Security operations · 3 MIN READ · AARON WALTON · JUN 6, 2023 · TAGS: MDR
This blog has been updated with additional steps Expel took for customers.
What happened?
Progress Software recently disclosed a vulnerability (CVE-2023-34362) affecting all MOVEit Transfer versions. Threat actors are actively exploiting the vulnerability to gain unauthorized access.
Why does it matter?
The Expel security operations center (SOC) team observed that the threat actor deployed a webshell consistently named “human2.aspx”. The human2.aspx webshell reportedly creates a MOVEit Transfer user account session with the display name “Health Check Service”.
If an attacker successfully exploits this vulnerability, they could gain access to an organization’s network and begin exfiltrating data and deploying ransomware. Via a SQL injection vulnerability in the MOVEit Transfer web application, an unauthenticated attacker could gain unauthorized access to MOVEit Transfer’s database, allowing the attacker to modify or access database elements.
What’re we doing for our customers?
Expel performed investigations into compromises we identified in customer environments.
We’ve also:
- Deployed MOVEit IOC rules to surface MOVEit-related alerts and IOCs to high
- Deployed a MOVEit IOC BOLO to surface all vendor alerts with MOVEit-related file hashes
- Created endpoint detection and response (EDR) behavioral hunts
- Created EDR IOC hunts
- Created a cloud infrastructure Azure storage/blob hunt to look for suspicious activity in the management/data plane
Because Expel integrates signal from a variety of security vendors, we’re reviewing the detections that the community develops for this threat. Expel’s detection and response team is also continuing to examine this threat to see what additional detection and hunting logic we can apply.
What should you do right now?
If you use MOVEit Transfer, we recommend searching for the “human2.aspx” file and for any other new and unauthorized user accounts, and then removing them if you cannot confirm their legitimacy. If signs of compromise exist, we recommend reviewing MOVEit Transfer logs for indicators of exfiltration or, if you’re a customer, uploading the logs for Expel to review.
We also recommend that you:
- Apply patches to MOVEit Transfer applications. We recommend implementing the applicable patches and updates as soon as possible.
  - If a software installation is end of life, no patch may be available, but the software is still vulnerable. Installations that cannot be patched should not be exposed to the internet.
  - In this case, disable all HTTP and HTTPS traffic to your MOVEit Transfer environment. Note that doing so will limit and/or stop MOVEit Transfer functionality until re-enabled.
- Delete Unauthorized Files and User Accounts
  - Delete any instances of the human2.aspx and .cmdline script files.
  - On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
  - On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of .cmdline.
  - Remove any unauthorized user accounts. (See the Progress MOVEit Users Documentation article for full details.)
  - Review logs for unexpected downloads of files from unknown IPs or large numbers of files downloaded. For more information on reviewing logs, refer to the MOVEit Transfer Logs guide.
- Reset Credentials
  - Reset service account credentials for affected systems and the MOVEit Service Account.
  - If you use Azure Storage in conjunction with MOVEit Transfer, rotate Azure Storage keys.
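The file-hunting steps above (the human2.aspx webshell, new files under wwwroot, .cmdline files under TEMP) can be run as one read-only sweep. The PowerShell below is an added example written for this post; it is not Expel's or Progress Software's tooling. It assumes the default MOVEit Transfer web root C:\MOVEitTransfer\wwwroot, the Windows temp folder C:\Windows\TEMP, and the standard IIS log location C:\inetpub\logs\LogFiles, all of which can be overridden by parameter. It also checks the IIS W3C logs for requests to human2.aspx, so the access is still visible if the file itself has already been removed.

```powershell
# Added example, not Expel's or Progress Software's tooling: a read-only triage
# sweep of a MOVEit Transfer host for the artefacts named in this post.
# Assumed and overridable by parameter: the default web root
# C:\MOVEitTransfer\wwwroot, the Windows temp folder C:\Windows\TEMP, and the
# standard IIS log location C:\inetpub\logs\LogFiles. Run from an elevated
# PowerShell session on the MOVEit Transfer server. Nothing is deleted or
# modified; findings are printed and written to a CSV for the incident record.
[CmdletBinding()]
param(
    [string]$WwwRoot    = 'C:\MOVEitTransfer\wwwroot',
    [string]$TempRoot   = 'C:\Windows\TEMP',
    [string]$IisLogDir  = 'C:\inetpub\logs\LogFiles',
    # Files created or modified after this point are reported; widen it if the
    # first sweep comes back empty.
    [datetime]$Since    = (Get-Date).AddDays(-30),
    [string]$ReportPath = "$env:TEMP\moveit-triage-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
)

$sinceUtc = $Since.ToUniversalTime()
$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding {
    param([string]$Category, [string]$Path, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Path = $Path; Detail = $Detail })
}

# Safe column lookup for W3C log rows: '?' when the field or column is absent.
function Get-Col([hashtable]$Index, [string[]]$Cols, [string]$Name) {
    if ($Index.ContainsKey($Name) -and $Index[$Name] -lt $Cols.Count) { $Cols[$Index[$Name]] } else { '?' }
}

# 1. The webshell file name reported in the post, anywhere under the web root.
Get-ChildItem -Path $WwwRoot -Recurse -File -Filter 'human2.aspx' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'human2.aspx present' $_.FullName ('created {0:u}, {1} bytes' -f $_.CreationTimeUtc, $_.Length) }

# 2. Anything new in the web root. Legitimate patching also writes here, so
#    reconcile each hit against change records before deleting anything.
Get-ChildItem -Path $WwwRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTimeUtc -ge $sinceUtc -or $_.LastWriteTimeUtc -ge $sinceUtc } |
    ForEach-Object { Add-Finding 'recent file in wwwroot' $_.FullName ('created {0:u}, modified {1:u}' -f $_.CreationTimeUtc, $_.LastWriteTimeUtc) }

# 3. .cmdline files in the randomly named subfolders of TEMP.
Get-ChildItem -Path $TempRoot -Recurse -File -Filter '*.cmdline' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding '.cmdline file in TEMP' $_.FullName ('created {0:u}' -f $_.CreationTimeUtc) }

# 4. Requests for human2.aspx in the IIS W3C logs. Column positions are taken
#    from each '#Fields:' header line, so the parse does not assume a fixed layout.
Get-ChildItem -Path $IisLogDir -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTimeUtc -ge $sinceUtc } |
    ForEach-Object {
        $logFile = $_.FullName
        $idx = @{}
        foreach ($line in [System.IO.File]::ReadLines($logFile)) {
            if ($line.StartsWith('#Fields:')) {
                $names = $line.Substring(8).Trim() -split ' '
                $idx = @{}
                for ($i = 0; $i -lt $names.Count; $i++) { $idx[$names[$i]] = $i }
                continue
            }
            if ($line.StartsWith('#') -or -not $idx.ContainsKey('cs-uri-stem')) { continue }
            if ($line -notmatch 'human2\.aspx') { continue }   # cheap pre-filter before splitting
            $cols = $line -split ' '
            if ((Get-Col $idx $cols 'cs-uri-stem') -match 'human2\.aspx') {
                $when = '{0} {1}' -f (Get-Col $idx $cols 'date'), (Get-Col $idx $cols 'time')
                $ip   = Get-Col $idx $cols 'c-ip'
                Add-Finding 'IIS request for human2.aspx' $logFile ('{0} from {1}' -f $when, $ip)
            }
        }
    }

if ($findings.Count -eq 0) {
    Write-Host 'No indicators found under the assumed paths. MOVEit user accounts and MOVEit Transfer logs still need a separate review.'
} else {
    $findings | Sort-Object Category, Path | Format-Table -AutoSize -Wrap
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Host "Wrote $($findings.Count) finding(s) to $ReportPath"
}
```

Run it as `.\Invoke-MoveitTriage.ps1 -Since (Get-Date '2023-05-27')` (the file name is the author's choice) to pull the look-back window to a specific date, and keep the CSV with the incident record. The script deliberately reports rather than deletes: a hit under wwwroot may be a legitimate patch, and a .cmdline file should be preserved for analysis before it is removed. Unauthorized MOVEit user accounts and the "Health Check Service" session live in MOVEit's own database and logs, not on the file system, so those still have to be reviewed through the MOVEit administration interface and the MOVEit Transfer Logs guide referenced above.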
What can you do longer term?
- Prioritize patching your vulnerabilities. Deploy your vulnerability scanning plugins to identify unpatched MOVEit instances, and patch them. Looking ahead, identify your highest-risk vulnerabilities specific to your environment and make a plan to address them. (BTW, we can help with this.)
- Update remote access policies to only allow inbound connections from known and trusted IP addresses. Progress Software has provided these guides: SysAdmin Remote Access Rules and Security Policies Remote Access.
- Enable multi-factor authentication (MFA). MFA protects MOVEit Transfer accounts from unverified users when a user’s account password is lost, stolen, or compromised. To enable MFA, refer to the MOVEit Transfer Multi-factor Authentication Documentation. And while you’re at it, make sure you have MFA enabled where it makes sense throughout your environment.
What next?
We’re keeping a close eye on this situation as it unfolds. We’ll update this post with big developments, but keep an eye on our socials (@ExpelSecurity) for additional recommendations as they emerge.