The entire cybersecurity realm is buzzing over zero-day vulnerabilities and SQL injection attacks owing to the MOVEit Transfer MFT breach. In case you missed it, here’s the back story, timeline of events, and latest updates.

On May 31, 2023, Progress Software rolled out security patches for the recently discovered SQL injection vulnerability in their file sharing application, MOVEit Transfer. Since then, the news of new zero-day exploits of the application and speculations about the scale of the attack have been popping up on a daily basis. Many organizations, including British Airways and the BBC, are joining the growing list of data theft victims.

Here’s a timeline of the attack:

Phase 1 – Post-exploitation discovery

  • May 31: Progress releases details of the vulnerability along with security fixes.

  • June 1: The Cybersecurity and Infrastructure Security Agency (CISA) issues an official alert to users of the application about potential exploitation.

  • June 2: MITRE assigns the vulnerability a CVE-ID (CVE-2023-34362).

  • June 5: Microsoft Threat Intelligence posts on its Twitter account identifying Lace Tempest (a.k.a. TA505, FIN11), an adversary group primarily known for running Clop ransomware campaigns, as responsible for the attacks.

  • June 6: Zellis, a UK-based payroll software provider, announces a cybersecurity incident due to the MOVEit vulnerability, leading to its high-profile customers becoming targets of data breaches. This is a case of third-party risk caused by vulnerabilities in related-party interactions (RPI).


Phase 2 – Ransom demands and the growing list of victims

  • June 7: Threat intelligence platforms and researchers start reporting details of ransom demands from Clop requiring organizations to reach out via email and negotiate a deal within a 10-day period. They claim that failing to comply will lead to a data leak spree.

  • June 8: Forensic analysis of IIS logs retrieved from the victims’ environments reveals traces of similar exploitation attempts since 2021, implying the threat actors have taken several months to experiment and launch the attack.

  • June 14: Clop starts naming the victims on their leak site, which includes several federal agencies, healthcare, finance, and educational institutions mostly based out of the US and the UK.

  • June 15: Progress continues discovering new vulnerabilities (CVE-2023-35036, CVE-2023-35708) in MOVEit Transfer and rolls out patches.

  • June 16: Rewards for Justice, the US national security rewards program, announces a 10 million dollar bounty for any information linking Clop activities to influences from foreign governments.


Security analysts around the globe believe the web shells used for data exfiltration might have been injected into the victims’ servers days or even weeks prior to the announcement from Progress, confirming this to be a zero-day vulnerability attack.

This incident joins the trend of mass campaigns by the Clop ransomware gang and their associated groups targeting file sharing applications.

  • In 2021, the Accellion FTA data breach exploited multiple zero-day vulnerabilities (CVE-2021-27101, CVE-2021-27102) in the application. The victim count became an ever-growing list, and Accellion ultimately stopped releasing patches, leaving the application unfit for use.

  • Earlier this year, the CVE-2023-0669 vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) was exploited. Similar to the MOVEit exploit, attackers used remote code execution (RCE) through web shells. Data has since been extorted from over 100 customers including high-profile banks and healthcare institutions.

Tip: What’s a zero-day vulnerability attack?

Zero-day vulnerability attacks are launched by threat actors abusing flaws in applications and OS environments that are not yet known to the vendor or to defenders, so no patch exists when exploitation begins. Even if patches are released immediately afterwards, threat actors who already got in can plant back doors and continue to access the network.

Access our zero-day blueprint whitepaper and learn more about zero-day attack protection and the detailed breakdown of the MOVEit exploit.


Overview of the attack

Here’s an overview of the MOVEit attack:

  1. The threat actors access the web interface of the MOVEit application.

  2. They use an SQL injection attack to implant malware payloads in the server.

  3. Using reconnaissance techniques, attackers discover the environment and establish a command and control channel.

  4. They send additional payloads to escalate privileges, laterally move, persist, and compromise the internal network.

  5. Attackers collect and exfiltrate data through the established C2 channel.

  6. They install additional back doors for continued access.

Techniques used in the attack

SQL injection: This is a commonly abused web vulnerability in which SQL fragments are submitted in place of valid user input so that the back end executes them and the attacker gains control of the database. Attackers usually experiment by submitting various malicious queries in the input fields, which can lead to bypassing authentication, retrieving information from the database, altering the database, delaying database responses, and even launching a denial-of-service attack. In the MOVEit exploit, the threat actors used this to inject web shell files containing the malware payload.
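To make the mechanism concrete from the defender's side, here is an added example (not code from the post or from MOVEit) showing the root cause of SQL injection and its fix: a login check that splices user input into the SQL text beside the same check written as a parameterised query. The table, account and "password hash" are constructed for the example; SQLite stands in for the real database.

```python
import sqlite3


def make_db():
    """In-memory users table with one constructed account (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-password')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password_hash):
    """String-built query: whatever the caller passes becomes part of the SQL
    statement, so quote characters in the input change the query's logic."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password_hash):
    """Parameterised query: the driver sends the values separately from the
    statement text, so input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


# A classic tautology string: in the unsafe version it rewrites the WHERE
# clause so it is always true; in the safe version it is just a literal value.
TAUTOLOGY = "' OR '1'='1"
```

Both functions return the row for a correct username and hash; only `login_unsafe` also returns a row when `TAUTOLOGY` is supplied for both fields, which is exactly the authentication bypass the paragraph describes. The fix is the query shape, not input filtering: every database driver and ORM offers placeholders like the `?` above, and they should be used for every value that originates from a request.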

Use of web shells: SQLi to RCE

The web shell files uploaded to the server are scripts written in a server-side programming language. Through ordinary HTTP requests, the attacker establishes the C2 channel and executes the uploaded files. This grants reverse shell access.

For example, the following basic script returns the identity of the account the web server runs as. Let’s say the attacker has saved it in a file called script1.php and uploaded it to the target server:

    <?php
        system("whoami");
    ?>

A request to the following URL then executes the file: http://www.abc.com/app_2/?module=script1.php

Threat actors can use this method to run complex commands, learn about the environment, upload additional scripts, and exfiltrate data.

Latest advancements and immediate measures for attack victims

Progress Software has been prompt in rolling out patches and publishing indicators of compromise (IOCs). Organizations using MOVEit Transfer should ensure they implement the following measures:

  1. Take the application offline, disable network connectivity, and isolate the server.

  2. Start auditing the application files, users, and all events in the recent past by retrieving and analyzing historic log data:

  • The human2.aspx file has been declared as the malicious web shell found in the servers of multiple victims. Scan for this and delete.

  • Look for new file additions in the following directories:

        C:\MOVEitTransfer\wwwroot\

        C:\Windows\TEMP\[random]\

        APP_WEB_[random].dll files in C:\Windows\Microsoft.NET\Framework64\[version]\Temporary ASP.NET Files\root\[random]\[random]\

  • Audit the GET and POST queries in the IIS logs. To locate the IIS log files, go to:

        Windows File Explorer > C Drive > Inetpub folder > Logs folder > LogFiles

    Use this guide to access the MOVEit Transfer logs.

  3. Update the MOVEit software. The cloud version, MOVEit Cloud, has already been updated. For on-premises installations, reset the MOVEit service account credentials and check for updates from Progress for the latest patches.
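The audit in step 2 is two mechanical sweeps: a file sweep over the listed directories for the named web shell, the APP_WEB_[random].dll artefacts and anything newly written, and a log sweep over the IIS W3C logs for requests that reached the web shell. The Python below is an added example of both, not tooling from Progress or from the post; the sample directory, file names other than human2.aspx and the APP_WEB pattern, the log lines, and the client addresses are all constructed here, and the incident cutoff date is an assumed value an analyst would set from their own timeline. Point scan_tree at the real directories and feed parse_iis_w3c the files under C:\inetpub\logs\LogFiles to use it for real.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# File-name indicators quoted in the post: the human2.aspx web shell and the
# APP_WEB_[random].dll artefacts left under Temporary ASP.NET Files.
WEBSHELL_NAMES = {"human2.aspx"}
COMPILED_DLL_RE = re.compile(r"^APP_WEB_[0-9a-z]+\.dll$", re.IGNORECASE)
# Assumed start of the window under investigation; set from your own timeline.
INCIDENT_CUTOFF = datetime(2023, 5, 1, tzinfo=timezone.utc)


def scan_tree(root, newer_than):
    """Walk `root` and return sorted (relative path, reason) pairs for files
    whose name is a known IOC or whose mtime is after `newer_than` (an aware
    datetime). In a real run `root` is each directory listed in the post."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in WEBSHELL_NAMES or COMPILED_DLL_RE.match(name):
                hits.append((rel, "ioc-name"))
            elif datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc) > newer_than:
                hits.append((rel, "recent"))
    return sorted(hits)


def parse_iis_w3c(lines):
    """Parse IIS W3C extended log lines into dicts keyed by the column names of
    the most recent '#Fields:' directive; other '#' lines are skipped."""
    fields, rows = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_webshell_requests(rows):
    """(client IP, method, URI, status) for each request to a known web shell."""
    out = []
    for r in rows:
        leaf = r.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if leaf in WEBSHELL_NAMES:
            out.append((r.get("c-ip"), r.get("cs-method"),
                        r.get("cs-uri-stem"), r.get("sc-status")))
    return out


def post_counts_by_client(rows):
    """POST requests per client IP; an unfamiliar address with a burst of
    POSTs is worth a manual look."""
    counts = {}
    for r in rows:
        if r.get("cs-method") == "POST":
            counts[r.get("c-ip")] = counts.get(r.get("c-ip"), 0) + 1
    return counts


# Constructed sample log, not real traffic: 198.51.100.20 is an ordinary user,
# 203.0.113.7 is an invented client that reaches the web shell.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-27 09:12:44 10.0.0.5 GET /index.aspx - 443 alice 198.51.100.20 Mozilla/5.0 200
2023-05-27 09:13:01 10.0.0.5 POST /upload.aspx - 443 alice 198.51.100.20 Mozilla/5.0 200
2023-05-28 02:41:17 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 python-requests/2.28 200
2023-05-28 02:41:18 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 python-requests/2.28 200
2023-05-28 02:41:20 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.7 python-requests/2.28 200
2023-05-28 02:41:25 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 python-requests/2.28 200
"""


def build_sample_tree():
    """Throwaway directory shaped like the paths in the post (constructed for
    this example); returns its root. index.aspx is back-dated to January 2023,
    the other files keep the current time."""
    root = tempfile.mkdtemp(prefix="moveit_audit_")
    wwwroot = os.path.join(root, "wwwroot")
    aspnet_tmp = os.path.join(root, "Temporary ASP.NET Files", "root", "a1b2c3", "d4e5f6")
    os.makedirs(wwwroot)
    os.makedirs(aspnet_tmp)
    for rel in ("wwwroot/index.aspx", "wwwroot/web.config", "wwwroot/human2.aspx"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    with open(os.path.join(aspnet_tmp, "APP_WEB_k3x9q.dll"), "wb") as fh:
        fh.write(b"\x00")
    old = datetime(2023, 1, 15, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(wwwroot, "index.aspx"), (old, old))
    return root
```

On the sample tree, scan_tree(build_sample_tree(), INCIDENT_CUTOFF) flags human2.aspx and the APP_WEB DLL by name and web.config as recently written, while the back-dated index.aspx is left alone; on the sample log, find_webshell_requests returns the two requests from 203.0.113.7 to the web shell and post_counts_by_client shows that address issuing three POSTs against one from the normal user. Name-matching is deliberately the first check, so a known IOC is reported even when its timestamp has been tampered with; the mtime sweep is the safety net for renamed copies.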

Experts expect further waves of exploitation in this ongoing attack. It is essential for SOCs to keep monitoring the logs of their critical network entities to detect anomalous activity. Progress continues to add further IOCs, including malicious files, commands, requests, and IP addresses to scan for. Use this document to get details of the blacklisted sources. Upon detection, isolate the affected system, disable user accounts, reset passwords, and update firewall rules.

How can a SIEM help?

Security information and event management (SIEM) solutions automate the entire process of log collection, parsing, indexing, and report generation.

  • You can access predefined reports for IIS server activities, admin configuration reports, error reports, and specific reports for webserver attacks like SQL injection attacks.

  • Use alerts and correlation to match attack patterns and detect threats promptly.

  • Identify and block malicious sources with the help of threat intelligence and integration of global threat feeds.

  • Detect user behavior anomalies and data exfiltration attempts with user entity and behavior analytics (UEBA).

Explore the benefits of SIEM with a free trial of ManageEngine Log360.