Zero-Day Vulnerability in MOVEit

I. Targeted Entities

  • MOVEit Customers

II. Introduction

A critical SQL injection vulnerability has been discovered in MOVEit, a managed file transfer software. Exploiting this flaw, remote attackers gained unauthorized access to the database, enabling them to execute arbitrary code.

III. Additional Background Information

The Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert about active exploitation of a SQL injection vulnerability in the MOVEit Transfer web application, CVE-2023-34362. The flaw could allow an unauthenticated attacker to gain access to MOVEit Transfer’s database. According to Progress, the vendor, an attacker may be able to infer information about the structure and contents of the database and execute SQL queries that alter or delete data, depending on the database engine in use, such as MySQL or Azure SQL (Progress). All versions of MOVEit Transfer are affected by this vulnerability (Pernet), and exploitation of a MOVEit Transfer environment can occur over HTTP or HTTPS.

An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable MOVEit Transfer instance (Tenable). On compromised systems, unauthorized access may appear as unexpected file creation in the MOVEit Transfer root folder C:\MOVEit Transfer\wwwroot, or as traffic resembling exfiltration, such as unexpectedly large file downloads and uploads (Kroll) from unknown IP addresses (Pernet).

The threat actors deployed a LEMURLOOT web shell named human2.aspx in the wwwroot folder of the MOVEit installation directory. The file name was probably chosen to blend in, since a legitimate component of the software, human.aspx, is used by MOVEit for its web interface. Access to the web shell is password protected; attempts to connect without the correct password cause the malicious code to return a 404 Not Found error (Pernet).

LEMURLOOT is written in C# and is designed to interact with the MOVEit Transfer environment. The web shell authenticates incoming connections using a hard-coded password; once authenticated, it can run multiple commands and scripts supplied in the X-siLock-Step1, X-siLock-Step2 and X-siLock-Step3 header fields to download sensitive files from the MOVEit Transfer database, extract Azure system settings, retrieve detailed record information, create and insert a particular user, or delete that same user. Data returned to the client interacting with the LEMURLOOT web shell is gzip compressed (Mandiant).

The vulnerability is known to affect all versions of the MOVEit Transfer product, with the earliest known exploitation dating to May 27, 2023 (Mandiant). Patches are available for all release years of the MOVEit Transfer product. Currently, other MOVEit products, such as MOVEit Automation, Client, Mobile and Gateway, are not susceptible to this vulnerability and do not require immediate action (Progress).

IV. MITRE ATT&CK

  • T1190 – Exploit Public-Facing Application
    Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet-accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion.
  • T1059.001 – Command and Scripting Interpreter: PowerShell
    Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
  • T1059.003 – Server Software Component: Web Shell
    Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.
  • T1210 – Exploitation of Remote Services
    Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel privileges to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through Network Service Discovery or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

V. Recommendations

  • Disable HTTP and HTTPS traffic to the MOVEit Transfer environment.
  • Check for indicators of unauthorized access over the last 30 days.
  • Apply patches as they become available.
  • Kroll advises MOVEit administrators to look in the “C:\MOVEit Transfer\wwwroot” directory for suspicious .aspx files such as “human2.aspx” or “machine2.aspx”.
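A defender-side check for the file-system and log indicators described above, written as an added example that is not part of this advisory or of any vendor tooling: it walks a wwwroot for .aspx files that carry the names called out by Kroll or are missing from a known-good baseline, and flags IIS log requests for such pages. The baseline set, the directory contents and the log lines are constructed assumptions.

```python
"""Hunt for unexpected .aspx files under a MOVEit Transfer wwwroot and for IIS
requests that reach them.  Added example, not code from the advisory or from
Progress/Kroll; the directory contents and log lines are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Names the advisory calls out as suspicious; human.aspx is the legitimate page.
KNOWN_BAD_NAMES = {"human2.aspx", "machine2.aspx"}


def sha256_of(path: Path) -> str:
    """Hash the file so a finding can be compared with published IoCs."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspicious_aspx(wwwroot, baseline):
    """Return (relative_path, reason, sha256) for every .aspx under wwwroot that
    either carries a known web-shell name or is absent from the known-good
    baseline (a set of relative paths taken from a clean install)."""
    root = Path(wwwroot)
    findings = []
    for path in sorted(root.rglob("*.aspx")):
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in KNOWN_BAD_NAMES:
            findings.append((rel, "known web shell name", sha256_of(path)))
        elif rel not in baseline:
            findings.append((rel, "not in baseline", sha256_of(path)))
    return findings


def flag_log_requests(iis_lines, baseline):
    """Parse W3C-format IIS log lines and flag requests for .aspx pages that
    are not in the baseline.  A 404 is not evidence of a miss: the advisory
    notes the web shell itself answers 404 when the password is wrong, so
    those requests are kept."""
    fields, hits = None, []
    for line in iis_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().endswith(".aspx") and stem.lstrip("/") not in baseline:
            hits.append((rec.get("c-ip"), rec.get("cs-method"), stem, rec.get("sc-status")))
    return hits


def demo():
    """Constructed wwwroot with the legitimate page and a look-alike, plus
    constructed log lines (documentation-range IPs); returns both result lists."""
    wwwroot = Path(tempfile.mkdtemp())
    (wwwroot / "human.aspx").write_text('<%@ Page Language="C#" %>')
    (wwwroot / "human2.aspx").write_text('<%@ Page Language="C#" %>')
    baseline = {"human.aspx"}  # assumed known-good set for this constructed tree
    logs = [
        "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
        "2023-05-28 03:12:01 198.51.100.7 POST /human2.aspx 404",
        "2023-05-28 03:12:09 198.51.100.7 POST /human2.aspx 200",
        "2023-05-28 03:13:00 203.0.113.5 GET /human.aspx 200",
    ]
    return find_suspicious_aspx(wwwroot, baseline), flag_log_requests(logs, baseline)


if __name__ == "__main__":
    for result in demo():
        for finding in result:
            print(finding)
```

On a real host, point find_suspicious_aspx at the actual wwwroot and build the baseline from a clean install of the same release rather than from the suspect machine.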

VI. IOCs (Indicators of Compromise)

VII. Additional OSINT Information

VIII. References

Kroll. (2023, June 7). Critical MOVEit Transfer Vulnerability (CVE-2023-34362).
https://www.kroll.com/en/insights/publications/cyber/responding-critical-moveit-transfer-vulnerability-cve-2023-34362

Mandiant. (2023, June 2). Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft.
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft

Pernet, C. (2023, June 6). Zero-day MOVEit Transfer vulnerability exploited in the wild, heavily targeting North America. TechRepublic.
https://www.techrepublic.com/article/zero-day-moveit-vulnerability/

Tenable®. (2023, June 2). CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild.
https://www.tenable.com/blog/cve-2023-34362-moveit-transfer-critical-zero-day-vulnerability-exploited-in-the-wild

Progress Customer Community. (2023, June 16). Community.progress.com.
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: EJ Bulut, Benjamin Price, Erika Delvalle, Nahyan Jamil, and Alessandro Lovadina

June 23, 2023

James “Jim” Aldrich

Jim joined the Center in July 2022 after serving over 50 years in the Intelligence Community (IC) in a variety of positions focused on Signals Intelligence (SIGINT) and Cyber Security missions as well as associated Education & Training. He is a retired Marine Corps Intelligence Officer and an Arabic linguist, who served 28 years in a wide range of assignments within the U.S. and at overseas locations. After retiring in 1998, he worked for the Aerospace Corporation supporting the National Reconnaissance Office from 1998 to 2002 and then became a National Security Agency (NSA) employee for 20 years, the last 18 of them as a member of the Senior Executive Service (SES). He held several positions spanning the agency’s SIGINT and Cyber Security missions: NSA Representative to U.S. Special Operations Command, NSA Representative to U.S. Transportation Command and NSA Representative (forward deployed) in the U.S. Central Command area of responsibility. In these roles he evaluated the customers’ requirements and ensured agency resources were applied where possible. From 2004 to 2010, Jim served as the senior NSA official in Operations at the agency’s facility at Fort Gordon, Georgia, focused largely on support to USSOCOM, USCENTCOM, and JSOC. Based on his breadth of experience, and previous work as both an Instructor and Course Director, he was selected to serve as the Deputy Commandant of NSA’s National Cryptologic University, responsible for orchestrating Education & Training for over 40,000 civilians and military members working with the agency. In his last assignment at NSA his office provided strategic planning support to the NSA Board of Directors and several large NSA organizations located both in the U.S. and overseas. Jim is a graduate of Texas A&M (BA in International Relations) and the U.S. Naval War College (MA in National Security & Strategic Studies) and has also completed several Senior Executive level leadership courses sponsored by the IC and DoD.
He has been married to his wife Marilyn since 1973. Jim & Marilyn both grew up in southeastern Illinois farm country. They live near Center Hill Florida on a 14-acre horse farm. They have three adult children, ten grandchildren and a growing number of great grandchildren.

June 22, 2023

Cyber Safety Tips for Travel

Technology is a modern-day traveler’s best friend. It can make the trip-planning process more convenient and cost-effective: booking accommodations and flights, researching must-see spots, and financial planning can all be done with a connection to the internet and a Google search. And for most of us, it doesn’t stop once we’re actually on vacation – we still use our devices to share pictures, navigate, and stay connected to the world back home.

While cyber and technology can be great for enhancing travel, there are also risks associated with planning your travel online. Cyber travel scams such as fake websites and juice jacking are becoming increasingly common, which is why it’s essential to consider your assets in the digital world before heading off to explore the physical one.

As you prepare to embark on your next adventure, consider the following tips from the National Cybersecurity Association and the Cybercrime Support Network to help you remain protected against cyber travel scams and ensure that your biggest worries this summer are high humidity levels and reapplying SPF.

Common Cyber Travel Scams

Fake Websites

There are dozens of online sites claiming to offer the best travel deals and packages. A good rule to remember in this instance is: if it seems too good to be true, it probably is. Scammers create fake travel booking websites that look like legitimate ones, but are designed to steal your money and personal information. They might offer attractive deals on flights, hotels, and vacation packages, but when you make a payment, your money goes straight into the scammers’ pockets.

Wi-Fi Hotspot Scams

Scammers set up fake Wi-Fi hotspots in public places like airports, cafes and hotels. These fake hotspots often have legitimate-sounding names—such as “Free Airport Wi-Fi” or “Hotel Guest Wi-Fi”— but they are designed to steal your personal information. Once you connect to the fake Wi-Fi network, the scammers can intercept your internet traffic and gain access to your sensitive information—such as passwords, credit card numbers and other personal data.

Prize Scams

Prize scams involve scammers contacting you to say that you’ve won a free vacation, cruise or other travel prize. However, in order to claim your prize, you have to pay for taxes, fees or other expenses upfront. Once you pay, the scammers disappear, and you never receive your prize.

Vacation Rental Scams

Vacation rental scams involve scammers listing fake vacation rentals on legitimate websites like Airbnb, HomeAway and VRBO. These scammers often offer attractive rental rates and photos of beautiful properties, but once you make a payment and show up, you find out that the property doesn’t exist, isn’t available for rent, or isn’t as described.

Juice Jacking

Public charging stations allow travelers to charge their devices. However, hackers can modify these charging stations to install malware onto connected devices, which can then steal personal data such as passwords, credit card numbers, and other sensitive information. In some cases, the malware can even lock the device and demand a ransom to release it.

Security Checklist for Traveling

Before you go
  • Travel lightly. Limit the number of devices you take with you on your trip. The more laptops, tablets and smartphones you take with you, the more risk you open yourself up to.
  • Check your settings. Check the privacy and security settings on web services and apps. Set limits on how and with whom you share information. You might want to change some features, like location tracking, when you are away from home.
  • Set up the “find my phone” feature. Not only will this feature allow you to locate your phone, it gives you the power to remotely wipe data or disable the device if it gets into the wrong hands.
  • Password protect your devices. Set your devices to require the use of a PIN, passcode or extra security feature (like a fingerprint or facial scan). This will keep your phone, tablet or laptop locked if it is misplaced or stolen.
  • Update your software. Before hitting the road, ensure all the security features and software on your devices are up to date. Keep them updated during your travels by turning on “automatic updates” if you’re prone to forgetting. Updates often include tweaks that protect you against the latest cybersecurity concerns.
  • Back up files. If you haven’t backed up the data on your devices, like photos, documents or other files, do so before heading on vacation. If your device is lost, stolen, broken or you otherwise lose access to it, you won’t lose all your data. You can back up your data on the cloud, on an external device like a hard drive or, preferably, both.
On the go
  • Actively manage location services. Location tools come in handy while navigating a new place, but they can also expose your location ‒ even through photos. Turn off location services when not in use, and consider limiting how you share your location on social media.
  • Use secure Wi-Fi. Do not transmit personal info or make purchases on unsecured or public Wi-Fi networks. Don’t access key accounts like email or banking on public Wi-Fi. Instead, use a virtual private network (VPN) or your phone as a personal hotspot to browse more securely.
  • Think before you post. Think twice before posting pictures that indicate you are away. Wait until you get back to share your magical memories with the whole internet. You might not want everyone to know you aren’t at home.
  • Protect physical devices. Ensure your devices are always with you while traveling. If you are staying in a hotel, lock them in a safe if possible. If a safe is not available, lock them in your luggage. Don’t leave devices unattended or hand them over to strangers. Using your device at an airport or cafe? Don’t leave it unattended with a stranger while you go to the restroom or order another latte.
  • Stop auto-connecting. When away from home, disable remote connectivity and Bluetooth. Some devices will automatically seek and connect to available wireless networks. Bluetooth enables your device to connect wirelessly with other devices, such as headphones or automobile infotainment systems. Disable these features so that you only connect to wireless and Bluetooth networks when you want to. If you do not need them, switch them off. While out and about, these features can provide roving cybercriminals access to your devices.
  • If you share computers, don’t share information. Avoid public computers in hotel lobbies and internet cafes, especially for making online purchases or accessing your accounts. If you must use a public computer, keep your activities as generic and anonymous as possible. Avoid inputting credit card information or accessing financial accounts. If you do log into accounts, such as email, always click “logout” when you are finished. Simply closing the browser does not log you out of accounts.

More Resources

Information retrieved from the National Cybersecurity Association and the Cybercrime Support Network.

June 21, 2023

Nick Biasini – Threat researcher at Cisco Talos and a veteran of the highest profile cyber incidents who roasts his own coffee beans

June 20, 2023

HCC 2023 Cybersecurity Summer Camp

In collaboration with the Florida Department of Education, the Florida Center for Cybersecurity (Cyber Florida), and the University of South Florida, Hillsborough Community College is running its first-ever FREE Cybersecurity Summer Camp! This camp is being offered to all Hillsborough County high school students in grades 9 through 12. Come join us for a summer of fun and learning!

Have fun and learn all about cybersecurity from the faculty and staff of HCC’s Computer Science Department. No previous knowledge is required; just come with a passion for learning and an interest in meeting and collaborating with like-minded peers. This camp will focus on topics such as digital footprint and open-source intelligence, networking, digital forensics, and more.

Students who attend all scheduled meetings will take home their very own Raspberry Pi 4!

June 13, 2023

Tony Urbanovich

Anthony (Tony) Urbanovich is CEO of Cyber Insight and a Cyber Florida Senior Fellow. He is a senior strategy and technology executive with over 25 years’ experience in the commercial and government sectors. His broad experience includes enterprise cybersecurity program design and implementation (national, sector, and enterprise); governance, risk, and compliance (design, development, and implementation); cybersecurity operations (threat management, data protection, network security management, application security management, vulnerability and configuration management); and cybersecurity incident response (national, sector, and enterprise). He is a trusted advisor to senior executives and boards in the financial services, technology, and international sectors.

Mr. Urbanovich previously served as the Chief Technology Officer at the Florida Center for Cybersecurity (Cyber Florida), where he was responsible for the Center’s technology platforms encompassing the 12 institutions of higher learning comprising the State University System of Florida. As the Chief Operating Officer at CyberGRX, he co-developed a third-party risk assessment as a service platform. As Vice President of Security Assurance at American Express, he developed and implemented enterprise-wide information security risk reduction programs designed to prevent and reduce information security risk. As a Director / Principal on the Commercial Cyber Team at Booz Allen Hamilton, Mr. Urbanovich managed teams building and delivering capabilities for threat intelligence, cyber incident response, governance, risk, and compliance. As Vice President of Privacy, Ethics, and Compliance at ChoicePoint (now LexisNexis), he was hired to co-lead an organizational transformation for the data privacy, compliance, and auditing program following a major data breach.

Mr. Urbanovich is a veteran of the U.S. Air Force. He holds a B.A. from the University of Maryland University College as well as CISSP, CISM and CIPP/US certifications. In addition, he is a CMMC Registered Professional and a member of both Tampa Bay InfraGard and the Private Directors Association. (Visit CMMCAB.com to validate.)

June 5, 2023

Stacy Arruda

After retiring from the Federal Bureau of Investigation in 2018, Stacy founded the Arruda Group. She hopes to leverage her 22 years of experience to help businesses and organizations of all sizes protect themselves.

Stacy held a wide range of leadership roles during her tenure at the FBI. She was responsible for directing, drafting, and bolstering multiple cybersecurity and counterintelligence efforts. She has also led hundreds of trainings and presentations.

Whatever issue you are dealing with, Stacy has the experience and passion to help guide you. And this passion is paired with a desire to help businesses and organizations understand the value of proactive efforts in their journey to become security-conscious organizations.

June 5, 2023

Dr. Nasir Ghani

Dr. Nasir Ghani is a Professor of Electrical Engineering and Program Director of the College of Engineering MS in Cybersecurity. He is also an Academic Director for Research at Cyber Florida, a state-funded center focusing on cybersecurity research, education, and outreach. Earlier, he was also the Associate Chair of the ECE Department at the University of New Mexico (UNM). He has also held various research and development positions at several large corporations (including Nokia, IBM, and Motorola) and some startups. His research interests include cybersecurity, cyberinfrastructure design, disaster recovery, and online education. His research has been supported by the NSF, DoD, DoE, Qatar Foundation, and several state and industry partners. He also received the NSF CAREER Award in 2005.

Dr. Ghani has served as an Associate Editor for IEEE Communication Letters, IEEE Systems, and the IEEE/OSA Journal of Optical and Communications & Networking. In addition, he has guest-edited special issues of IEEE Network and IEEE Communications Magazine and chaired large symposia events for IEEE Globecom, IEEE ICC, IEEE ICCCN, and IEEE Infocom. He was also chair of the IEEE Technical Committee on High-Speed Networking (TCHSN) from 2007-2010. He received a B.Sc. from the University of Waterloo, an M.S. from McMaster University, and a Ph.D. from the University of Waterloo.

June 5, 2023

Pam Lindemoen

Pam Lindemoen is a CISO Advisor in Cisco’s Security Organization. She is an Information Security executive leader with over 25 years of experience within the IT industry. Pam joined Cisco from Anthem, Inc. where she held the Deputy Chief Information Security Officer role. While at Anthem, she was considered a bold and strategic thinker who envisioned and delivered a world-class Enterprise Information Security strategy, including the Steering Committee with cross-functional business and technology membership. Pam was also a key advisor to the litigation process and full program development during and after an unprecedented cyber-attack. The foundation for her success was built upon her innate ability to foster business partnerships and support all stakeholder needs.

Prior to Anthem, Pam had significant success leading business development, software development, IT operations, program improvements, and direct sales. In her executive leadership positions, she has played pivotal roles in the development of innovative products and services for key accounts and developed IT solution strategies that led to multibillion-dollar contracts with global vendors and customers.

Not allowing her intrinsic drive and commitment to stop with success in running a business, Pam is dedicated to the encouragement of women in business and IT. Pam is the co-host of Cyber Florida’s Do We Belong Here podcast and serves on the boards of Tampa Bay Tech and the National Cybersecurity Alliance.

June 5, 2023

Dr. Nathan Fisk

Dr. Nathan Fisk, PhD, is the Academic Director for Outreach at Cyber Florida and an Assistant Professor of Cybersecurity Education at the USF College of Education.

Dr. Fisk received his PhD from Rensselaer Polytechnic Institute. He is among the inaugural group of five Fulbright Cybersecurity Scholars, having been invited to the London School of Economics in Fall 2016 to research family discourses of youth privacy online. Currently, he is exploring social scientific approaches to producing and disseminating technical knowledge within informal cybersecurity community groups to develop innovative forms of cybersecurity education.

Dr. Fisk’s third book, “Framing Internet Safety,” was published by MIT Press in December 2016. Fisk currently serves on national working groups for the National Initiative for Cybersecurity Education (NICE) and the Higher Education Information Security Council (HEISC). Additionally, Dr. Fisk is a USF faculty affiliate with the Department of Women and Gender Studies and a research associate with the Florida Center for Instructional Technology (FCIT).

June 5, 2023