Affected Platforms: All unpatched MOVEit Transfer versions running a SQL database
Impacted Users: Any organization that uses a vulnerable version of MOVEit Transfer
Impact: Remote attackers can install a backdoor and exfiltrate data
Severity Level: High

FortiGuard Labs is aware of a critical zero-day SQL injection vulnerability in the MOVEit Secure Managed File Transfer software (CVE-2023-34362) allegedly exploited by the Cl0p ransomware threat actor. High-profile government, finance, media, aviation, and healthcare organizations have reportedly been affected, with data exfiltrated and stolen.

Due to its severity, CISA released an advisory for the vulnerability on June 1^st, 2023. They also updated the Known Exploited Vulnerabilities catalog on June 2^nd with CVE-2023-34362.

This blog contains information on what you need to know about CVE-2023-34362. For further details, please see the related FortiGuard Labs Outbreak Alert.

What is MOVEit Transfer?

MOVEit Transfer is a commercial secure managed file transfer (MFT) software solution that enables the secure movement of files between organizations and their customers using SFTP, SCP, and HTTP-based uploads.

What is CVE-2023-34362?

MOVEit Transfer is vulnerable to a SQL injection vulnerability that could allow an unauthenticated attacker to access MOVEit Transfer's database.  Structured Query Language (SQL) allows queries and commands to be executed against a relational database. An injection vulnerability allows an attacker to manipulate one of these queries to exploit a system to retrieve data or make changes.

In this case, an attacker could pull data from the database that would otherwise be secured, execute their own SQL queries, and change and delete data. This vulnerability affects versions of MOVEit before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1) as well as versions using the following engines to host the actual database: MySQL [open-source relational database management system], Microsoft SQL Server [Microsoft on-premises relational database management system], and Azure SQL [Microsoft cloud-based relational database management system]).

Reportedly, a web shell that acts as a backdoor was deployed, and data exfiltration was performed after successfully exploiting the vulnerability. However, as described in the next section, attackers can deploy any file after exploitation.

At the time of this writing, a CVSS score still needs to be assigned for the vulnerability.

What does the Deployed Web Shell Do?

Our investigation on a web shell backdoor likely installed after CVE-2023-34362 was successfully exploited revealed that all commands to the backdoor are sent through extra HTTP request headers. A password is needed to verify the attacker and allow access to the backdoor. This is sent with the "X-siLock-Comment" header. If the password is invalid, the backdoor will respond with a 404 HTTP status code to pretend the backdoor doesn't exist.

We also discovered that the web shell has the following attack flows:

1.     Delete the service account. The HTTP request headers should include the following:

• X-siLock-Comment: [password]
• X-siLock-Step1: -2

If "-2" is sent with an "X-siLock-Step1" header, the backdoor deletes any users from the "user" table in the database that has the actual name of "Health Check Service."

2.     List database files. The HTTP request headers should include the following:

• X-siLock-Comment: [password]
• X-siLock-Step1: -1

If "-1" is sent with an "X-siLock-Step1" header, the backdoor list files in the database. The file listing also includes file metadata. It tries to include the file's id, name, and size. It also tries to display the file's location (folder path) and which user owns/uploaded the file. The listing also tries to include which institution the file is associated with.

3.     Create a new service account. The HTTP request headers should include the following:

• X-siLock-Comment: [password]
  
• X-siLock-Step1: [arbitrary institution id]

If an integer is sent with an "X-siLock-Step1" header, and it isn't "-1" or "-2", the backdoor assumes it is an institution id. Institution ids can be enumerated from step 2 in the attack flow when the database files are listed. The attacker is trying to create a new service account for a specific institution. To ensure step 1 in the attack flow was successful, this command first looks for users with an active session and a permission level of "30" belonging to the institution. If no account with the real name of “Health Check Service” exists, the backdoor creates a new username containing 16 random alphanumeric characters. It inserts that as the new Health Check Service account for the specified institution. It then tries to add that to the list of currently active sessions using the IP address 127.0.0.1 since the service account is supposed to be local.

4.     Download arbitrary files. The HTTP request headers should include the following:

• X-siLock-Comment: [password]
• X-siLock-Step1: [arbitrary institution id]
• X-siLock-Step2: [arbitrary folder id]
• X-siLock-Step3: [arbitrary file id]

If an institution id, folder id, and file id are all included, it attempts to download the file. These values can be obtained from step 2 in the overall attack flow.

How Widespread is the Attack?

While we do not know precisely how many organizations were impacted by this vulnerability, publicly available information indicates that several high-profile organizations have been compromised.

The web shell backdoor, likely deployed due to the successful exploitation of CVE-2023-34362, was submitted to a public file scanning service from the United States, the United Kingdom, Germany, Italy, India, and Pakistan. As such, potential victims could likely be located in those countries.

Has the Vendor Released an Advisory for CVE-2023-34362?

The vendor released an advisory on May 31^st, 2023, along with the timeline:

• MOVEit Transfer Critical Vulnerability (May 2023)
• MOVEit Transfer and MOVEit Cloud Vulnerability

The advisory contains Indicators of Compromise (IOCs) that can help cybersecurity professionals identify attacks leveraging CVE-2023-34462.

Has the Vendor Released a Patch for CVE-2023-34362?

Yes. A vendor patch was released on May 31^st, 2023.

What is the Status of Protection?

FortiGuard Labs has the following AV signature available for the available web shell backdoor samples reportedly deployed after CVE-2023-34362 was exploited:

• JS/TiMove.A!tr.bdr

FortiGuard Labs released the following IPS signature for CVE-2023-34362 in version 23.570:

• Progress.MOVEit.Transfer.Unrestricted.File.Upload

Webfiltering blocks Network IOCs listed on the security advisory issued by Progress.

For a comprehensive list of protections from FortiGuard Labs, please visit the Outbreak Alert page for further details.

Is Mitigation Available?

Yes, the vendor advisory contains mitigation that can be applied before applying the vendor patch.

Conclusion

CVE-2023-34362 has allegedly been leveraged by the Cl0p ransomware threat actor to compromise multiple organizations for data exfiltration and other malicious activities. Now that the vulnerability has gained public attention, we expect other threat actors to also leverage this vulnerability, and new attempts at exploitation will likely be accelerated. As such, FortiGuard Labs strongly urges MOVEit Transfer users to apply all patches and implement mitigations provided by the vendor as soon as possible.

FortiGuard Labs will continue to actively monitor the situation for further insights and provide additional information about protections as they become available.

IOCs

File IOCs

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.