Deepwatch Detects Webshell Activity After Suspected Exploitation of a Critical Vulnerability in Progress Software’s MOVEit Transfer Product

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 7 minutes

Deepwatch does not use MOVEit as a vendor and is not impacted by this vulnerability.

Executive Summary

This report highlights the suspected exploitation of an unauthenticated SQLi vulnerability in Progress Software’s MOVEit Transfer product, in which an unknown threat actor wrote a webshell file named “human2.aspx” to disk. Immediate actions are recommended, including modifying firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443, and applying patches in accordance with patch management policies. Organizations can still maintain access to MOVEit Transfer through a remote desktop workaround. Failure to address the vulnerability may lead to unauthorized access, escalated privileges, and possible data theft.

ATI Insights & Determinations

  • An unknown threat actor is suspected of exploiting an unauthenticated SQLi vulnerability in Progress Software’s MOVEit Transfer product.
  • The threat actor wrote a webshell file named human2.aspx to disk following the suspected exploitation of the vulnerability.
  • Affected MOVEit Transfer versions include 2023.0.0, 2022.1.x, 2022.0.x, 2021.1.x, and 2021.0.x.
  • Organizations should expect an uptick in exploitation attempts, likely targeting organizations across multiple sectors, such as finance, insurance, healthcare, government, and technology.
  • The suspected exploitation of MOVEit Transfer is reminiscent of CL0P Ransomware Group’s mass exploitation of zero-day vulnerabilities in GoAnywhere MFT in January 2023 and Accellion FTA servers in December 2020.
  • Progress recommends that organizations immediately disable all HTTP and HTTPS traffic to their MOVEit Transfer environment and apply patches per their patch management policy for all supported MOVEit Transfer versions.

Introduction

This cyber threat intelligence report provides a comprehensive analysis of the suspected exploitation of an unauthenticated SQLi vulnerability in Progress Software’s MOVEit Transfer product. The purpose is to assess the extent of the compromise, identify potential access and post-compromise activity, and provide recommendations for mitigation and remediation. The scope and objectives of this report focus on the detection and analysis of the webshell activity and how it relates to the suspected vulnerability exploitation, including examination of indicators of compromise (IOCs) and an assessment of the potential impact on affected systems and data. The methodology encompasses detection and analysis techniques such as network traffic and log analysis. Data sources include network traffic logs, system logs, and open-source intelligence, while limitations and assumptions include incomplete data, access constraints, and assumptions about the threat actor’s motivations and capabilities.

Overview & Background

On 31 May 2023, Progress discovered a vulnerability in its MOVEit Transfer product, stating that successful exploitation could lead to privilege escalation and potential unauthorized access to the environment.

On the morning of the next day, Deepwatch detected an unknown threat actor exploiting an unauthenticated SQLi vulnerability in Progress Software’s MOVEit Transfer product in a single organization operating in the Finance and Insurance sector. The actor wrote a webshell file to disk, indicating the exploitation of the vulnerability.

Progress Software’s MOVEit Transfer is a managed file transfer (MFT) solution designed to securely and reliably transfer sensitive data within organizations and across business ecosystems. An auditable file transfer process enables businesses to replace other methods, such as email, FTP, and physical media. MOVEit Transfer caters to enterprises and organizations operating in highly regulated industries such as healthcare, finance, government, and manufacturing, where protecting sensitive data is paramount.

Webshells are malicious scripts or code that allow threat actors to maintain persistent access and control over a compromised web server or application. They provide a command-line interface or graphical user interface (GUI) that enables threat actors to execute commands, manipulate files, and carry out various actions on the compromised system. Threat actors utilize webshells to exploit vulnerabilities in web applications or servers, establishing a persistent foothold.

The threat actor demonstrates an understanding of managed file transfer (MFT) platforms, focusing on exploiting vulnerabilities within these systems. The suspected exploitation of the unauthenticated SQLi vulnerability in MOVEit Transfer may indicate technical skills and knowledge of SQLi techniques. Following the initial compromise, the actor deployed a webshell file named “human2.aspx” on the compromised system, providing them with persistent access and the ability to execute arbitrary commands.

Furthermore, the behavior of the threat actor aligns with data theft and extortion practices. Similar to the CL0P Ransomware Group, known for targeting GoAnywhere MFT and Accellion FTA servers, the current threat actor may steal data from compromised systems and leverage it for extortion—reports of numerous organizations experiencing data theft using the exploited zero-day vulnerability further support this assessment.

Initial Access

An unknown threat actor is suspected of achieving initial access by exploiting an unauthenticated SQLi vulnerability in an internet-facing instance of Progress Software’s MOVEit Transfer product. The Adversary Tactics and Intelligence team continues investigating the methods and activities used to gain access.

Given the details disclosed publicly, the suspected exploitation of MOVEit Transfer is reminiscent of the mass exploitation of zero-day vulnerabilities in GoAnywhere MFT in January 2023 and Accellion FTA servers in December 2020, both of which are managed file transfer platforms that were exploited by the CL0P Ransomware Group to steal data and extort organizations.

Post-compromise Activity

Deepwatch observed the threat actor write a webshell file named human2.aspx to disk following the suspected exploitation of the vulnerability. This name matches the name of a webshell file shared by Huntress Labs in a Reddit post. In the post, Huntress Labs stated that they “have uncovered single-digits of hosts with the currently known indicator of compromise: C:\MOVEitTransfer\wwwroot\human2.aspx.” The Adversary Tactics and Intelligence team continues to investigate this file to confirm whether it is the same file observed by Huntress Labs, and to look for follow-on activity. In an article by Lawrence Abrams for BleepingComputer, it is reported that “BleepingComputer is aware of numerous organizations that have had data stolen using the zero-day.”

Outlook

Looking ahead, organizations should expect an uptick in exploitation attempts targeting the unauthenticated SQLi vulnerability in Progress Software’s MOVEit Transfer product. As news of the vulnerability spreads, threat actors will likely target organizations across multiple sectors, such as finance, insurance, healthcare, government, and technology. To stay prepared, organizations should anticipate more sophisticated attack techniques and be vigilant in updating their security measures to mitigate these evolving threats.

Be On the Lookout (BOLO)

We recommend that all customers retrospectively hunt for malicious activity, which would likely indicate compromise, using the threat hunting guidance below and the observables listed in the Observables section.

  • Unauthorized or unexpected web log entries relating to “human2.aspx” or other anomalous script files inside C:\MOVEitTransfer\wwwroot\
    • Ex. C:\MOVEitTransfer\wwwroot\human2.aspx
  • General creation of unexpected files in the C:\MOVEitTransfer\wwwroot\ directory
    • This includes backups
  • Unexpectedly large file transfers relating to the IP address of the appliance, or of MOVEit logs/files from the installation directory
  • Presence of a “Health Check Service” user in the MOVEit user database
    • May also be visible within session data for the MOVEit database
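As an added example (not part of the Deepwatch report or of any vendor tooling), the following Python script applies the hunting guidance above to IIS W3C log lines from a MOVEit Transfer web server. The log lines are constructed for illustration; the webshell name and the defanged IP addresses are the ones listed in the Observables section of this report. The allowlist of expected script files and the 10 MiB large-transfer threshold are assumptions that should be tuned from a known-good MOVEit Transfer install.

```python
"""Retrospective hunt over IIS W3C logs for the BOLO items in this report.

Added example, not part of the Deepwatch report. SAMPLE_LOG is constructed;
the observables below are the ones published in the report.
"""
from collections import Counter

WEBSHELL_NAME = "human2.aspx"

# Observables from the report, kept defanged as published.
DEFANGED_IPS = [
    "104.248.229[.]49", "167.99.13[.]19", "5.252.191[.]14",
    "138.197.152[.]201", "209.97.137[.]33", "89.39.105[.]108",
]

# Assumption: script files that legitimately live under wwwroot. Build this
# from a known-good install; the single entry here is only a baseline for the example.
KNOWN_GOOD_SCRIPTS = {"human.aspx"}

# Assumption: a response larger than this is worth a look as a possible bulk pull.
LARGE_TRANSFER_BYTES = 10 * 1024 * 1024

# Constructed sample log (IIS W3C extended format with a #Fields: header).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes
2023-06-01 03:12:44 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 5120
2023-06-01 03:14:02 10.0.0.5 POST /human2.aspx - 443 - 104.248.229.49 - 200 312
2023-06-01 03:14:09 10.0.0.5 GET /human2.aspx - 443 - 104.248.229.49 - 200 52428800
2023-06-01 03:20:31 10.0.0.5 GET /api/v1/token - 443 - 192.0.2.10 curl/8.0 401 0
2023-06-01 03:22:10 10.0.0.5 GET /backup.aspx - 443 - 167.99.13.19 - 200 1024
"""


def refang(ioc: str) -> str:
    """Turn a published, defanged IP such as 104.248.229[.]49 back into a matchable string."""
    return ioc.replace("[.]", ".")


OBSERVABLE_IPS = {refang(ip) for ip in DEFANGED_IPS}


def parse_iis_log(text: str) -> list:
    """Parse W3C extended log text into dicts keyed by the names in the #Fields: header."""
    fields, records = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]  # field layout is declared by the server
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if not fields or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        rec = dict(zip(fields, values))
        rec["_line"] = lineno
        records.append(rec)
    return records


def hunt(records: list, large_bytes: int = LARGE_TRANSFER_BYTES) -> list:
    """Return one finding per log record that matches any BOLO item, with the reasons."""
    findings = []
    for rec in records:
        reasons = []
        stem = rec.get("cs-uri-stem", "")
        script = stem.rsplit("/", 1)[-1].lower()
        if script == WEBSHELL_NAME:
            reasons.append("webshell-name")
        elif script.endswith(".aspx") and script not in KNOWN_GOOD_SCRIPTS:
            reasons.append("unexpected-script")
        if rec.get("c-ip") in OBSERVABLE_IPS:
            reasons.append("observable-ip")
        try:
            if int(rec.get("sc-bytes", "0")) >= large_bytes:
                reasons.append("large-transfer")
        except ValueError:
            pass  # sc-bytes is "-" when IIS did not record it
        if reasons:
            findings.append({"line": rec["_line"], "client": rec.get("c-ip"),
                             "uri": stem, "reasons": reasons})
    return findings


def summarize(findings: list) -> Counter:
    """Count how often each reason fired, for a quick triage summary."""
    return Counter(r for f in findings for r in f["reasons"])


if __name__ == "__main__":
    results = hunt(parse_iis_log(SAMPLE_LOG))
    for f in results:
        print(f"line {f['line']}: {f['client']} {f['uri']} -> {', '.join(f['reasons'])}")
    print(dict(summarize(results)))
```

The parser reads the column layout from the `#Fields:` header rather than assuming it, because IIS logging fields are configurable per site; on a real server, point it at the files under the IIS log directory and replace the allowlist with the script names present in a clean install. A hit on a single reason is a lead, not a verdict; a request to human2.aspx from a listed IP followed by a large response is the combination that should be escalated.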

Recommendations

Progress recommends organizations immediately apply the following mitigation measures:

Disable all HTTP and HTTPS traffic to your MOVEit Transfer system, specifically:

  • Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. If you require additional support, please immediately contact Progress Technical Support by opening a case via https://community.progress.com/s/supportlink-landing.

It is important to note that until HTTP and HTTPS traffic is enabled again:

  • Users will not be able to log on to the MOVEit Transfer web UI
  • MOVEit Automation tasks that use the native MOVEit Transfer host will not work
  • REST, Java, and .NET APIs will not work
  • MOVEit Transfer add-in for Outlook will not work
  • Please note: SFTP and FTP/S protocols will continue to work as normal

For organizations that must maintain access, Progress advises using a remote desktop session to the Windows machine and then browsing to https://localhost/. For more information on localhost connections, please refer to the MOVEit Transfer Help documentation.

The Adversary Tactics and Intelligence team recommends that organizations apply patches in accordance with their patch management policy for all supported MOVEit Transfer versions. Additionally, given reports that the vulnerability is being exploited to steal data from organizations, it is recommended to review data transfers in the relevant logs.

Sources

MITRE ATT&CK

T1190 Exploit Public-Facing Application
T1059 Command and Scripting Interpreter

Observables

human2.aspx
Webshell file name 

104.248.229[.]49
167.99.13[.]19
IP addresses observed by Deepwatch communicating with human2.aspx

5.252.191[.]14
IP address communicated with human2.aspx as reported by Huntress Labs 

138.197.152[.]201
IP address reported by Huntress Labs

209.97.137[.]33
IP address reported by Huntress Labs

89.39.105[.]108
IP address reported by Huntress Labs

2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d
702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272
c56bcb513248885673645ff1df44d3661a75cfacdce485535da898aa9ba320d4
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195
e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e
fe5f8388ccea7c548d587d1e2843921c038a9f4ddad3cb03f3aa8a45c29c6a2f
SHA256 hashes reported by TrustedSec

Note:
Observables are properties (such as an IP address, MD5 hash, or the value of a registry key) or measurable events (such as the creation of a registry key or a user) and are not, on their own, indicators of compromise. The observables listed above are intended to provide contextual information only. Deepwatch evaluates the observables and applies those it deems appropriate to our detections.

Observing sets of these properties (observables) could be an indicator of compromise. For instance, observing an IP address, creation of a user with admin privileges and a registry key could be indicators of compromise and should be investigated further.
