APT28 Potentially Exploiting MOVEit Zero Day
June 1, 2023
The DeepSeas cyber threat intelligence crew has observed exploitation of a zero-day vulnerability in US-based Progress’s MOVEit Transfer managed file transfer software. Further investigation by DeepSeas has uncovered a possible overlap with infrastructure known to be operated by the Russian state-aligned advanced persistent threat group Fancy Bear (aka APT28). Whether this activity is the sole handiwork of Fancy Bear remains unknown at this point, as does the scope and scale of their activities. It is currently unknown whether this is a full-blown supply chain compromise of MOVEit or automated exploitation of an existing vulnerability; DeepSeas suspects the latter.
Attribution of this exploitation to APT28 is tentative at this point.
Review of public literature and discussion regarding this potential zero-day suggests that a previously unidentified vulnerability is being actively exploited by attackers intent on stealing proprietary information from various companies utilizing this software.
MOVEit Zero Day – Background
Discussion among information technology professionals in open sources suggests that active exploitation of this potential zero day began over the US Memorial Day weekend, and that large amounts of data were exfiltrated from the affected instances. Based on the notification from Progress, it is possible that exploitation of this vulnerability began as far back as 01 May 2023, though no specific dates were noted beyond file uploads to VirusTotal beginning on 28 May 2023. DeepSeas has observed active exploitation of this vulnerability, which Progress confirmed to be exploitation of a SQL injection zero-day vulnerability. Review of the submitters of samples related to this activity identified potential victims in the United States, Germany, India, Pakistan, Italy, and the United Kingdom, suggesting rapid, worldwide mass exploitation rather than targeted attacks, though additional investigation will be required to verify this.
MOVEit Zero Day – Technical Details
Progress MOVEit released the following notes in a critical vulnerability notification:
Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch.[i]
No technical details of the vulnerability were released by Progress, though a temporary preventative measure was offered:
Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. This will, for all intents and purposes, disable use of MOVEit save for a few specific use cases; only the SFTP and FTP protocols will remain in operation.
Progress also urged customers to look for creation of unexpected files in the c:\MOVEit Transfer\wwwroot\ folder on all MOVEit Transfer instances, including back-ups, as well as searching logs for unexpected and/or large file downloads.
MOVEit Zero Day – Detection Opportunities
Several potential indicators of compromise were noted by the community:
- Look for a file named human2.aspx in the wwwroot folder of the MOVEit install directory; this is potentially a web shell utilized by the attackers. The web shell code looks for an inbound request containing a header named X-siLock-Comment and will return a 404 “Not Found” error if the header was not populated with a specific password-like value.[ii] Other HTTP headers include X-siLock-Step[1-3].
- Other locations for artifacts of compromise may be present in the C:\Windows\Temp and \microsoft.net\Framework64\ folders: “A new DLL file starting with App_web_randomchars.dll. If you have two, the one from around the last week or so would be the ‘bad’ one under c:\windows\microsoft.net\framework64\v…\temporary asp.net files/root/RANDOMCHARS/RANDOMCHARS/ then a library. IF YOU HAVE TWO App_Web_randomchars.dll YOU’VE PROBABLY BEEN COMPROMISED. There should only be one.”[iii]
- The presence of action=m2 in IIS logs; a POST to an .aspx page carrying this parameter suggests that the m2 command activates human2.aspx. Investigators should verify that data is posted to human2.aspx and not human.aspx, which is a legitimate component of MOVEit.
- Search within the MOVEit database for user Health Check Service, as well as any active sessions for this user.[iv]
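The two IIS-log indicators above, run over a constructed log excerpt. This is an added example, not code from DeepSeas or Progress; the sample lines, the field layout and the /example_endpoint.aspx path are invented for illustration.

```python
# Constructed IIS W3C extended log excerpt (made up for this example, not from a real
# incident). MOVEit Transfer runs on IIS, which writes this #Fields-directed format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-05-28 03:14:01 GET /human.aspx - 443 203.0.113.7 200
2023-05-28 03:14:09 POST /human.aspx action=m2 443 203.0.113.7 200
2023-05-28 03:15:22 POST /human2.aspx - 443 198.51.100.23 200
2023-05-28 03:15:30 GET /human2.aspx - 443 198.51.100.23 404
2023-05-28 03:16:02 POST /example_endpoint.aspx action=m2 443 198.51.100.23 200
"""


def parse_iis_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_indicators(text):
    """Return [(record, reason)] for the two IIS-log indicators listed above."""
    hits = []
    for rec in parse_iis_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        params = rec.get("cs-uri-query", "").lower().split("&")
        if stem.endswith("/human2.aspx"):
            # Any request to human2.aspx is suspect; a 404 is consistent with the shell
            # rejecting a request that lacks the expected X-siLock-Comment header.
            hits.append((rec, "request to human2.aspx"))
        elif rec.get("cs-method") == "POST" and "action=m2" in params \
                and not stem.endswith("/human.aspx"):
            # action=m2 is normal when posted to human.aspx, the legitimate page;
            # the same command aimed anywhere else deserves a closer look.
            hits.append((rec, "action=m2 posted outside human.aspx"))
    return hits


def suspicious_sources(text):
    """Client IPs behind any hit, for pivoting into firewall and MOVEit session logs."""
    return sorted({rec["c-ip"] for rec, _ in find_indicators(text)})


if __name__ == "__main__":
    for rec, why in find_indicators(SAMPLE_LOG):
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-method']} {rec['cs-uri-stem']}: {why}")
```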
Indicators of Compromise
The following are the available indicators of compromise DeepSeas has observed in relation to this incident, from both public and internal sources: