CVE-2023-n-a
CVSSv3: n/a
A critical vulnerability has been discovered in the Progress product MOVEit Transfer that, if exploited, could be used to gain elevated privileges and unauthorized access. The vulnerability is a SQL injection in the MOVEit Transfer web application.
Please note: this vulnerability has been exploited in the wild; it is not merely a proof of concept.
Progress warns customers of the risk and urges MOVEit customers to take immediate action to mitigate it while the development team works to release a patch. More information directly from Progress can be found below.
Issue submitted to MITRE by Progress (MOVEit)
SQL Injection (CVE Pending – Submitted to MITRE)
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
Recommendation from Progress until a patch is released
Yara signatures for detection
Community built (Credit to NEO23x0)
https://github.com/Neo23x0/signature-base/blob/master/yara/vuln_moveit_0day_jun23.yar#L2
Huntress Built
https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-06/1-MOVEit/yara/human2_MOVEit.yar
Indicators of compromise
CIDR (Attacker command and control)
5.252.189[.]0/24
5.252.190[.]0/24
5.252.191[.]0/24
Filename
human2.aspx
human2.aspx.lnk
C:\Windows\TEMP\[random]\[random].cmdline
C:\MOVEitTransfer\wwwroot\human2.aspx
HTTP POST
POST /moveitisapi/moveitisapi.dll
POST /guestaccess.aspx
POST /api/v1/folders/[random]/files
IPV4
User Display Name
The webshell creates a MOVEit Transfer user account session with the display name ‘Health Check Service’.
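Operationalizing the request-path, attacker-CIDR and webshell-filename indicators above against IIS W3C logs, as an added example that is not part of this advisory or of Progress's tooling: the log lines are constructed, the `scan` and `classify` functions are hypothetical names, the column layout is read from the log's own `#Fields` header, and the API upload path is treated as low confidence on its own because it also occurs in normal use.

```python
# Scan IIS W3C logs for the MOVEit Transfer indicators listed in this advisory.
# Added example, not part of the advisory or Progress's tooling; log lines are constructed.
import ipaddress
import re
ATTACKER_CIDRS = [ipaddress.ip_network(c) for c in
                  ("5.252.189.0/24", "5.252.190.0/24", "5.252.191.0/24")]
WEBSHELL = "human2.aspx"
# POST paths from the advisory. The API upload path is also used legitimately,
# so a match there is low confidence unless another indicator fires too.
SUSPICIOUS_POSTS = [re.compile(p, re.I) for p in (
    r"^/moveitisapi/moveitisapi\.dll$", r"^/guestaccess\.aspx$",
    r"^/api/v1/folders/[^/]+/files$")]

def classify(ip, method, uri):
    """Return the names of the indicators one request matches (empty if clean)."""
    hits = []
    if WEBSHELL in uri.lower():
        hits.append("webshell-path")
    if method.upper() == "POST" and any(p.match(uri) for p in SUSPICIOUS_POSTS):
        hits.append("suspicious-post")
    try:
        if any(ipaddress.ip_address(ip) in net for net in ATTACKER_CIDRS):
            hits.append("attacker-cidr")
    except ValueError:  # malformed or missing c-ip field
        pass
    return hits

def scan(lines):
    """Return (timestamp, c-ip, uri, hits) for each request matching an indicator."""
    findings, cols = [], {}
    for line in lines:
        if line.startswith("#Fields:"):  # W3C header declares the column layout
            cols = {name: i for i, name in enumerate(line.split()[1:])}
            continue
        parts = line.split()
        if line.startswith("#") or not cols or len(parts) != len(cols):
            continue
        ip, method, uri = (parts[cols[k]] for k in ("c-ip", "cs-method", "cs-uri-stem"))
        if hits := classify(ip, method, uri):
            findings.append((f"{parts[cols['date']]} {parts[cols['time']]}", ip, uri, hits))
    return findings

SAMPLE_LOG = [  # constructed IIS W3C lines; a real log has more columns
    "#Fields: date time s-ip cs-method cs-uri-stem c-ip sc-status",
    "2023-05-28 01:02:03 10.0.0.5 GET /human.aspx 203.0.113.7 200",
    "2023-05-28 01:02:09 10.0.0.5 POST /moveitisapi/moveitisapi.dll 5.252.190.55 200",
    "2023-05-28 01:02:10 10.0.0.5 POST /guestaccess.aspx 5.252.190.55 200",
    "2023-05-28 01:02:15 10.0.0.5 POST /api/v1/folders/123456/files 203.0.113.9 200",
    "2023-05-28 01:03:00 10.0.0.5 GET /human2.aspx 198.51.100.4 200",
]
```

Feed `scan` the lines of the server's real IIS log (which carries its own `#Fields` header); a request that matches the attacker CIDRs or the webshell path is a strong signal, while a lone API-upload match needs correlation with the other indicators before it is treated as compromise.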
SHA256 Hash
References:
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
- https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/
- https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
- https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/
- https://digital.nhs.uk/cyber-alerts/2023/cc-4326
- https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/
- https://therecord.media/moveit-transfer-tool-zero-day-exploited
- https://www.helpnetsecurity.com/2023/06/01/moveit-transfer-vulnerability/
- https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
