For the last couple of weeks, I’ve been replaying the original Dead Space trilogy - for those of you who know me, I’m a sucker for horror. For those not familiar with Dead Space, it’s a survival horror video game from 2008, with two direct sequels that continue the story, one sequel that fits in between 1 and 2, and a remake that was released a couple of months ago. If you’re a horror and video game fan, I cannot recommend the series enough. They’re like playable movies! Anyway, the games revolve around Isaac Clarke, a space station engineer, who has the unfortunate task of trying to get a lost spaceship back online after the ship sends out a distress signal. Upon arrival, alien beings attack the crew and then start to reanimate said crew. In the game, they’re called Necromorphs, and they are TERRIFYING. Even after playing through a few times, I still jump at certain points because of how well the game is written. It’s AWESOME. But I digress.
Playing through these games again for the fourth or fifth time has made me think about how other things we keep thinking are dead keep coming back to life. Like vulnerabilities.
There have been several vulnerabilities that have come and gone over the years, but a couple keep popping up in new and different ways, wreaking havoc and making sysadmins’ lives a living hell. Let’s talk about one of the latest to come back and bite us: SQL injection, in this case within the MOVEit Transfer and MOVEit Cloud web application frontends.
According to Progress’ MOVEit site:
MOVEit provides secure collaboration and automated file transfers of sensitive data and advanced workflow automation capabilities without the need for scripting. Encryption and activity tracking enable compliance with regulations such as PCI, HIPAA and GDPR.
So, MOVEit Transfer uses file encryption, audit logs, and other security controls to provide these secure file transfers through a web application. Unfortunately, this is where the vulnerability lies.
SQL injection is one of the best-known and most frequently used web application attacks. Properly executed, it can extract data from a website’s backend database or worse. I’m not going to get into the intricacies of SQL injection here, as we have a couple of other blog posts that cover that (not to mention we go a little more in depth in our Professionally Evil Application Security course). With that being said, I do want to talk about how this particular vuln works and what can be done to stop it…not just the SQL injection, but also the mass exploitation of the vulnerability. As of this writing, several large organizations have been affected by it, including British Airways, the BBC, Canada’s Nova Scotia province, and payroll provider Zellis, among others.
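To make the root cause concrete, here is an added example (not code from the original post, and nothing to do with MOVEit’s actual code base) showing the difference between a query built by string concatenation and the same query parameterized. It uses an in-memory SQLite table with constructed sample rows; the tautology input is the textbook illustration of why the concatenated form fails.

```python
import sqlite3

# Constructed sample data: a tiny user table, not any real application's schema.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def build_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The anti-pattern: user input is spliced straight into the SQL text,
    so the input can change the structure of the query."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """The fix: the SQL text is fixed and the value travels separately,
    so the driver can never mistake data for query syntax."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups with a normal value and a tautology input."""
    conn = build_db()
    normal = "alice"
    tautology = "' OR '1'='1"  # classic textbook input: turns the WHERE clause into "always true"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),      # 1 row, as intended
        "vuln_hostile": lookup_vulnerable(conn, tautology),  # every row leaks
        "safe_normal": lookup_parameterized(conn, normal),   # 1 row, as intended
        "safe_hostile": lookup_parameterized(conn, tautology),  # no such user: 0 rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The parameterized version returns nothing for the hostile input because the database compares the column against the literal string `' OR '1'='1`; the concatenated version returns the whole table. The same principle applies whatever the database or language: keep the query text constant and bind values.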
According to the MOVEit vulnerability KB, the vulnerability could lead to escalated privileges and potential unauthorized access to the environment. Further research has revealed that the unauthenticated SQL injection was only the start - we have recently learned that the affected software has an even more critical flaw that can lead to full remote code execution (RCE). Huntress Labs reverse engineered the software, found the RCE, and has a pretty good write-up on their blog.
TL;DR - The SQL injection exploit appears to steal an admin session token, then API tokens, upload a file (potentially a webshell, often named human2.aspx, which is treated as an indicator of compromise [IOC]), and then prepare to execute the payload. Honestly, it’s pretty badass.
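Since the post calls out the human2.aspx filename as an IOC, here is an added example (my own defender-side sweep, not code from the original post or from Progress or Huntress) that hunts for it in two places: files on disk under a web root, and requests in access logs. The web root and the log lines are constructed inside the script; the simplified log layout (`date time client_ip method uri status`) is an assumption for the demo, so adjust the field indexes to your real log format.

```python
import os
import tempfile
from urllib.parse import urlsplit

IOC_FILENAME = "human2.aspx"  # webshell name cited as an indicator of compromise

# Constructed sample log lines in a simplified "date time client_ip method uri status"
# layout; these are not real MOVEit or IIS logs.
SAMPLE_LOG_LINES = [
    "2023-06-01 10:00:01 198.51.100.7 GET /index.html 200",
    "2023-06-01 10:00:09 198.51.100.7 POST /api/v1/token 200",
    "2023-06-01 10:00:15 198.51.100.7 GET /HUMAN2.aspx?x=1 200",
    "2023-06-01 10:01:22 192.0.2.14 GET /index.html 200",
    "not a log line at all",
]


def is_ioc_path(uri):
    """True if the last path segment of the URI is the IOC filename (case-insensitive,
    query string ignored, because IIS paths are case-insensitive)."""
    return os.path.basename(urlsplit(uri).path).lower() == IOC_FILENAME


def find_ioc_files(root):
    """Walk a directory tree and return every file whose name matches the IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == IOC_FILENAME:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def find_ioc_requests(lines):
    """Return (client_ip, uri) for each log line that requests the IOC path."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: skip it rather than abort the whole sweep
        client_ip, uri = fields[2], fields[4]
        if is_ioc_path(uri):
            hits.append((client_ip, uri))
    return hits


def demo():
    """Build a throwaway web root with the IOC planted in a subfolder, then sweep
    both the file system and the constructed log lines."""
    with tempfile.TemporaryDirectory() as root:
        wwwroot = os.path.join(root, "wwwroot")
        os.makedirs(os.path.join(wwwroot, "sub"))
        for rel in ("index.html", os.path.join("sub", "Human2.aspx")):
            with open(os.path.join(wwwroot, rel), "w") as fh:
                fh.write("<!-- constructed placeholder content -->")
        file_hits = [os.path.relpath(p, wwwroot) for p in find_ioc_files(wwwroot)]
    return {"files": file_hits, "requests": find_ioc_requests(SAMPLE_LOG_LINES)}


if __name__ == "__main__":
    result = demo()
    print("files on disk matching IOC:", result["files"])
    print("requests to IOC path:      ", result["requests"])
```

A filename match is a cheap first pass, not proof of compromise either way: a renamed webshell will not trip it, so treat a hit as a reason to pull the file and the surrounding log timeline, and treat a clean sweep as one data point among several.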
So, how can you protect yourself?
Well, first and most importantly, if you’re using this software, disable any available HTTP/HTTPS connections to the server and PATCH IT YESTERDAY. Even though the vulnerability is no longer considered a 0-day (Progress quickly released an update that patches the bug), it’s still being exploited in the wild. And believe you me, if Huntress was able to RE the software and find that RCE is available and reliable, cybercriminals have already figured that out too.
If you’re using MOVEit Cloud, your systems should already be patched.
My point is this - update your software. More information about the latest updates and patches for MOVEit Transfer can be found here - MOVEit Transfer Critical Vulnerability - 31 May 2023
Once the patch has been installed, take a look at whether MOVEit Transfer actually needs to be open to the public. Restricting access through firewalls and other controls is a good step toward preventing these types of attacks from the internet. If external access is not needed, ensure that all file-sharing access is internal. Use a VPN where possible - it may add overhead, but it can prevent headaches like this in the long run.
<shameless sales pitch>
Once that’s all complete, hire us to test it all out! I mean, we are security consultants. We do pentesting, reverse engineering, security assessments, and vulnerability management, and we’re good at what we do. Contact me at aaron.moss@secureideas.com or check out our Request a Quote form; we’d be glad to help out!
</shameless sales pitch>
Oh, one more thing - if you’re being chased by a Necromorph, find yourself a good Plasma Cutter…and get handy with it. ;)