Active Malware Campaign - MOVEit Transfer - CVE-2023-35708

We have seen news reports of active, widespread attacks exploiting the MOVEit Transfer server application. We want to ensure our customers are aware of the attacks described at https://techcrunch.com/2023/06/15/moveit-clop-mass-hacks-banks-universities/ and the associated vendor bulletins at https://www.progress.com/security/moveit-transfer-and-moveit-cloud-vulnerability

While BigFix does not currently offer patch coverage on this product, you should be able to identify whether your systems could be affected by checking for ‘MOVEit Transfer’ in the following product areas:

  • BigFix Inventory, using the “Package Data” report
  • The “Application Information (Windows)” Analysis in the “BES Inventory and License” site from the Console, and the associated Web Reports
  • We added this to the Known Exploited Vulnerabilities Content Pack as well, with a fixlet to specifically audit systems for these vulnerabilities.
    • This vulnerability is reported in the CyberFOCUS Web Report if you have the KEV Content Pack. It also appears in CVE Search Dashboard.
  • As of 6/16/2023 we have published 2 detection fixlets in Updates for Windows Applications

This relates to the following CVEs:


The way to silently install it is here: https://community.progress.com/s/article/Silent-Install-Guide

If someone has an example response file but with their license info / specifics redacted, that would be helpful.

The download to upgrade it can be found here: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-CVE-2023-35036-June-9-2023

Prefetch for it:

prefetch MOVEit-Transfer-FullInstall.exe sha1:c2f1df684f1dd50f16da02725946183270ed5aaa size:357127104 https://cdn.ipswitch.com/ft/MOVEit/Transfer/2023/2023.0.2/MOVEit-Transfer-2023.0.2-FullInstall.exe sha256:ca48b55254f58c98c8b635a7992f9872825a5185d1d248f80b93f13b9848f45d

It seems to report itself as version “15.0.2.49” even though in the download URL it is “2023.0.2”. Can anyone confirm how it reports in the Windows registry uninstall key in terms of DisplayName and DisplayVersion?

Would be helpful to share results from the following session relevance:

unique values whose(it as lowercase contains "moveit") of values of results of bes properties whose(name of it as lowercase contains "Installed Applications - Windows" as lowercase)

Seems like the DisplayName contains MOVEit Transfer

I think this is the correct relevance for detection of CVE-2023-35036:

exists (it as string as version) whose( (it = "15" AND it < "15.0.2") OR (it = "14.1" AND it < "14.1.6") OR (it = "14.0" AND it < "14.0.5") OR (it = "13.1" AND it < "13.1.5") OR (it = "13.0" AND it < "13.0.7") OR (it = "12.1" AND it < "12.1.9") OR (it < "12.1") ) of values "DisplayVersion" of keys whose(value "DisplayName" of it as string as lowercase contains "MOVEit Transfer" as lowercase) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)

The new CVE published today would be detected with:

exists (it as string as version) whose( (it = "15" AND it < "15.0.3") OR (it = "14.1" AND it < "14.1.7") OR (it = "14.0" AND it < "14.0.6") OR (it = "13.1" AND it < "13.1.6") OR (it = "13.0" AND it < "13.0.8") OR (it = "12.1" AND it < "12.1.10") OR (it < "12.1") ) of values "DisplayVersion" of keys whose(value "DisplayName" of it as string as lowercase contains "MOVEit Transfer" as lowercase) of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries; x32 registries)
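As an added illustration (not code from the thread or from the BigFix content), here is the same branch-by-branch check in Python, so the logic of the two relevance expressions can be tested against sample DisplayVersion values offline. It mirrors the relevance semantics in which a short version like "15" matches any version beginning with 15, so "15.0.2.49" is treated as branch 15; the fixed-build tables are taken from the two relevance expressions above, and the sample uninstall entries are constructed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum fixed build per release branch, copied from the two relevance
# expressions above. Anything older than 12.1 is unpatched in both cases.
FIXED_CVE_2023_35036: Dict[Version, Version] = {
    (15,): (15, 0, 2), (14, 1): (14, 1, 6), (14, 0): (14, 0, 5),
    (13, 1): (13, 1, 5), (13, 0): (13, 0, 7), (12, 1): (12, 1, 9),
}
FIXED_CVE_2023_35708: Dict[Version, Version] = {
    (15,): (15, 0, 3), (14, 1): (14, 1, 7), (14, 0): (14, 0, 6),
    (13, 1): (13, 1, 6), (13, 0): (13, 0, 8), (12, 1): (12, 1, 10),
}


def parse_version(text: str) -> Version:
    """Turn a DisplayVersion string such as '15.0.2.49' into an int tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def on_branch(version: Version, branch: Version) -> bool:
    """Relevance-style prefix equality: "15.0.2.49" = "15" is true."""
    return version[: len(branch)] == branch


def is_vulnerable(display_version: str,
                  fixed: Dict[Version, Version] = FIXED_CVE_2023_35708) -> bool:
    """True when DisplayVersion is below the fixed build for its branch."""
    v = parse_version(display_version)
    for branch, fix in fixed.items():
        if on_branch(v, branch):
            return v < fix          # tuple comparison is numeric per component
    return v < (12, 1)              # the trailing (it < "12.1") clause


def affected_entries(entries: List[Tuple[str, str]],
                     fixed: Dict[Version, Version] = FIXED_CVE_2023_35708):
    """Filter (DisplayName, DisplayVersion) pairs the way the relevance's
    keys whose(...) clause does. The name match is case-insensitive, which is
    the point of the 'as lowercase' correction discussed in the thread."""
    return [(name, ver) for name, ver in entries
            if "moveit transfer" in name.lower() and is_vulnerable(ver, fixed)]


if __name__ == "__main__":
    # Constructed sample of uninstall-key entries, not real registry data.
    sample = [("MOVEit Transfer", "15.0.2.49"), ("MOVEIT TRANSFER", "15.0.3.0"),
              ("MOVEit Automation", "12.0.1"), ("MOVEit Transfer", "11.5.0")]
    print(affected_entries(sample))
```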

You may want to update the code to:

... contains "MOVEit Transfer" as lowercase

Now Corrected… :slight_smile:


lol, yep. I just caught that.

This fixlet for detecting this vulnerability is published in Updates For Windows Applications now: https://github.com/jgstew/bigfix-content/blob/main/fixlet/MOVEit%20Transfer%20Vulerability%20CVE-2023-35036%20Detected!%20-%20Windows.bes

See the announcement here: Content Modification: Updates for Windows Applications published 2023-06-16


This preliminary fixlet for remediation is NOT planned to be published because it has problems, as it seems to require embedding admin creds in order to silently install: https://github.com/jgstew/bigfix-content/blob/main/fixlet/Update_%20MOVEit%20Transfer%20v15.0.2.49%20-%20Windows%20(x64)%20-%20BETA.bes

We would recommend quarantining affected systems and remediation by hand.


This is the newest detection fixlet for the newest CVE that was assigned TODAY!

I would expect this to be added to Updates for Windows Applications soon.

Also, apparently I can’t spell (this was not a surprise to me), so spelling mistakes will also be corrected in an upcoming publish.

Also, it seems I was missing `as lowercase` in the fixlets, which @itsmpro92 pointed out, but it seems I forgot to update the fixlet itself to reflect that, even though I updated the forum post. The GitHub copies have been fixed; the currently published fixlet needs to be fixed as well.

If you have grabbed a copy from GitHub make sure you grab it again to get the fixes.


The fixlet has been added under Updates for Windows Application with the below relevance.


The relevance is incorrect and is being fixed in the next hour or so, plus a new fixlet for the new CVE being published at the same time.

You could make a custom copy and add the above, but you could also just wait a bit.

UPDATE: new content published

YARA Scan Available (BETA)

I’ve created a Task and Analysis to perform a YARA scan for known Indicators-of-Compromise (IoC) based on known attacks exploiting the MOVEit vulnerabilities. This is Community Content, not officially supported BigFix content, and is provided as-is. See Log4j Vulnerability Identification and 3rd Party Remediation Solution Testing Statement

If you think this may be useful, refer to the following link to my GitHub to find a Scan Task and an Analysis to process the results. Depending on feedback, if you find this useful we may consider adding to our content library.

The Task will download YARA (for Windows 64-bit), configure a Signature (thanks to Florian Roth, https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/?utm_content=251159938&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306 ), execute a scan, and save results to `C:\Program Files (x86)\BigFix Enterprise\BES Client\yara\results`

The associated Analysis from the GitHub repo will retrieve the results of the scan. Expected false positives are ignored and not reported in the Analysis. (It is normal for the raw scan results to have false positives based on YARA signatures matching against themselves, i.e. matching the actual signature file, the script that generates the signature file in the action.fxf file, and references to the signature in ActionHistory.db.)
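As an added example (not the Analysis from the GitHub repo), the following Python shows the kind of filtering the post describes: parsing YARA's default `rule_name path` output lines and dropping the self-matches on the signature file, the action script and ActionHistory.db. The rule name, the signature file name `moveit.yar` and the sample result lines are constructed for the example.

```python
from typing import List, Tuple

# File names whose matches are expected self-references of the scan itself,
# per the thread: the signature file (name assumed here), the action script
# that writes it, and the client's ActionHistory.db. Compared case-insensitively.
EXPECTED_SELF_MATCH_FILES = {"moveit.yar", "action.fxf", "actionhistory.db"}


def parse_yara_line(line: str) -> Tuple[str, str]:
    """YARA prints one 'rule_name path' line per match. Windows paths can
    contain spaces, so split on the first space only."""
    rule, _, path = line.strip().partition(" ")
    return rule, path


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def real_hits(raw_results: str) -> List[Tuple[str, str]]:
    """Return (rule, path) matches that are not known self-references."""
    hits = []
    for line in raw_results.splitlines():
        if not line.strip():
            continue
        rule, path = parse_yara_line(line)
        if basename(path).lower() in EXPECTED_SELF_MATCH_FILES:
            continue                      # expected false positive, ignore
        hits.append((rule, path))
    return hits


# Constructed sample of raw scan output; rule name and paths are not real IoCs.
SAMPLE_RESULTS = r"""
MOVEit_Example_Rule C:\Program Files (x86)\BigFix Enterprise\BES Client\yara\moveit.yar
MOVEit_Example_Rule C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\actionsite\action.fxf
MOVEit_Example_Rule C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\ActionHistory.db
MOVEit_Example_Rule C:\MOVEitTransfer\wwwroot\example_suspect.aspx
"""

if __name__ == "__main__":
    for rule, path in real_hits(SAMPLE_RESULTS):
        print(f"{rule}\t{path}")
```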

Be aware that the scan is executed with no throttling, and by default scans against all local hard drives. This particular YARA scan should be targeted only to those machines that actually have MOVEit installed, and when scanning multiple systems be sure to stagger the scans over time, especially for scanning across VMs or systems with shared storage.

For help on actually downloading the files from GitHub, see Tips: Downloading files from GitHub
Once downloaded, these can be added to a Custom Site using the ‘File->Import’ function in the BigFix Console.


Attention BigFix’ers, we’re hosting a live Webinar to discuss our response. Starts in 20 minutes, see 20-June Webinar: Address the MOVEit Vulnerability with BigFix for registration details (and playback the recordings later)


I created a fixlet to block HTTP and HTTPS incoming traffic on port 80 and port 443 if MOVEit Transfer is installed, which is one of the first mitigation strategies to take. See here:

I also updated the fixlet referenced above to download the installer for the newest version of MOVEit
