of a critical zero-day SQL injection vulnerability in the MOVEit Secure Managed File Transfer software (CVE-2023-34362) allegedly exploited by the Cl0p ransomware threat actor. High-profile government, finance, media, aviation, and healthcare organizations have reportedly been affected, with data exfiltrated and stolen.

Due to its severity, CISA released an advisory for the vulnerability on June 1st, 2023. They also updated the Known Exploited Vulnerabilities catalog on June 2nd with CVE-2023-34362.

This blog contains information on what you need to know about CVE-2023-34362. For further details, please see the related FortiGuard Labs Outbreak Alert.

What is MOVEit Transfer?

MOVEit Transfer is a commercial secure managed file transfer (MFT) software solution that enables the secure movement of files between organizations and their customers using SFTP, SCP, and HTTP-based uploads.

What is CVE-2023-34362?

MOVEit Transfer is vulnerable to a SQL injection vulnerability that could allow an unauthenticated attacker to access MOVEit Transfer's database.  Structured Query Language (SQL) allows queries and commands to be executed against a relational database. An injection vulnerability allows an attacker to manipulate one of these queries to exploit a system to retrieve data or make changes.

In this case, an attacker could pull data from the database that would otherwise be secured, execute their own SQL queries, and change and delete data. This vulnerability affects versions of MOVEit before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1) as well as versions using the following engines to host the actual database: MySQL [open-source relational database management system], Microsoft SQL Server [Microsoft on-premises relational database management system], and Azure SQL [Microsoft cloud-based relational database management system]).

Reportedly, a web shell that acts as a backdoor was deployed, and data exfiltration was performed after successfully exploiting the vulnerability. However, as described in the next section, attackers can deploy any file after exploitation.

At the time of this writing, a CVSS score still needs to be assigned for the vulnerability.

What does the Deployed Web Shell Do?

Our investigation on a web shell backdoor likely installed after CVE-2023-34362 was successfully exploited revealed that all commands to the backdoor are sent through extra HTTP request headers. A password is needed to verify the attacker and allow access to the backdoor. This is sent with the "X-siLock-Comment" header. If the password is invalid, the backdoor will respond with a 404 HTTP status code to pretend the backdoor doesn't exist.

Figure 1. Code to verify the backdoor’s password

We also discovered that the web shell has the following attack flows:

1.     Delete the service account. The HTTP request headers should include the following:

  • X-siLock-Comment: [password]
  • X-siLock-Step1: -2

If "-2" is sent with an "X-siLock-Step1" header, the backdoor deletes any users from the "user" table in the database that has the actual name of "Health Check Service."

Figure 2. Code to delete MOVEit service account

2.     List database files. The HTTP request headers should include the following:

  • X-siLock-Comment: [password]
  • X-siLock-Step1: -1

If "-1" is sent with an "X-siLock-Step1" header, the backdoor list files in the database. The file listing also includes file metadata. It tries to include the file's id, name, and size. It also tries to display the file's location (folder path) and which user owns/uploaded the file. The listing also tries to include which institution the file is associated with.

3.     Create a new service account. The HTTP request headers should include the following:

  • X-siLock-Comment: [password]
  • X-siLock-Step1: [arbitrary institution id]

If an integer is sent with an "X-siLock-Step1" header, and it isn't "-1" or "-2", the backdoor assumes it is an institution id. Institution ids can be enumerated from step 2 in the attack flow when the database files are listed. The attacker is trying to create a new service account for a specific institution. To ensure step 1 in the attack flow was successful, this command first looks for users with an active session and a permission level of "30" belonging to the institution. If no account with the real name of “Health Check Service” exists, the backdoor creates a new username containing 16 random alphanumeric characters. It inserts that as the new Health Check Service account for the specified institution. It then tries to add that to the list of currently active sessions using the IP address 127.0.0.1 since the service account is supposed to be local.

Figure 3. Code to create a new MOVEit service account

4.     Download arbitrary files. The HTTP request headers should include the following:

  • X-siLock-Comment: [password]
  • X-siLock-Step1: [arbitrary institution id]
  • X-siLock-Step2: [arbitrary folder id]
  • X-siLock-Step3: [arbitrary file id]

If an institution id, folder id, and file id are all included, it attempts to download the file. These values can be obtained from step 2 in the overall attack flow.

How Widespread is the Attack?

While we do not know precisely how many organizations were impacted by this vulnerability, publicly available information indicates that several high-profile organizations have been compromised.

The web shell backdoor, likely deployed due to the successful exploitation of CVE-2023-34362, was submitted to a public file scanning service from the United States, the United Kingdom, Germany, Italy, India, and Pakistan. As such, potential victims could likely be located in those countries.

Has the Vendor Released an Advisory for CVE-2023-34362?

The vendor released an advisory on May 31st, 2023, along with the timeline:

The advisory contains Indicators of Compromise (IOCs) that can help cybersecurity professionals identify attacks leveraging CVE-2023-34462.

