A new zero-day vulnerability in MOVEit Transfer has been widely exploited in data theft attempts

Ref# AL2023_46 | Date: Jun 12th 2023

Description 

A malicious MOVEit Transfer user could create and save a payload within the MOVEit Transfer app. If a victim interacts with the stored payload while inside the MOVEit Transfer instance, it could invoke and execute arbitrary code within the context of the victim's browser (XSS).

Details 

MOVEit Transfer is a Managed File Transfer (MFT) solution that enables enterprises to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.  It has been observed that a vulnerability in MOVEit Transfer could result in elevated privileges and unauthorized access to the environment. To prevent exploitation, the developers advise administrators to prohibit external traffic to MOVEit Transfer server ports 80 and 443.  

The MOVEit Transfer issue is a SQL injection vulnerability that can lead to remote code execution; at the time of writing it has no CVE assigned. A web shell named “human2.asp” has been found in the public HTML folder, C:\MOVEit Transfer\wwwroot.

The web shell first checks whether the inbound request contains a header named X-siLock-Comment and returns a 404 “Not Found” error if that header is not populated with a specific password-like value. When the web shell is visited with the right password, the script performs various actions depending on the values of the request headers “X-siLock-Step1”, “X-siLock-Step2”, and “X-siLock-Step3”. These commands enable the threat actor to download data from MOVEit Transfer's MySQL server and perform other activities, such as:

  • Get a list of saved files, the user who uploaded them, and their file locations. 

  • Create new MySQL sessions and insert and remove a new randomly named MOVEit Transfer user with the login name “Health Check Service”.

  • As stated in a Progress help article, retrieve information about the configured Azure Blob Storage account, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings. Threat actors can use this information to steal data directly from the victims' Azure Blob Storage containers.

  • Download files from the server.  

MOVEit Transfer administrators have also reported on Reddit that after being infiltrated, they are finding numerous randomly named App_Web_*.dll files, such as App_Web_feevjhtu.dll, when there should only be one.

Remediation 

It is recommended to block ports 80 and 443 on the MOVEit Transfer server. This prevents external access to the web UI and will also stop some MOVEit Automation tasks, the APIs, and the Outlook MOVEit Transfer plugin from functioning.

SFTP and FTP/S, on the other hand, can still be used to transfer files. According to the developers, administrators should also check the “C:\MOVEit Transfer\wwwroot” folder for unexpected files, such as backups or unusually large file downloads.
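The indicators described in the Details and Remediation sections (a human2.asp web shell in wwwroot, more than one App_Web_*.dll, and a “Health Check Service” account) can be hunted for with a short script. The following is an added example, not Progress tooling or code from this advisory; the `hunt` helper is hypothetical and assumes the responder has already collected a file listing of the server and an export of MOVEit user names.

```python
"""Hunt for the MOVEit Transfer post-exploitation indicators named in the advisory.

Hypothetical helper (not Progress tooling): it takes a file listing of the MOVEit
server and the MOVEit user list that the operator has already collected, and
returns findings a responder can triage.
"""
import ntpath
import re

WWWROOT = r"C:\MOVEit Transfer\wwwroot"
# ASP.NET names compiled page assemblies App_Web_<random>.dll; only one is expected.
APP_WEB_RE = re.compile(r"^App_Web_[A-Za-z0-9_-]+\.dll$", re.IGNORECASE)
ROGUE_USER = "health check service"  # compared case-insensitively


def under_wwwroot(path: str) -> bool:
    """True if the path sits inside the public wwwroot folder (case-insensitive)."""
    return path.lower().startswith(WWWROOT.lower() + "\\")


def hunt(file_paths, user_names):
    """Return (severity, message) findings; an empty list means no indicator matched."""
    findings = []
    app_web_dlls = []
    for path in file_paths:
        if not under_wwwroot(path):
            continue
        name = ntpath.basename(path)
        # The advisory names the web shell human2.asp; startswith also covers human2.aspx.
        if name.lower().startswith("human2.asp"):
            findings.append(("critical", f"web shell dropped in wwwroot: {path}"))
        elif APP_WEB_RE.match(name):
            app_web_dlls.append(path)
    if len(app_web_dlls) > 1:
        findings.append(("high", f"{len(app_web_dlls)} App_Web_*.dll files found, expected 1: "
                         + ", ".join(app_web_dlls)))
    for user in user_names:
        if user.strip().lower() == ROGUE_USER:
            findings.append(("high", f"unexpected MOVEit user account: {user!r}"))
    return findings


# Constructed sample data standing in for a real directory listing and user export.
SAMPLE_FILES = [
    r"C:\MOVEit Transfer\wwwroot\human2.aspx",
    r"C:\MOVEit Transfer\wwwroot\bin\App_Web_feevjhtu.dll",
    r"C:\MOVEit Transfer\wwwroot\bin\App_Web_k2p9xz1a.dll",
    r"C:\MOVEit Transfer\wwwroot\index.html",
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_USERS = ["alice", "bob", "Health Check Service"]

if __name__ == "__main__":
    for severity, message in hunt(SAMPLE_FILES, SAMPLE_USERS):
        print(f"[{severity}] {message}")
```

On a live server the file list would come from a recursive directory walk of wwwroot and the user list from the MOVEit admin console; a match is a trigger for full incident response, not a cleanup step on its own.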
