Last updated at Thu, 10 Aug 2023 20:55:31 GMT

Note: As of June 2, 2023, CVE-2023-34362 has been assigned to the original MOVEit Transfer zero-day vulnerability. To date, additional MOVEit Transfer CVEs have been disclosed and patched on June 9, June 15, and July 6, 2023. Progress has updates here. Rapid7 recommends updating MOVEit Transfer immediately for all critical CVE releases.

Rapid7 managed services teams are observing exploitation of a critical zero-day vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer solution across multiple customer environments. We have observed an uptick in related cases since the vulnerability was publicly disclosed on May 31, 2023; Rapid7 intelligence indicates that the threat actors leveraging CVE-2023-34362 have exploited a wide range of organizations, particularly in North America.

MOVEit Transfer customers should prioritize remediation on an emergency basis and should invoke emergency incident response procedures if any indicators of compromise are found in their environments. Note that while updating to a fixed version will help protect against future exploitation, patching alone is not sufficient to address a threat actor's existing access to systems that have already been compromised.

Rapid7 has a full in-depth technical analysis of the remote code execution exploit chain for CVE-2023-34362 in AttackerKB.

Background

Progress Software published an advisory on Wednesday, May 31, 2023 warning of a critical SQL injection vulnerability in their MOVEit Transfer solution. The flaw is a SQL injection vulnerability that allows a remote attacker to gain unauthorized access to MOVEit Transfer's database. The advisory notes that "depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements...exploitation of unpatched systems can occur via HTTP or HTTPS."

As of June 2, CVE-2023-34362 has been assigned to this issue. The vulnerability was exploited by threat actors at least four days prior to the advisory; Progress Software has advised MOVEit customers to check for indicators of unauthorized access over "at least the past 30 days."

As a result of large-scale community attention on CVE-2023-34362, Progress Software released a new patch for CVE-2023-35036, a second SQL injection vulnerability, on Friday, June 9. One of the files changed appears to be moveitisapi.dll, which our research team confirmed plays a role in the original attack chain. All versions of MOVEit Transfer are affected by this second vulnerability, which is not yet known to be exploited in the wild.

On Thursday, June 15, Progress disclosed a third vulnerability that has now been assigned CVE-2023-35708.

As of May 31, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority of which look to be in the United States. Rapid7 has previously analyzed similar SQLi-to-RCE flaws in network edge systems; these types of vulnerabilities can provide threat actors with initial access to corporate networks. File transfer solutions have also been popular targets for attackers, including ransomware groups, in recent years.

Microsoft attributed the MOVEit Transfer zero-day attacks to Lace Tempest, a threat actor previously linked to Cl0p ransomware, data theft, and extortion attacks. On June 6, the Cl0p gang posted a message on their leak site demanding that victims contact them by June 14 to negotiate an extortion fee for the deletion of stolen data. Rapid7 threat intelligence captured the below screenshot of the threat group's demands.
Rapid7 threat intel - Cl0p extortion demands, June 6

Observed Attacker Behavior

To date, Rapid7 services teams have confirmed indicators of compromise and data exfiltration dating back to at least May 27 and May 28, 2023 (respectively). Our teams have observed the same webshell name in multiple customer environments, which may indicate automated exploitation.

The adversary behavior our teams have observed so far appears to be opportunistic rather than highly targeted; the uniformity of the artifacts we're seeing could plausibly be the work of a single threat actor throwing one exploit indiscriminately at exposed targets. Mandiant has additional analysis supporting this theory here.

Rapid7 analyzed a sample webshell payload associated with successful exploitation. The webshell code would first determine whether the inbound request contained a header named X-siLock-Comment, and would return a 404 "Not Found" error if the header was not populated with a specific password-like value. As of June 1, 2023, all instances of Rapid7-observed MOVEit Transfer exploitation involve the presence of the file human2.aspx in the wwwroot folder of the MOVEit install directory (human.aspx is the native aspx file used by MOVEit for the web interface).

Mitigation Guidance

All MOVEit Transfer versions prior to May 31, 2023 are vulnerable to CVE-2023-34362. Fixed versions of the software are available (see the list below); patches should be applied on an emergency basis. In a June 5 update, Progress Software emphasized that users should only download patches directly from the knowledge base article and not from third-party sources.

The below MOVEit Transfer versions were the latest as of June 9, 2023, and include fixes for CVE-2023-34362 and CVE-2023-35036. Note: New versions are being released to fix CVE-2023-35708 as of June 16. We will update this list as we are able, but please refer to Progress Software's advisory for the latest information.

  • MOVEit Transfer 2023.0.2
  • MOVEit Transfer 2022.1.6
  • MOVEit Transfer 2022.0.5
  • MOVEit Transfer 2021.1.5
  • MOVEit Transfer 2021.0.7

A special patch is available for MOVEit Transfer 2020.1.x (12.1). Users of 2020.0.x (12.0) or older must upgrade to a supported version. Progress Software has full up-to-date details and documentation on affected versions, along with installers and DLL drop-ins for fixed versions, in their June 9 advisory. We encourage MOVEit Transfer users to make the May 31, June 9, and June 15 advisories their source of ground truth, along with the overview page Progress Software has created.

MOVEit Cloud is also affected and has been patched globally. MOVEit Transfer users who leverage the Microsoft Azure integration should rotate their Azure storage keys.

MOVEit Transfer customers should set firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the CVE-2023-34362 patch is applied. Users should also delete any unauthorized files or user accounts (e.g., .cmdline scripts, human2.aspx instances).
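The following PowerShell script is an added example (not code from Rapid7 or Progress Software) that ties the webshell artifacts described under Observed Attacker Behavior to the mitigation steps above: it locates human2.aspx and .cmdline files under wwwroot, preserves them with hashes before any cleanup, searches IIS logs for requests to the dropped page, and blocks inbound 80/443. The install root, evidence folder and IIS log directory are placeholder assumptions; only the file names come from the post.

```powershell
# Added example: host triage for the MOVEit Transfer artifacts named in the post.
param(
    [string]$MoveitRoot  = 'C:\MOVEitTransfer',        # ASSUMPTION: placeholder install root
    [string]$EvidenceDir = 'C:\IR\moveit-evidence',    # ASSUMPTION: placeholder evidence folder
    [string]$IisLogDir   = 'C:\inetpub\logs\LogFiles'  # ASSUMPTION: default IIS W3C log location
)

$wwwroot = Join-Path $MoveitRoot 'wwwroot'
New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null

# 1. Find the artifacts the post names: human2.aspx dropped beside the legitimate human.aspx,
#    and .cmdline scripts anywhere under wwwroot.
$suspects = Get-ChildItem -Path $wwwroot -Recurse -File |
    Where-Object { $_.Name -ieq 'human2.aspx' -or $_.Extension -ieq '.cmdline' }

# 2. Hash, timestamp and copy each file out BEFORE it is deleted, so the evidence survives
#    the cleanup step and can feed the incident response process.
$report = foreach ($f in $suspects) {
    $sha = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Copy-Item -Path $f.FullName -Destination (Join-Path $EvidenceDir "$($f.Name).$($sha.Substring(0, 12))")
    [pscustomobject]@{
        Path       = $f.FullName
        CreatedUtc = $f.CreationTimeUtc.ToString('o')
        WrittenUtc = $f.LastWriteTimeUtc.ToString('o')
        SHA256     = $sha
    }
}
$report | Export-Csv -Path (Join-Path $EvidenceDir 'webshell-artifacts.csv') -NoTypeInformation

# 3. Requests for the dropped page in the IIS logs show when, and from which client IPs, it was
#    reached. X-siLock-Comment is a request header that default IIS logging does not record,
#    so the match is on the URI rather than on the header.
Get-ChildItem -Path $IisLogDir -Recurse -Filter '*.log' |
    Select-String -Pattern 'human2\.aspx' |
    Select-Object Path, LineNumber, Line |
    Export-Csv -Path (Join-Path $EvidenceDir 'iis-human2-requests.csv') -NoTypeInformation

# 4. Mitigation from the post: block inbound HTTP/HTTPS until the fixed version is installed.
foreach ($port in 80, 443) {
    New-NetFirewallRule -DisplayName "MOVEit IR block TCP $port" -Direction Inbound `
        -Protocol TCP -LocalPort $port -Action Block -Profile Any | Out-Null
}

if ($suspects) {
    Write-Warning "$(@($suspects).Count) suspect file(s) found; invoke incident response before deleting them."
}
```

Run it elevated on the MOVEit Transfer host; the CSVs in the evidence folder give responders the file hashes and the first-seen request times to work from.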

Per the MOVEit advisory, organizations should look for indicators of compromise dating back at least a month. Progress Software also lists IOCs in their advisory.

Identifying Data Exfiltration

Rapid7 incident response consultants have identified a method to determine what was exfiltrated from compromised MOVEit customer environments. MOVEit writes its own Windows EVTX file, which is located at C:\Windows\System32\winevt\Logs\MOVEit.evtx. The MOVEit event logs contain a single event ID (Event ID 0) that provides a plethora of information, including file name, file path, file size, IP address, and the username that performed the download.

Progress Software's engineering team has told Rapid7 that while MOVEit Transfer does not have event logging enabled by default, it's common for their customers to enable it post-installation. Therefore, many instances of the MOVEit application may have these records available on the host.

Affected organizations and incident responders can use this information to determine what data was exfiltrated and how much, which may also aid in meeting regulatory compliance standards where applicable. Note: It is critical that MOVEit customers capture this log data prior to wiping or restoring the application from an earlier backup. Security firm CrowdStrike also has a guide on querying SQL databases directly for exfiltrated data.
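An added example (not Rapid7's or Progress Software's code) of the preserve-then-query workflow described above: it copies MOVEit.evtx out of the live log directory, records its hash, pulls every Event ID 0 record in the lookback window from the preserved copy, and flattens the records to CSV. The evidence folder and the lookback start date are assumptions; the log path and event ID come from the post. Because the post does not document the exact message layout, the script keeps each message whole and exports the event's structured properties beside it rather than guessing field positions.

```powershell
# Added example: preserve the MOVEit event log and extract Event ID 0 records for triage.
param(
    [string]$EvtxPath    = 'C:\Windows\System32\winevt\Logs\MOVEit.evtx',  # path from the post
    [string]$EvidenceDir = 'C:\IR\moveit-evidence',                        # ASSUMPTION: placeholder
    [datetime]$Since     = (Get-Date '2023-05-01')  # ASSUMPTION: >= 30 days before the May 31 advisory
)

New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null

# 1. Preserve the raw log before any wipe or restore-from-backup touches the host, and hash it
#    so the copy can be shown to match what was collected.
$copy = Join-Path $EvidenceDir 'MOVEit.evtx'
Copy-Item -Path $EvtxPath -Destination $copy
$hash = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
"$hash  $copy" | Out-File -FilePath (Join-Path $EvidenceDir 'MOVEit.evtx.sha256')

# 2. Read Event ID 0 records in the window from the preserved copy, not the live file.
$events = Get-WinEvent -FilterHashtable @{ Path = $copy; Id = 0; StartTime = $Since } -ErrorAction Stop

# 3. Flatten to CSV. Properties carries the event's structured values (file name, path, size,
#    IP, username per the post); Message is kept verbatim for manual review.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        TimeCreatedUtc = $e.TimeCreated.ToUniversalTime().ToString('o')
        RecordId       = $e.RecordId
        Properties     = (@($e.Properties | ForEach-Object { $_.Value }) -join ' | ')
        Message        = $e.Message
    }
}
$rows | Export-Csv -Path (Join-Path $EvidenceDir 'moveit-event0.csv') -NoTypeInformation

# 4. Heuristic first pass: records mentioning a download, counted per UTC day, to bound the
#    exfiltration window before the per-file review.
$rows | Where-Object { $_.Message -match 'download' } |
    Group-Object { $_.TimeCreatedUtc.Substring(0, 10) } |
    Sort-Object Name |
    Select-Object Name, Count
```

Compare the daily counts against the compromise dates in the Observed Attacker Behavior section; a spike after May 27 that does not match normal business transfer volume marks the records to review file by file.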

Obtaining file download reports from MOVEit Transfer

Rapid7 thanks Progress Software for providing the following information.

The Progress Software team has indicated that MOVEit Transfer audit logs are stored in the database and can be queried either directly or via MOVEit Transfer's built-in reporting functionality. An admin could create a new Custom Report inside of MOVEit with the following values:
Fields: *
Table: log
Criteria: Action = 'file_download' AND (LogTime LIKE '2023-05%' OR LogTime LIKE '2023-06%')

Saving and running that report will return all File Download actions in the audit log for May and June of this year, with all relevant fields. The 'Fields' value could then easily be limited to just the relevant data from that point.

Rapid7 Customers

InsightVM and Nexpose customers can assess their exposure to CVE-2023-34362, CVE-2023-35036, and CVE-2023-35708 with both authenticated and remote vulnerability checks. Checks for CVE-2023-35708 are available as of the June 16 content release; InsightVM and Nexpose customers should ensure they are using the latest content version. Authenticated vulnerability checks are supported by both the Scan Engine and the Insight Agent.

The following rules have been added for Rapid7 InsightIDR and Managed Detection and Response (MDR) customers:

  • Suspicious Web Request - Webshell Related To MOVEit Exploit
  • Suspicious Process - MOVEit Transfer Exploitation

There are two Velociraptor artifacts available, one for EVTX scoping and the other for detection.

InsightCloudSec customers can use the "Storage Account With Access Keys Not Rotated In Over 90 Days" Insight to identify access keys that need to be rotated. Customers can also identify related risk factors, such as resources that are publicly accessible, have encryption disabled, or have threat protection disabled. Custom filtering is available as well. Finally, InsightCloudSec enables mitigation through bot automation.

Updates

June 3, 2023: Specified the exploitation timeline and attacker behavior Rapid7 has observed so far, added MOVEit Transfer 2021.0.6 to the fixed versions list, and added more specific vulnerability details.

June 4, 2023: Updated to note that Rapid7 incident responders have identified a method to determine what data was exfiltrated from MOVEit customer environments and how much. Updated to note that MOVEit customers leveraging the Microsoft Azure integration should rotate their storage keys.

June 4, 2023: Updated guidance on obtaining file download data from MOVEit Transfer; we thank the Progress Software team.

June 5, 2023: MOVEit Cloud instances have been fully patched (Progress Software has asked us to note that cloud instances were patched on May 31, though their advisory did not incorporate guidance for MOVEit Cloud until June 4, per the changelog). Also added a link to the latest vendor update and noted the Microsoft attribution. Updated information on using InsightCloudSec to identify and mitigate risk related to unrotated access keys and unprotected resources.

June 6, 2023: Added a summary of the Cl0p gang's extortion demands and the deadline for contact. Added a link to CrowdStrike's guide on identifying exfiltrated data. Edited for brevity.

June 9, 2023: Updated to note that Progress Software has released new versions of MOVEit Transfer to fix a second vulnerability, whose CVE is still pending. Updated the Mitigation Guidance section to highlight the latest versions of MOVEit Transfer (patched for both CVEs) and to point readers to the advisory and overview page.

June 12, 2023: Added Rapid7's full technical analysis of the exploit chain for CVE-2023-34362. InsightVM and Nexpose customers can now also assess their exposure to CVE-2023-35036 with remote and authenticated vulnerability checks.

June 13, 2023: Updated to clarify that Rapid7 provides both remote and authenticated vulnerability checks for the MOVEit Transfer vulnerabilities (CVE-2023-34362, CVE-2023-35036) to InsightVM and Nexpose customers.

June 15, 2023: Updated to note that Progress has disclosed an additional vulnerability in MOVEit Transfer (CVE pending).

June 16, 2023: Added CVE-2023-35708 (third MOVEit Transfer vulnerability) information. The full list of latest fixed versions is still pending; please refer to Progress's advisory for the latest information. InsightVM and Nexpose customers can now assess their exposure to CVE-2023-35708 with authenticated and remote vulnerability checks in the June 16 content-only release.

July 7, 2023: Progress Software has disclosed three additional CVEs in MOVEit Transfer as of July 6, 2023. CVE-2023-36934 is a critical SQL injection vulnerability that could allow an unauthenticated attacker to gain access to the MOVEit Transfer database. CVE-2023-36932 is a critical SQL injection vulnerability that could allow an authenticated attacker to gain access to the MOVEit Transfer database. CVE-2023-36933 is an exception handling issue that could allow an attacker to crash the application. Fixed versions are available; mitigation directions and the latest versions are in Progress Software's advisory here.

InsightVM and Nexpose customers will be able to assess their exposure to all three CVEs with authenticated vulnerability checks expected in the July 7, 2023 content release.