Alert essentials:
A SQL Injection vulnerability allows the elevation of privileges and unauthorized access to MOVEit databases. Researchers are seeing mass exploitation of the vulnerability, resulting in extortion, data theft, and victim sharing. Patches and mitigations are available.


Detailed threat description:
Fortified Health Security VTM clients can search for these vulnerabilities using Nessus Professional Plugin ID 176567 in the dashboard:

  • Because this vulnerability was only recently disclosed, results may not appear until your next scan completes. Please consult with our VTM team to understand your risks.
  • A SQL Injection has been discovered in the Progress MOVEit Transfer application.
  • Patches are available for all supported MOVEit Transfer versions.
  • A backdoor uploaded during the attack, human2.aspx, allows attackers to download any file within MOVEit and to obtain active sessions that bypass credential checks. The flaw could allow an unauthenticated attacker to gain unauthorized access to MOVEit databases.
  • Mitigations are also available and include:
    • Delete any instances of the human2.aspx and .cmdline script files
    • Disable all HTTP/HTTPS traffic to the MOVEit Transfer environment
    • Delete any unauthorized files and accounts
    • Reset service account credentials for affected systems and the MOVEit service account

Impact on healthcare organizations
Secure, efficient movement of files in a healthcare organization accelerates the delivery of patient care. However, file transfer applications greatly increase an attack surface in a network. Vulnerabilities in these applications can have varied effects, up to the loss of the entire network. Removing accessibility to technology can have devastating impacts on patient diagnosis and treatment.

Affected products / versions

  • Progress MOVEit Transfer versions before:
    • (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1)
  • Unaffected Products are:
    • MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely.
    • Currently, no action is necessary for the above-mentioned products.
  • CVE
    • CVE-2023-34362

Recommendations

Engineering recommendations:

  • Consider isolating network connectivity from the MOVEit environment. At a minimum, ensure that external access is restricted.
  • Look for any new MOVEit Transfer files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline.
  • Likewise, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
  • Apply patches or mitigations to MOVEit environments.
  • Examine the C:\MOVEitTransfer\wwwroot folder for any suspicious files created recently, such as human2.aspx or App_Web_[RANDOM].dll files with the same or similar timestamps.
  • Retain a copy of all IIS logs and network data volume logs.
  • Review accesses and privileges to ensure these resources are only available to users who have a legitimate business need.
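One way to automate the file-system checks in the engineering recommendations above on a MOVEit Transfer host, as an added example that is not part of this advisory or of any Progress tooling: a PowerShell hunt script. The install path C:\MOVEitTransfer\wwwroot, the %SystemRoot%\TEMP location and the human2.aspx, .cmdline and App_Web_[RANDOM].dll names come from the advisory; the 30-day lookback, the 2-minute timestamp window and the parameter names are my assumptions.

```powershell
# Added example (not from the advisory): hunt a MOVEit Transfer host for the
# artifacts described in the engineering recommendations. Run as Administrator.
# Assumptions: default install path (from the advisory), 30-day lookback,
# 2-minute window for "same or similar timestamps".
param(
    [int]$LookbackDays = 30,
    [string]$WwwRoot  = 'C:\MOVEitTransfer\wwwroot',
    [string]$TempRoot = "$env:SystemRoot\TEMP"
)

$since    = (Get-Date).AddDays(-$LookbackDays)
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Indicator, [System.IO.FileInfo]$File) {
    $findings.Add([pscustomobject]@{
        Indicator = $Indicator; Path = $File.FullName; Created = $File.CreationTime })
}

# 1. Known web shell name anywhere under wwwroot (any age)
foreach ($f in Get-ChildItem -Path $WwwRoot -Recurse -File -Filter 'human2.aspx' -ErrorAction SilentlyContinue) {
    Add-Finding 'human2.aspx web shell' $f
}

# 2. .cmdline scripts under %SystemRoot%\TEMP\<random>\ created in the lookback window
foreach ($f in Get-ChildItem -Path $TempRoot -Recurse -File -Filter '*.cmdline' -ErrorAction SilentlyContinue) {
    if ($f.CreationTime -ge $since) { Add-Finding '.cmdline script in TEMP' $f }
}

# 3. Any file newly created under wwwroot in the lookback window
$recent = Get-ChildItem -Path $WwwRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since }
foreach ($f in $recent) { Add-Finding 'recent file in wwwroot' $f }

# 4. App_Web_*.dll whose creation time sits within 2 minutes of a human2.aspx creation
$shellTimes = $findings | Where-Object Indicator -eq 'human2.aspx web shell' | ForEach-Object Created
foreach ($dll in Get-ChildItem -Path $WwwRoot -Recurse -File -Filter 'App_Web_*.dll' -ErrorAction SilentlyContinue) {
    foreach ($t in $shellTimes) {
        if ([math]::Abs(($dll.CreationTime - $t).TotalMinutes) -le 2) {
            Add-Finding 'App_Web dll near shell timestamp' $dll
        }
    }
}

# Report. A non-zero exit code lets a scheduled task or EDR script alert on hits.
if ($findings.Count -eq 0) {
    Write-Output "No CVE-2023-34362 artifacts found (lookback $LookbackDays days)."
    exit 0
}
$findings | Sort-Object Created | Format-Table -AutoSize
exit 1
```

Any hit should be treated as a trigger for the IIS log retention and account review steps above rather than cleaned up in place, so the evidence survives for the investigation.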

Leadership / program recommendations:

  • Direct teams to search for indicators of unauthorized access over at least the last 30 days.
  • Request that logs be reviewed for any unexpected downloads of files from unknown IPs, or for any large number of files that have been downloaded.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
