Date: 5/6/2023 | Prepared by: Jason Trapp, DFIR Analyst
This alert highlights a critical security issue identified in Managed File Transfer (MFT) software MOVEit Transfer for Windows owned by the vendor Progress1. This vulnerability is tracked with the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2023-34362.
This vulnerability awaits analysis to determine the Common Vulnerability Scoring System (CVSS) score. Based on what has been observed, this vulnerability will likely receive a critical score higher than 9. The vulnerability affected both on-prem and cloud versions MOVEit. Progress has reported that the cloud version of MOVEit Transfer has been patched and is no longer vulnerable.
This SQL injection vulnerability allows an unauthenticated, remote Threat Actor to access the MOVEit Transfer instance. Per Progress’ article, a Threat Actor “may be able to infer information about the structure and contents of the database.” This may provide a Threat Actor with the ability to exfiltrate data.
Huntress reported exploitation of this issue on 31 May 20232, and it was seen that a .aspx file named “human2.aspx” was dropped into the directory wwwroot.
This file has been observed to connect to the database and can either: delete the ‘Health Check Service’ user from the database, leak Azure information from response headers, or retrieve any file specified by an X-siLocked-Step2 header or X-siLocked-Step3 header. Security firm GreyNoise has observed scanning activity for the page “human.aspx” as early as 03 March 20233.
As of the time of writing this Security Bulletin, it is not known which Threat Actor group(s) are associated with exploiting this vulnerability.
This is the second Managed File Transfer (MFT) to have a critical vulnerability be discovered in 2023. The first was the GoAnywhere MFT software which is CVE-2023-0669.
This vulnerability affects all Windows Operating Systems running MOVEit Transfer.
This included the cloud version of the software, which Progress has now advised has been patched.
For those that are running on-premises versions of the MOVEit Transfer software, vulnerable versions of the software include:
Triskele Labs recommends that MOVEit Transfer software is updated in line with the version being run. The following URL links to relevant upgrade documentation for the affected software:
Additional mitigation actions that can be taken include:
These mitigation strategies are not substitutes for patching the vulnerability. These should be implemented in the case that a patch cannot be immediately applied.
The Triskele Labs DefenceShield Security Operations Centre (SOC) monitors suspicious activity for Managed Detection and Response (MDR) clients.
DefenceShield Monitor clients with Security Information and Event Management (SIEM) agents deployed to endpoints running MOVEit Transfer will detect exploitation of this vulnerability.
Triskele Labs are performing ongoing scanning for DefenceShield Assess clients to detect vulnerable devices in client networks.
For any questions, please contact the DefenceShield Security Operations Centre or Triskele Labs support.
1 https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023