Joe Raine
Cybersecurity Professional

Analysis – MOVEit File Transfer Vulnerability

Within the cybersecurity field it is essential to stay up to date with current events, especially those with potentially critical impacts on an organisation. With new victims being disclosed every day, I have been reading up on this vulnerability and intend to cover it here to reinforce my learning.

What is the MOVEit vulnerability?

The MOVEit vulnerability is a zero-day discovered in May 2023 in the MOVEit software developed by Progress. The software is used by many supply chain corporations to process HR and payroll files, and is sold by Progress as a Secure File Transfer package that encrypts data in transit and at rest to protect it.

While the news talks about "the vulnerability", and I have referred to it that way above for simplicity, the recent scrutiny has produced three separate CVEs, which are covered below.

On 31 May 2023 CVE-2023-34362 was announced as a critical vulnerability in the MOVEit software. It allowed a SQL injection to deliver a .NET deserialisation payload to the transfer database. The exploit was serious because it affected all versions of MOVEit Transfer and, at the time of the announcement, no patch was available. Subsequent investigations found that the vulnerability had been exploited since 27 May without detection.

On 1 June guidance was released on potential IOCs and on prevention steps that could be taken to minimise risk.

How does the vulnerability work?

The vulnerability is relatively complex: although it was identified relatively early, it has not been easy to reproduce, possibly because reproduction requires a MOVEit Transfer server. On 5 June Huntress.com succeeded in exploiting the vulnerability via SQL injection to achieve arbitrary code execution as the MOVEit service account and from there deploy a ransomware payload. This is done by abusing the SQL injection to escalate privileges to the root system user.

Huntress noted that the widely reported human2.aspx, although often described as essential to the exploit, is not required; it can, however, be deployed for persistence.

The exploit targets the web-facing side of the MOVEit Transfer server, and the SQL injection is performed from there. moveitisapi.dll is used in the injection with specific headers, and guestaccess.aspx is used to create the session and extract the tokens required for further penetration.
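The artefacts named above (human2.aspx as a persistence web shell, moveitisapi.dll followed by guestaccess.aspx in the request sequence) lend themselves to a simple defender-side log hunt. The script below is an added example and is not code from the original post, from Progress or from Huntress. It parses IIS W3C extended-format log lines (the lines here are constructed, not real traffic) and flags three things: any request to the web-shell file name, a POST to moveitisapi.dll followed within a short window by a POST to guestaccess.aspx from the same client, and .aspx files in the web root that are not in a known-good baseline. The 30-second window, the baseline list and the directory listing are assumptions for illustration; both endpoints are legitimate MOVEit components, so the pairing is a heuristic to triage, not proof of compromise, and the "specific headers" the post mentions are not reproduced here. The legitimate login page is human.aspx, which the shell's name mimics.

```python
"""Defender-side hunt for the MOVEit Transfer indicators named in the post.

Added example: not code from the original post, Progress, or Huntress.
Log lines are constructed; the baseline list, directory listing and time
window are assumptions, not published values.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C extended-format lines (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-05-28 02:14:03 10.0.0.5 GET /human.aspx - 198.51.100.7 200
2023-05-28 02:14:09 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 198.51.100.7 200
2023-05-28 02:14:10 10.0.0.5 POST /guestaccess.aspx - 198.51.100.7 200
2023-05-28 02:14:15 10.0.0.5 GET /human2.aspx - 198.51.100.7 200
2023-05-28 08:00:00 10.0.0.5 GET /human.aspx - 203.0.113.20 200
2023-05-28 08:00:04 10.0.0.5 POST /guestaccess.aspx - 203.0.113.20 200
"""

# Web-shell file name the post (citing Huntress) names as a persistence artefact.
WEBSHELL_NAMES = {"human2.aspx"}
# Assumed threshold for the moveitisapi.dll -> guestaccess.aspx pairing; tune per site.
CHAIN_WINDOW = timedelta(seconds=30)
# Assumed known-good baseline of .aspx files (a real install has many more).
KNOWN_GOOD_ASPX = {"human.aspx", "guestaccess.aspx"}
# Constructed wwwroot listing for the baseline check.
CONSTRUCTED_LISTING = ["human.aspx", "guestaccess.aspx", "human2.aspx", "web.config"]


def parse_iis_log(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than abort the hunt
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def find_webshell_hits(records):
    """Return (timestamp, client ip, uri) for every request to a known web-shell name."""
    hits = []
    for r in records:
        if os.path.basename(r["cs-uri-stem"]).lower() in WEBSHELL_NAMES:
            hits.append((r["ts"], r["c-ip"], r["cs-uri-stem"]))
    return hits


def find_chain_sequences(records, window=CHAIN_WINDOW):
    """Return client IPs that POSTed moveitisapi.dll then guestaccess.aspx within `window`."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["c-ip"]].append(r)
    suspicious = []
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        last_isapi = None  # time of the most recent POST to moveitisapi.dll
        for r in recs:
            stem = r["cs-uri-stem"].lower()
            if r["cs-method"] == "POST" and stem.endswith("moveitisapi.dll"):
                last_isapi = r["ts"]
            elif (r["cs-method"] == "POST" and stem.endswith("guestaccess.aspx")
                  and last_isapi is not None and r["ts"] - last_isapi <= window):
                suspicious.append(ip)
                break
    return suspicious


def unexpected_aspx(listing, baseline):
    """Return .aspx files in a web-root listing that are absent from the known-good baseline."""
    return sorted(f for f in listing
                  if f.lower().endswith(".aspx") and f.lower() not in baseline)


if __name__ == "__main__":
    recs = list(parse_iis_log(SAMPLE_LOG))
    for ts, ip, uri in find_webshell_hits(recs):
        print(f"[HIGH]   {ts} {ip} requested {uri}")
    for ip in find_chain_sequences(recs):
        print(f"[MEDIUM] {ip}: moveitisapi.dll -> guestaccess.aspx within {CHAIN_WINDOW}")
    print("[INFO]   unexpected .aspx files:", unexpected_aspx(CONSTRUCTED_LISTING, KNOWN_GOOD_ASPX))
```

On the constructed input the first client trips all three checks while the second, which only loads the login page and then guestaccess.aspx, trips none; in production, point `parse_iis_log` at the real W3C logs and build the baseline from a clean install rather than the two-entry placeholder used here.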
