Attackers are targeting a newly disclosed critical vulnerability in the MOVEit Transfer file-transfer web application that can provide remote code execution on vulnerable systems. The bug was disclosed on Wednesday, and researchers and incident response teams have seen multiple threat actors exploiting it or scanning for vulnerable installations.
All versions of MOVEit Transfer are affected by the vulnerability (CVE-2023-34362) and the app’s maker, Progress, recommends that organizations running affected versions immediately disable all HTTP and HTTPS traffic to the application. Researchers have found about 2,500 vulnerable instances of MOVEit Transfer exposed to the Internet, most of which are in the United States. There are updates available for all of the affected versions that address this vulnerability.
“In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer's database,” the Progress advisory says.
“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”
In the known exploitation activity against this vulnerability, attackers have used it to install a webshell named human2.aspx. That webshell file contains a SQL database account that the attacker uses for subsequent access to the environment.
“Our teams have so far observed the same webshell name in multiple customer environments, which may indicate automated exploitation. Rapid7 analyzed a sample webshell payload associated with successful exploitation. The webshell code would first determine if the inbound request contained a header named X-siLock-Comment, and would return a 404 "Not Found" error if the header was not populated with a specific password-like value,” Caitlin Condon of Rapid7 said in a blog post.
“As of June 1, 2023, all instances of Rapid7-observed MOVEit Transfer exploitation involve the presence of the file human2.aspx in the wwwroot folder of the MOVEit install directory (human.aspx is the native aspx file used by MOVEit for the web interface).”
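The two indicators quoted above (an unexpected human2.aspx beside MOVEit's native human.aspx in wwwroot, and requests reaching that path) lend themselves to a simple hunt. The following is an added example, not code from Rapid7 or Progress; the baseline file list, the IIS W3C field order and the log lines are constructed, and the check keys on the request path rather than the X-siLock-Comment header because default IIS logging does not record custom request headers.

```python
import os
import tempfile

# Constructed baseline: the page names human.aspx as MOVEit's native web-interface file.
# In practice, build this set from a known-good install of the same version.
EXPECTED_ASPX = {"human.aspx"}
WEBSHELL_NAME = "human2.aspx"


def unexpected_aspx(wwwroot):
    """Return .aspx filenames in wwwroot that are not in the expected baseline.
    Any extra .aspx file is worth a look, not only the reported human2.aspx name."""
    return [
        name for name in sorted(os.listdir(wwwroot))
        if name.lower().endswith(".aspx") and name.lower() not in EXPECTED_ASPX
    ]


def webshell_requests(log_lines):
    """Parse W3C-style IIS log lines and return (client_ip, method, status) for every
    request whose path ends in the webshell name. The field order comes from the
    '#Fields:' directive, so the parser is not tied to one logging configuration.
    404 responses are kept on purpose: the quoted analysis says the webshell itself
    answers 404 when the expected header is missing, so a 404 is not proof of absence."""
    hits, fields = [], None
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign fields
        rec = dict(zip(fields, parts))
        if rec.get("cs-uri-stem", "").lower().endswith("/" + WEBSHELL_NAME):
            hits.append((rec["c-ip"], rec["cs-method"], rec["sc-status"]))
    return hits


# Constructed sample log: one normal login-page hit, two requests to the webshell path.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 02:11:09 10.0.0.5 GET /human.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 02:11:41 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 - 200
2023-05-28 02:12:02 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.9 - 404
""".splitlines()


def demo():
    """Run both checks against a constructed wwwroot and the sample log."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("human.aspx", "human2.aspx"):
            open(os.path.join(root, name), "w").close()
        return unexpected_aspx(root), webshell_requests(SAMPLE_LOG)


if __name__ == "__main__":
    files, hits = demo()
    print("unexpected .aspx files:", files)
    print("requests to webshell path:", hits)
```

On a real server, point unexpected_aspx at the MOVEit wwwroot and feed webshell_requests the IIS log files for at least the window Progress and GreyNoise describe.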
Researchers at GreyNoise, who monitor scanning traffic across the Internet, said they have seen scanning for the MOVEit Transfer login page as early as March 3, pushing the window in which exploitation may have occurred much earlier than the public disclosure of the bug.
“Progress’ security notice is advising users to review their system for unauthorized access for ‘at least the past 30 days’, however, GreyNoise has observed scanning activity for the login page of MOVEit Transfer located at /human.aspx as early as March 3rd, 2023. While we have not observed activity directly related to exploitation, all of the 5 IPs we have observed attempting to discover the location of MOVEit installations were marked as “Malicious” by GreyNoise for prior activities,” GreyNoise’s Matthew Remacle said in a post.
Organizations running vulnerable versions should disable all of the HTTP and HTTPS traffic to the MOVEit Transfer app and install the updated version as soon as possible. Mandiant researchers said they have seen widespread exploitation of the bug already.
"Based on initial analysis from Mandiant incident response engagements, the earliest evidence of exploitation occurred on May 27, 2023 resulting in deployment of web shells and data theft. In some instances, data theft has occurred within minutes of the deployment of web shells. Mandiant currently attributes this activity to UNC4857, a newly created threat cluster with unknown motivations that has impacted organizations operating in a wide range of industries based in Canada, India, and the U.S., but their impact is almost certainly broader," Mandiant said.