Has the Vendor Released a Patch for CVE-2023-34362?

Yes. A vendor patch was released on May 31st, 2023.

What is the Status of Protection?

FortiGuard Labs has the following AV signature available for the available web shell backdoor samples reportedly deployed after CVE-2023-34362 was exploited:

  • JS/TiMove.A!tr.bdr

FortiGuard Labs released the following IPS signature for CVE-2023-34362 in version 23.570:

  • Progress.MOVEit.Transfer.Unrestricted.File.Upload

Webfiltering blocks Network IOCs listed on the security advisory issued by Progress.

For a comprehensive list of protections from FortiGuard Labs, please visit the Outbreak Alert page for further details.

Is Mitigation Available?

Yes, the vendor advisory contains mitigation that can be applied before applying the vendor patch.

Conclusion

CVE-2023-34362 has allegedly been leveraged by the Cl0p ransomware threat actor to compromise multiple organizations for data exfiltration and other malicious activities. Now that the vulnerability has gained public attention, we expect other threat actors to also leverage this vulnerability, and new attempts at exploitation will likely be accelerated. As such, FortiGuard Labs strongly urges MOVEit Transfer users to apply all patches and implement mitigations provided by the vendor as soon as possible.

FortiGuard Labs will continue to actively monitor the situation for further insights and provide additional information about protections as they become available.

IOCs

File IOCs

SHA2

Malware

702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0

web shell backdoor

929bf317a41b187cf17f6958c5364f9c5352003edca78a75ee33b43894876c62

web shell backdoor

c77438e8657518221613fbce451c664a75f05beea2184a3ae67f30ea71d34f37

web shell backdoor

93137272f3654d56b9ce63bec2e40dd816c82fb6bad9985bed477f17999a47db

web shell backdoor

bdd4fa8e97e5e6eaaac8d6178f1cf4c324b9c59fc276fd6b368e811b327ccf8b

web shell backdoor

d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195

web shell backdoor

348e435196dd795e1ec31169bd111c7ec964e5a6ab525a562b17f10de0ab031d

web shell backdoor

769f77aace5eed4717c7d3142989b53bd5bac9297a6e11b2c588c3989b397e6b

web shell backdoor

7c39499dd3b0b283b242f7b7996205a9b3cf8bd5c943ef6766992204d46ec5f1

web shell backdoor

3a977446ed70b02864ef8cfa3135d8b134c93ef868a4cc0aa5d3c2a74545725b

web shell backdoor

b9a0baf82feb08e42fa6ca53e9ec379e79fbe8362a7dac6150eb39c2d33d94ad

web shell backdoor

4359aead416b1b2df8ad9e53c497806403a2253b7e13c03317fc08ad3b0b95bf

web shell backdoor

daaa102d82550f97642887514093c98ccd51735e025995c2cc14718330a856f4

web shell backdoor

a1269294254e958e0e58fc0fe887ebbc4201d5c266557f09c3f37542bd6d53d7

web shell backdoor

f0d85b65b9f6942c75271209138ab24a73da29a06bc6cc4faeddcb825058c09d

web shell backdoor

ea433739fb708f5d25c937925e499c8d2228bf245653ee89a6f3d26a5fd00b7a

web shell backdoor

cf23ea0d63b4c4c348865cefd70c35727ea8c82ba86d56635e488d816e60ea45

web shell backdoor

5b566de1aa4b2f79f579cdac6283b33e98fdc8c1cfa6211a787f8156848d67ff

web shell backdoor

0ea05169d111415903a1098110c34cdbbd390c23016cd4e179dd9ef507104495

web shell backdoor

387cee566aedbafa8c114ed1c6b98d8b9b65e9f178cf2f6ae2f5ac441082747a

web shell backdoor

3ab73ea9aebf271e5f3ed701286701d0be688bf7ad4fb276cb4fbe35c8af8409

web shell backdoor

c56bcb513248885673645ff1df44d3661a75cfacdce485535da898aa9ba320d4

web shell backdoor

fe5f8388ccea7c548d587d1e2843921c038a9f4ddad3cb03f3aa8a45c29c6a2f

web shell backdoor

9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead

web shell backdoor

9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a

web shell backdoor

b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272

web shell backdoor

6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d

web shell backdoor

48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a

web shell backdoor

2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5

web shell backdoor

e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e

web shell backdoor

d477ec94e522b8d741f46b2c00291da05c72d21c359244ccb1c211c12b635899

web shell backdoor

3c0dbda8a5500367c22ca224919bfc87d725d890756222c8066933286f26494c

web shell backdoor

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolioSign up to receive our threat research blogs.


文章来源: https://feeds.fortinet.com/~/744947144/0/fortinet/blog/threat-research~MOVEit-Transfer-Critical-Vulnerability-CVE-Exploited-as-a-day
如有侵权请联系:admin#unsafe.sh