Project Hyphae
Hackers like to MOVEit, MOVEit... Critical MOVEit Transfer Vulnerability

CVE: 2023 number pending (submitted to MITRE)

CVSSv3: n/a

A critical vulnerability has been discovered in the Progress product MOVEit Transfer that, if exploited, can be used to gain elevated privileges and unauthorized access. The vulnerability is a SQL injection in the MOVEit Transfer web application.

Please note: this vulnerability is being exploited in the wild and is not merely a proof of concept.

Progress has warned customers of the risk and urges MOVEit customers to take immediate action to mitigate it while the development team works to release a patch. More information directly from Progress can be found below.

Issue submitted to MITRE from Progress (MOVEit)

SQL Injection (CVE Pending – Submitted to MITRE)
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.

Recommendation from Progress until a patch is released

https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

Yara signatures for detection

Community built (Credit to NEO23x0)

https://github.com/Neo23x0/signature-base/blob/master/yara/vuln_moveit_0day_jun23.yar#L2

Huntress Built

https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-06/1-MOVEit/yara/human2_MOVEit.yar

Indicators of compromise

CIDR (Attacker command and control)

5.252.189[.]0/24

5.252.190[.]0/24

5.252.191[.]0/24

Filename

human2.aspx

human2.aspx.lnk

C:\Windows\TEMP\[random]\[random].cmdline

C:\MOVEitTransfer\wwwroot\human2.aspx

HTTP POST

POST /moveitisapi/moveitisapi.dll

POST /guestaccess.aspx

POST /api/v1/folders/[random]/files

IPv4

198.27.75[.]110

209.222.103[.]170

84.234.96[.]104

138.197.152[.]201

209.97.137[.]33

148.113.152[.]144

89.39.105[.]108

User Display Name

The webshell creates a MOVEit Transfer user session with the display name ‘Health Check Service’.
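As an added example (not code from the advisory, Progress or Huntress), a small hunt over IIS W3C logs for the indicators above: requests from the listed C2 ranges and hosts, the human2.aspx webshell path, and POSTs to the three listed routes. The log lines are constructed, and the rule of flagging those POST routes only when no user is authenticated is an assumption made here, since they are also legitimate MOVEit endpoints.

```python
import ipaddress
import re
# Indicators from the advisory above, with the defanged "[.]" restored.
C2_NETWORKS = [ipaddress.ip_network(n) for n in
               ("5.252.189.0/24", "5.252.190.0/24", "5.252.191.0/24")]
C2_HOSTS = {"198.27.75.110", "209.222.103.170", "84.234.96.104", "138.197.152.201",
            "209.97.137.33", "148.113.152.144", "89.39.105.108"}
POST_PATHS = [re.compile(p, re.I) for p in (r"^/moveitisapi/moveitisapi\.dll$",
              r"^/guestaccess\.aspx$", r"^/api/v1/folders/[^/]+/files$")]

def is_c2_source(ip):
    """True if the client IP is a listed C2 host or lies inside a listed C2 range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return ip in C2_HOSTS or any(addr in net for net in C2_NETWORKS)

def scan_iis_log(lines):
    """Return (line_no, reasons) for each request that matches an indicator.
    Field order is read from the W3C '#Fields:' header, so any IIS layout works."""
    fields, hits = [], []
    for no, line in enumerate(lines, 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if line.startswith("#") or not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        stem, method = rec.get("cs-uri-stem", ""), rec.get("cs-method", "")
        reasons = []
        if is_c2_source(rec.get("c-ip", "")):
            reasons.append("c2-source")
        if stem.rsplit("/", 1)[-1].lower() == "human2.aspx":
            reasons.append("webshell-path")
        # The three POST routes are normal MOVEit endpoints, so flag them only when the
        # request carries no authenticated user (a heuristic assumed here, not from the page).
        if method == "POST" and rec.get("cs-username", "-") == "-" \
                and any(p.match(stem) for p in POST_PATHS):
            reasons.append("unauth-post")
        if reasons:
            hits.append((no, reasons))
    return hits

# Constructed sample (not real traffic) in IIS' default W3C field order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 02:11:09 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 5.252.190.77 python-requests/2.28 200
2023-05-28 02:11:20 10.0.0.5 GET /human2.aspx - 443 - 5.252.190.77 Mozilla/5.0 200
2023-05-28 08:31:44 10.0.0.5 POST /api/v1/folders/77/files - 443 alice 192.0.2.10 Mozilla/5.0 201
""".splitlines()
```

Running `scan_iis_log(SAMPLE_LOG)` flags the two requests from the C2 range and leaves the authenticated upload by alice alone.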

SHA256 Hash
