MOVEit is a popular file transfer application. On May 31 2023, Progress disclosed a critical vulnerability in it that led to widespread exfiltration of sensitive data stored on the platform. The incident gained significant attention when Zellis, a major UK-based payroll provider serving numerous high-profile companies, publicly acknowledged the compromise of customer and staff personally identifiable information.
Two days after the announcement, the vulnerability was assigned CVE-2023-34362. However, it is suspected that threat actors had been exploiting the vulnerability for at least four days prior to the disclosure. While the exact number of affected victims remains undisclosed, the attack has been characterised as involving mass exploitation and broad data theft.
Initially identified as an isolated SQL injection (SQLi) attack, further investigation revealed that the SQLi only served as a foothold for achieving full remote code execution on the underlying server running MOVEit. The attack vector commences with threat actors conducting a SQLi attack by requesting moveitisapi.dll with specific headers, then using guestaccess.aspx to prepare a session. Once a valid session is obtained, code execution is achieved by uploading a web shell named LEMURLOOT, written in C#, which masquerades as the legitimate "human.aspx" component used by MOVEit. The web shell is named "human2.aspx" to closely resemble the legitimate file. It should be noted that the use of the LEMURLOOT web shell is not mandatory; however, it provides threat actors with a method of persistence.
The web shell's initial step involves inspecting incoming HTTP requests for the presence of the "X-siLock-Comment" header and an associated password-like value used for authentication. If the header is not present or the password value is invalid, the web shell returns a 404 error. Upon successful authentication of an inbound HTTP request using a valid password, LEMURLOOT gains the ability to execute system commands based on specific request headers, thereby enabling the threat actors to create new users under the name "Health Check Service" and to extract data from the server, such as Azure Blob Storage settings. The script executes these commands based on the values of the request headers 'X-siLock-Step1', 'X-siLock-Step2', and 'X-siLock-Step3'.
Detection and Indicators of Attack
Analysis from security companies dealing with the incident has indicated that the "human2.aspx" web shell was located in the /wwwroot folder within the MOVEit install directory:
It is recommended to capture and review the log files created by the MOVEit service on Windows, which are located at:
Although the service does not enable logging by default, MOVEit clients commonly enable it following installation. It is vital to ensure that logs are reviewed prior to restoring from backup or wiping the server completely.
The following IP addresses have been released as being associated with the attack:
Known HTTP requests made to MOVEit Transfer servers associated with the attack are:
- POST /moveitisapi/moveitisapi.dll
- POST /guestaccess.aspx
- POST /api/v1/folders/[random]/files
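The following Python script is an added example and not part of the original advisory: it scans IIS W3C log lines for the three request paths listed above, issued in order by a single client IP, and for any access to the human2.aspx web shell name. It assumes a simplified field layout of date, time, client IP, method, URI stem and status, and runs on constructed sample lines.

```python
import re
from collections import defaultdict

# Request paths named in the advisory, in attack order; the folder id segment is random.
CHAIN_PATTERNS = [
    ("POST", re.compile(r"^/moveitisapi/moveitisapi\.dll$", re.I)),
    ("POST", re.compile(r"^/guestaccess\.aspx$", re.I)),
    ("POST", re.compile(r"^/api/v1/folders/[^/]+/files$", re.I)),
]
# Any hit on the web shell name counts, 404s included: LEMURLOOT itself answers 404
# when the X-siLock-Comment password is missing or wrong.
WEBSHELL = re.compile(r"/human2\.aspx$", re.I)

def parse_w3c(line):
    """Parse one line with the assumed field layout: date time c-ip cs-method cs-uri-stem sc-status."""
    if not line or line.startswith("#"):  # blank line or W3C directive such as #Fields
        return None
    parts = line.split()
    if len(parts) < 6:
        return None
    date, time, cip, method, uri, status = parts[:6]
    return {"ts": f"{date} {time}", "ip": cip, "method": method.upper(), "uri": uri, "status": status}

def find_suspicious(lines):
    """Return (webshell_hits, chain_ips): every human2.aspx access, plus client IPs that ran the chain in order."""
    webshell_hits, chain_ips = [], set()
    progress = defaultdict(int)  # client IP -> index of the next chain step expected
    for line in lines:
        rec = parse_w3c(line)
        if rec is None:
            continue
        if WEBSHELL.search(rec["uri"]):
            webshell_hits.append((rec["ts"], rec["ip"], rec["uri"], rec["status"]))
        step = progress[rec["ip"]]
        if step < len(CHAIN_PATTERNS):
            method, pat = CHAIN_PATTERNS[step]
            if rec["method"] == method and pat.match(rec["uri"]):
                progress[rec["ip"]] = step + 1
                if step + 1 == len(CHAIN_PATTERNS):
                    chain_ips.add(rec["ip"])
    return webshell_hits, sorted(chain_ips)

# Constructed sample log (not real data): the first client runs the chain, then reaches the web shell.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-05-30 02:11:05 203.0.113.10 POST /moveitisapi/moveitisapi.dll 200
2023-05-30 02:11:06 203.0.113.10 POST /guestaccess.aspx 200
2023-05-30 02:11:09 203.0.113.10 POST /api/v1/folders/1234567/files 200
2023-05-30 02:11:15 203.0.113.10 POST /human2.aspx 404
2023-05-30 02:12:00 198.51.100.7 GET /human.aspx 200""".splitlines()
```

Call `find_suspicious(SAMPLE_LOG)` to see both findings; on a real host, feed it the IIS log lines for the MOVEit site and adjust the field indices to match the #Fields directive of your logs.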
Mitigation (MOVEit Transfer Only)
MOVEit developer Progress Software has released critical patches to prevent compromise of the platform. The full advice and patch notes can be found on Progress' website (https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023). If you host MOVEit Transfer, it is highly recommended these are applied. If you subscribe to MOVEit Cloud, no action is necessary.