
I Don’t Like to MOVEit MOVEit!

  • Jun 20, 2023
  • Steve Povolny
  • 3 minutes to read


    Widespread Attacks Continue to Plague Progress MOVEit Software

    In late May and early June of 2023, Progress (formerly known as Ipswitch) disclosed two critical vulnerabilities in its MOVEit Transfer and MOVEit Cloud software platforms (CVE-2023-34362 and CVE-2023-35036). Patches were available for both vulnerabilities. On June 15, 2023, a third zero-day vulnerability was publicly referenced on Progress’ website. All three vulnerabilities are SQL injection flaws. The Russian-attributed “CL0P” ransomware gang (TA505) has leveraged these vulnerabilities to successfully target a long and growing list of companies, including numerous U.S. federal and state government agencies. We expect exploitation to continue to proliferate, and we urge customers to apply patches as quickly as possible.

    While traditional network security vendors may be able to fingerprint components of the vulnerability, detection and prevention that relies on those fixed fingerprints is likely to be subverted. This is why the Exabeam approach is to model user and asset behavior within the target environment, looking for abnormal or anomalous activity and raising corresponding alerts. This is the only way to effectively detect the presence of a malicious entity in your network.

    How are attackers exploiting this vulnerability?

    All vulnerabilities listed here begin with SQL injection, a web-based vulnerability in which untrusted input reaches SQL statements parsed by the affected software. Attackers can exploit these flaws without authentication, giving them access to the MOVEit Transfer or Cloud database and, ultimately, file write and remote code execution capabilities. Several vendors have published preliminary analysis of the vulnerabilities, including a detailed writeup from Huntress on the technical aspects of exploitation.
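    To make the root cause concrete, the following added example (not Exabeam's or Progress' code, and not MOVEit's actual query logic) contrasts a lookup that splices a request parameter into SQL text with the same lookup using a bound parameter. The table, rows and the `files`/`owner` column names are constructed for the demonstration; an in-memory SQLite database stands in for the application database.

```python
import sqlite3


def make_db():
    """Build a small constructed database standing in for an application's file index."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [("alice", "q2-report.xlsx"), ("bob", "payroll.csv"), ("bob", "notes.txt")],
    )
    conn.commit()
    return conn


def list_files_vulnerable(conn, owner):
    """Injectable: the request value is pasted into the statement text,
    so the SQL parser treats whatever it contains as part of the query."""
    query = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(query)]


def list_files_safe(conn, owner):
    """Hardened: the statement structure is fixed at parse time and the
    request value is bound as data, so it can only ever be compared, not executed."""
    rows = conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # A value that is a tautology when interpreted as SQL but harmless when bound as data.
    crafted = "x' OR '1'='1"
    print("vulnerable:", list_files_vulnerable(db, crafted))  # every row is returned
    print("safe:      ", list_files_safe(db, crafted))        # no owner has that literal name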

    What products and versions are affected?

    A list of affected software versions can be found on Progress’ Community website:
    https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

    We expect this list to be updated as more details become available on this zero-day vulnerability and the ensuing patches from Progress.

    Behavioral indicators of exploitation

    Static signatures provide a basic litmus test for identifying exact fingerprints of vulnerabilities and exploits. However, attackers will look to evade them by modifying as many payload features as possible and using unique, highly customized methods to bypass detection based on fixed rules. This is precisely why Exabeam has always focused on identifying the abnormalities, no matter in which part of the attack chain they occur. In fact, the more unique the attack, the higher the chances of Exabeam detecting it as abnormal and potentially malicious. The types of behaviors the Exabeam analytics engine will detect are vast and varied. A few examples related to these vulnerabilities, both at the time of and following exploitation, are listed below.

    Behavioral anomalies include:

    • Abnormal account creation
    • Failed login to an application
    • Unusual process execution for a user or asset
    • Suspicious Windows process executed
    • User with no process execution history
    • Abnormal amount of data write in a database
    • Anomalous database query
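    The behavioral indicators above share one shape: a baseline of what a user or asset normally does, compared against what it is doing now. The added example below (not the Exabeam analytics engine, and not its rule set) implements four of the listed indicators over constructed JSON-lines events: a user executing a process with no process execution history, account creation by a user who has never created accounts, a database query whose normalized template was never seen, and a database write volume far above the user's historical maximum. The event field names (`type`, `user`, `query`, `bytes`, `image`, `target`) and the 3x write-volume threshold are assumptions chosen for the demonstration.

```python
import json
import re
from collections import defaultdict

# Constructed baseline period: routine activity for a service account and an admin.
BASELINE_LOG = """
{"ts":"2023-05-01T09:00:00","user":"svc_app","type":"db_query","query":"SELECT * FROM users WHERE username = 'alice'"}
{"ts":"2023-05-01T09:01:00","user":"svc_app","type":"db_write","bytes":20480}
{"ts":"2023-05-02T09:00:00","user":"svc_app","type":"db_query","query":"SELECT * FROM users WHERE username = 'bob'"}
{"ts":"2023-05-02T09:02:00","user":"svc_app","type":"db_write","bytes":18000}
{"ts":"2023-05-03T10:00:00","user":"admin_jane","type":"account_create","target":"carol"}
{"ts":"2023-05-03T10:05:00","user":"admin_jane","type":"process_exec","image":"powershell.exe"}
{"ts":"2023-05-04T09:03:00","user":"svc_app","type":"db_write","bytes":22000}
"""

# Constructed observation period: the service account starts behaving like an operator.
OBSERVED_LOG = """
{"ts":"2023-06-01T03:10:00","user":"svc_app","type":"db_query","query":"SELECT * FROM users WHERE username = 'x' OR 1=1"}
{"ts":"2023-06-01T03:11:00","user":"svc_app","type":"account_create","target":"svc_backup2"}
{"ts":"2023-06-01T03:12:00","user":"svc_app","type":"process_exec","image":"cmd.exe"}
{"ts":"2023-06-01T03:15:00","user":"svc_app","type":"db_write","bytes":900000}
{"ts":"2023-06-01T09:00:00","user":"admin_jane","type":"process_exec","image":"powershell.exe"}
"""


def parse(log_text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def normalize_query(query):
    """Reduce a SQL statement to a template by replacing string and numeric literals,
    so that 'WHERE username = 'alice'' and 'WHERE username = 'bob'' share one template."""
    query = re.sub(r"'[^']*'", "?", query)
    return re.sub(r"\b\d+\b", "?", query)


def build_baseline(events):
    """Summarize the baseline period per behavior type."""
    baseline = {
        "process_users": set(),          # users ever seen executing a process
        "creators": set(),               # users ever seen creating accounts
        "query_templates": set(),        # normalized query shapes ever seen
        "write_bytes": defaultdict(list) # per-user history of write volumes
    }
    for e in events:
        t = e["type"]
        if t == "process_exec":
            baseline["process_users"].add(e["user"])
        elif t == "account_create":
            baseline["creators"].add(e["user"])
        elif t == "db_query":
            baseline["query_templates"].add(normalize_query(e["query"]))
        elif t == "db_write":
            baseline["write_bytes"][e["user"]].append(e["bytes"])
    return baseline


def detect(baseline, events, write_factor=3.0):
    """Return (user, indicator, detail) tuples for events that depart from the baseline."""
    alerts = []
    for e in events:
        t, user = e["type"], e["user"]
        if t == "process_exec" and user not in baseline["process_users"]:
            alerts.append((user, "user-with-no-process-execution-history", e["image"]))
        elif t == "account_create" and user not in baseline["creators"]:
            alerts.append((user, "abnormal-account-creation", e["target"]))
        elif t == "db_query":
            template = normalize_query(e["query"])
            if template not in baseline["query_templates"]:
                alerts.append((user, "anomalous-database-query", template))
        elif t == "db_write":
            history = baseline["write_bytes"].get(user, [])
            # With no write history at all, any write is treated as abnormal (ceiling of 0).
            ceiling = max(history) * write_factor if history else 0
            if e["bytes"] > ceiling:
                alerts.append((user, "abnormal-database-write-volume", e["bytes"]))
    return alerts


def run():
    """Build the baseline from the first log and score the second against it."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(OBSERVED_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

    Note what is and is not flagged: the admin's PowerShell execution on June 1 is silent because it matches her history, while every one of the service account's actions is raised, even though nothing in them matches a fixed exploit signature. The query check in particular fires on the statement's shape, not on a specific payload string, which is what makes it resistant to the payload variation the paragraph above describes.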

    This list is just a fraction of the thousands of features that the Exabeam analytics engine is trained to detect. Additional post-exploitation tactics can occur across the entire spectrum of the MITRE ATT&CK® framework, from privilege escalation to lateral movement, compromised credentials to data exfiltration, and more. This rich library of detection content integrated into Exabeam products corresponds to both individual and multiple tactics, techniques, and procedures (TTPs) and can be used to quickly identify a pattern of attacker behavior in a network, and to automatically generate notable events for security operations teams to investigate and act upon.

    Conclusion

    As we navigate through these threats, it’s essential to remember that the key to a strong security posture is not merely identifying and patching vulnerabilities, but also being proactive in detecting abnormal behaviors and activities. Exabeam offers exactly that by continually evolving and adapting to ensure your security is never compromised.

    We will remain vigilant, closely monitoring this evolving threat, and looking for additional information and indicators of compromise (IoCs). If you have questions about Exabeam products and their capabilities to detect these types of attacks, we invite you to schedule a demo of the Exabeam Security Operations Platform.

    Exabeam Security Research Team (ESRT) Mission Statement:

    The ESRT strives to provide unique insight into how we look at the world of cyberthreats and risk by highlighting the common patterns that different threats and threat actors use, and why we need to reorient our detections and priorities to tactics, techniques, and procedures (TTPs) vs. indicators of compromise (IOCs).

    We aim to share a newer ideology of investigating threats by answering the following questions: “who, what, and how”.

    Steve Povolny

    Senior Director, Security Research & Competitive Intelligence | Exabeam | Steve Povolny is a seasoned security research professional with over 15 years of experience in managing security research teams. He has a proven track record of identifying vulnerabilities and implementing effective solutions to mitigate them.
