{"id":78915,"date":"2023-06-13T10:00:13","date_gmt":"2023-06-13T17:00:13","guid":{"rendered":"https:\/\/forescoutstage.wpengine.com\/?p=78915"},"modified":"2024-04-23T08:36:12","modified_gmt":"2024-04-23T15:36:12","slug":"mass-exploitation-of-moveit-transfer-critical-vulnerability","status":"publish","type":"post","link":"https:\/\/www.forescout.com\/blog\/mass-exploitation-of-moveit-transfer-critical-vulnerability\/","title":{"rendered":"Mass Exploitation of MOVEit Transfer Critical Vulnerability \u2013 Recommended Mitigations and How Forescout Can Help"},"content":{"rendered":"

On May 31, Forescout Research – Vedere Labs uncovered a significant incident where threat actors exploited a critical zero-day vulnerability in the MOVEit Transfer software<\/a>, which resulted in unauthorized access to and exfiltration of private data, as well as privilege escalation.<\/p>\n

MOVEit Transfer<\/a> is a widely adopted managed file transfer (MFT) solution that enables organizations to securely exchange files with their business partners and customers. The exploited vulnerability has been assigned the identifier CVE-2023-34362<\/a>.<\/p>\n

CVE-2023-34362 is currently being mass exploited<\/a>, with hundreds of organizations hit simultaneously. Although we could not attribute this particular incident to a specific threat actor with certainty, ongoing exploitation of CVE-2023-34362 has been attributed by CISA, the FBI and other organizations<\/a> to the Cl0p ransomware group<\/a> since May 27. The criminal group itself has claimed responsibility for the attacks with an extortion note<\/a> on their website.<\/p>\n

Cl0p is one of the most active ransomware groups and was behind last year\u2019s attack on a UK water utility<\/a>, among many other critical incidents. The group also exploited another vulnerability in a similar MFT tool in January, claiming 130 victims at that time<\/a>. Researchers found evidence<\/a> that the group knew about the MOVEit Transfer vulnerability for almost two years but chose to wait for the right moment to use it in a mass attack.<\/p>\n

CVE-2023-34362 is an SQL injection affecting MOVEit Transfer versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5) and 2023.0.1 (15.0.1). The vulnerability allows attackers to manipulate the underlying database and potentially gain unauthorized access. Exploitation of unpatched systems can occur over both HTTP and HTTPS, making all vulnerable instances susceptible to attack.<\/p>\n

Fortunately, the software vendor, Progress, promptly addressed this vulnerability and released a patch to mitigate the risk. On June 9, the vendor also released a patch for a second SQL injection vulnerability (CVE is pending) to address concerns of exploit staging. There is no evidence that the second vulnerability has been exploited in the wild.<\/p>\n

There are currently more than 2,500 exposed servers<\/a> running MOVEit Transfer. Seventy-three percent of those are in the U.S., 5% in the UK and 4.5% in Germany, with the remaining 17.5% spread across over 80 other countries. Sixty-eight percent of the servers have a similar configuration, running over HTTPS on port 443 on top of the Microsoft IIS web server. These servers are most often observed in organizations in the healthcare, financial services and government sectors.<\/p>\n

Read our full report<\/a> for further technical details about the webshell used in the attack.<\/p>\n

The incident exploiting CVE-2023-34362<\/h2>\n

The figure below summarizes the incident that we have detected and analyze in the full report. First, the threat actor exploited CVE-2023-34362 on an Internet-facing host running a vulnerable version of MOVEit Transfer. Second, the attacker deployed a webshell named human2.aspx<\/em> that allowed them to execute commands on the target. Third, the attacker leveraged the webshell to exfiltrate data to a C2 server.<\/p>\n

\"\"<\/p>\n

Recommended mitigations<\/h2>\n

Progress, the MOVEit Transfer vendor, has released immediate mitigation measures to assist in preventing the exploitation of CVE-2023-34362. The table below shows the security patch for each supported version of MOVEit Transfer. Customers on unsupported versions should upgrade to one of the supported fixed versions below.<\/p>\n

<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n
Affected Version<\/strong><\/th>\nFixed Version<\/strong><\/th>\n<\/tr>\n
MOVEit Transfer 2023.0.0 (15.0)<\/td>\nMOVEit Transfer 2023.0.1<\/a><\/td>\n<\/tr>\n
MOVEit Transfer 2022.1.x (14.1)<\/td>\nMOVEit Transfer 2022.1.5<\/a><\/td>\n<\/tr>\n
MOVEit Transfer 2022.0.x (14.0)<\/td>\nMOVEit Transfer 2022.0.4<\/a><\/td>\n<\/tr>\n
MOVEit Transfer 2021.1.x (13.1)<\/td>\nMOVEit Transfer 2021.1.4<\/a><\/td>\n<\/tr>\n
MOVEit Transfer 2021.0.x (13.0)<\/td>\nMOVEit Transfer 2021.0.6<\/a><\/td>\n<\/tr>\n
MOVEit Transfer 2020.1.x (12.1)<\/td>\nSpecial patch available<\/td>\n<\/tr>\n
MOVEit Transfer 2020.0.x (12.0) or older<\/td>\nMust upgrade to a supported version<\/td>\n<\/tr>\n
MOVEit Cloud<\/td>\nProd:14.1.4.94 or 14.0.3.42\n

Test: 15.0.1.37<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

<\/p>\n

Additional recommended mitigation includes:<\/strong><\/p>\n