I Don’t Like to MOVEit MOVEit!
Widespread Attacks Continue to Plague Progress MOVEit Software
In late May and early June of 2023, Progress (formerly known as Ipswitch), disclosed two critical vulnerabilities in its MOVEit Transfer and MOVEit Cloud software platforms (CVE-2023-34362 & CVE-2023-35036). Patches were available for both vulnerabilities. On June 15, 2023, a third zero-day vulnerability was publicly referenced on Progress’ website. All three vulnerabilities are related to SQL injection. The Russian attributed “CL0” Ransomware Gang (TA505) has leveraged these vulnerabilities to successfully target a long and growing list of companies, including numerous U.S. federal and state government agencies. We expect exploitation to continue to proliferate, and urge customers to apply patches as quickly as possible.
While traditional network security vendors may be able to fingerprint components of the vulnerability, holistic detection and prevention is likely to be subverted. This is why the Exabeam approach is to model user and asset behavior within the target environment, looking for abnormal or anomalous activity and raising corresponding alerts. This is the only way to effectively detect the presence of a malicious entity in your network.
In this article:
- How are attackers exploiting this vulnerability?
- What products and versions are affected?
- Behavioral indicators of exploitation
- What’s next?
- Proofs of concept
How are attackers exploiting this vulnerability?
All vulnerabilities listed here begin with SQL injection, a web-based vulnerability in the processing of SQL statements parsed by the affected software. Attackers can exploit these flaws without authentication, giving them access to the MOVEit Transfer or Cloud database and, ultimately, file write and remote code execution capabilities. Several vendors have published preliminary analysis of the vulnerabilities, including a detailed writeup from Huntress on the technical aspects of exploitation.
What products and versions are affected?
A list of affected software versions can be found on Progress’ Community website:
We expect this list to be updated as more details become available on this zero-day vulnerability and the ensuing patches from Progress.
Behavioral indicators of exploitation
Static signatures provide a basic litmus test for identifying exact fingerprints of vulnerabilities and exploits. However, attackers will look to exploit this by modifying as many payload features as possible, and use unique, highly customized methods to bypass detection based on fixed rules. This is precisely why Exabeam has always focused on identifying the abnormalities, no matter in which part of the attack chain they occur. In fact, the more unique the attack, the higher the chances of Exabeam detecting it as abnormal and potentially malicious. The types of behaviors the Exabeam analytics engine will detect are vast and varied. A few examples related to these vulnerabilities — both at the time of and following exploitation — are listed below.
Behavioral anomalies include:
- Abnormal account creation
- Failed login to an application
- Unusual process execution for a user or asset
- Suspicious Windows process executed
- User with no process execution history
- Abnormal amount of data write in a database
- Anomalous database query
This list is just a fraction of the thousands of features that the Exabeam analytics engine is trained to detect. Additional post-exploitation tactics can occur across the entire spectrum of the MITRE ATT&CK® framework, from privilege escalation to lateral movement, compromised credentials to data exfiltration, and more. This rich library of detection content integrated into Exabeam products corresponds to both individual and multiple tactics, techniques, and procedures (TTPs) and can be used to quickly identify a pattern of attacker behavior in a network, and automatically generate notable events for security operations teams to investigate and act upon.
- MOVEit Transfer and MOVEit Cloud Vulnerability
- MOVEit Transfer Critical Vulnerability (May 2023) (CVE-2023-34362) – Progress Community
- CISA Advises Customers of Progress Software to MOVEit
Proofs of concept
- MOVEit Transfer SQL Injection / Remote Code Execution ≈ Packet Storm
horizon3ai/CVE-2023-34362 · GitHub
- CVE-2023-34362: MOVEit Transfer Unauthenticated RCE
As we navigate through these threats, it’s essential to remember that the key to a strong security posture is not merely identifying and patching vulnerabilities, but also being proactive in detecting abnormal behaviors and activities. Exabeam offers exactly that by continually evolving and adapting to ensure your security is never compromised.
We will remain vigilant, closely monitoring this evolving threat, and looking for additional information and indicators of compromise (IoCs). If you have questions about Exabeam products and their capabilities to detect these types of attacks, we invite you to schedule a demo of the Exabeam Security Operations Platform.
Exabeam Security Research Team (ESRT) Mission Statement:
The ESRT strives to provide unique insight into how we look at the world of cyberthreats and risk by highlighting the common patterns that different threats and threat actors use, and why we need to reorient our detections and priorities to tactics, techniques, and procedures (TTPs) vs. indicators of compromise (IOCs).
We aim to share a newer ideology of investigating threats by answering the following questions: “who, what, and how”.
Want to learn more about detecting abnormal behavior?
View our on-demand webinar, Differentiating Legitimate Activity from Adversarial Behavior to Detect Account Manipulation.
Your adversaries use account manipulation techniques in order to establish persistence on the network, move around covertly, and grant themselves access to critical corporate resources.
Their techniques can range from increasing group privileges, creating and deleting temporary users or shielding attacker identities behind default system accounts. Because IT or security admins may perform similar account management functions as part of their normal job responsibilities, legacy security tools cannot usually differentiate legitimate activity from adversary behavior. Attackers take advantage of this gap in detection to remain on the network undetected to achieve their end goals of intellectual property theft, data exfiltration, or other damage.
In this webinar, you will learn:
- Why account manipulation is a challenge for most organizations
- How behavioral analytics can identify attacks involving account manipulation
- How Exabeam helps with threat detection, investigation, and response (TDIR) for this use case
Introducing Threat Detection, Investigation, and Response (TDIR) for Public Cloud
Demystifying Insider Threats: An Insightful Discussion
Maximizing Your Cybersecurity Investment: Evaluating and Implementing Effective UEBA Solutions
What’s New in Exabeam Product Development — February 2024
Save The Date! Exabeam Spotlight24 Global Webcast Registration Opens March 12
Exabeam Unveils 2023 Partner of the Year Award Winners
Subscribe today and we'll send our latest blog posts right to your inbox, so you can stay ahead of the cybercriminals and defend your organization.
See a world-class SIEM solution in action
Most reported breaches involved lost or stolen credentials. How can you keep pace?
Exabeam delivers SOC teams industry-leading analytics, patented anomaly detection, and Smart Timelines to help teams pinpoint the actions that lead to exploits.
Whether you need a SIEM replacement, a legacy SIEM modernization with XDR, Exabeam offers advanced, modular, and cloud-delivered TDIR.
Get a demo today!