Discovering the MOVEit Vulnerability with the CrowdStrike Falcon Platform
On June 15, 2023, Progress Software announced a critical vulnerability in the MOVEit file transfer software (CVE-2023-35708). This was the third vulnerability impacting the file transfer software (May 2023: CVE-2023-34362; June 9: CVE-2023-35036).
The vulnerabilities have been fixed, and all MOVEit Transfer customers are strongly urged to immediately apply all applicable patches. Details on the steps to take can be found here, noting “there are two paths to take depending on if you have applied the remediation and patching steps from the MOVEit Transfer Critical Vulnerability (May 2023) article prior to June 15.”
The Progress team continues to update and keep the community informed with transparency. You can follow the updates on the company’s Security Center blog here.
CrowdStrike incident responders recently outlined how organizations can determine whether data exfiltration has occurred in their MOVEit Transfer application and its potential impact. The blog also provides guidance for evidence preservation and service restoration in the event there is an exploit.
CrowdStrike customers can also follow the latest details in the Support Portal.
Note: Content from this post first appeared in r/CrowdStrike.
Falcon Spotlight: Automatically Identify Vulnerable Versions of MOVEit
CrowdStrike Falcon® Spotlight customers can automatically identify potentially vulnerable versions of MOVEit using the assigned CVE IDs CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708.
If you are not yet a customer, you can start a free trial of the Falcon Spotlight vulnerability management solution today.
Intelligence
CrowdStrike Falcon® Intelligence Premium subscribers can find more MOVEit-related Intelligence reports in their Falcon console: US-1 | US-2 | EU-1 | US-GOV-1
Detection
The CrowdStrike Falcon platform has detection logic for exploitation attempts against MOVEit. Because there is an element of remote code execution (RCE) involved in the variability of attack paths, patching should be considered the highest priority.
Hunting MOVEit with the CrowdStrike Falcon Platform
CrowdStrike Falcon® Insight XDR customers can use the following queries to look for the presence of MOVEit software.
Falcon LTR
event_platform=Win #event_simpleName=ProcessRollup2 ImageFileName=/moveit/i
| groupBy([aid], function=([selectFromMax(field="@timestamp", include=[ProcessStartTime, ImageFileName]), count(aid, as=executinoCount)]))
| ProcessStartTime := ProcessStartTime * 1000 | formatTime(format="%c", field=ProcessStartTime, as="ProcessStartTime")
Event Search
event_platform=Win event_simpleName=ProcessRollup2 "moveit"
| lookup local=true aid_master aid OUTPUT Version, AgentVersion, Timezone, MachineDomain, OU, SiteName
| stats earliest(ProcessStartTime_decimal) as firstSeen, latest(ProcessStartTime_decimal) as lastSeen, values(FileName) as filesRunning by aid, ComputerName, Version, AgentVersion, Timezone, MachineDomain, OU, SiteName
| convert ctime(firstSeen) ctime(lastSeen)
| sort 0 + ComputerName
The following queries can be used to look for unexpected script files being written to the wwwroot directory. In the first wave of exploitation, the webshells being dropped were named human2.aspx (VT sample). This file name would be trivial to change.
Falcon LTR
event_platform=Win #event_simpleName=/^(NewScriptWritten|WebScriptFileWritten)$/ TargetFilename=/moveit/i TargetFilename!=/\.tmp$/i
| TargetFilename=/\\wwwroot\\/i
| TargetFileName=/\\Device\\HarddiskVolume\d+(?<FilePath>.+\\)(?<FileName>\w+\.\w+)/i
| groupBy([FileName, FilePath], function=([count(aid, distinct=true, as=endpointCount), count(aid, as=writeCount), collect([aid, #event_simpleName])]))
Event Search
event_platform=Win event_simpleName IN (NewScriptWritten, WebScriptFileWritten) "moveit" FileName!="*.tmp"
| search FilePath="*\\wwwroot\\"
| rex field=TargetFileName "\\\Device\\\HarddiskVolume\d+(?<ShortFilePath>.*)"
| stats dc(aid) as endpointCount, count(aid) as writeCount, values(ComputerName) as endpointsWrittenTo, values(event_simpleName) as falconEvents by FileName, ShortFilePath
CrowdStrike Falcon Discover Customers
Falcon Discover customers can navigate to: Discover > Applications > Applications to search for the presence of MOVEit software on Falcon systems.
Additional Resources
- To request more information or speak with a CrowdStrike Services representative, complete and submit this form.
- Learn about the powerful, cloud-native CrowdStrike Falcon platform by visiting the product webpage.
- Get a full-featured free trial of CrowdStrike Falcon® Prevent to see for yourself how true next-gen AV performs against today’s most sophisticated threats.