June 1, 2023
On May 31, 2023, Progress Software released a security bulletin concerning a critical vulnerability within MOVEit Transfer, a widely used secure file transfer system. According to Shodan, over 2500 servers running this software are on the Internet.
TrustedSec has performed analysis on the vulnerability and on post-exploitation activity. At the time of publication, there is no associated CVE or CVSS score.
This post will describe the research conducted so far and provide detection, response, and protection recommendations. Additional information will be released as it is found.
Vulnerability
According to the MOVEit notification, a SQL injection (SQLi) vulnerability within the application could allow escalated privileges and unauthorized access to the environment. Based on TrustedSec’s analysis of the backdoor seen, a successful attack could allow unauthenticated remote access to any folder or file within a MOVEit system.
Progress has published mitigation steps as well as fixed versions of the software in their notice.
Exploit Activity
According to a Reddit thread on the vulnerability, one of the backdoors named in the attack is human2.aspx. According to our research, these backdoors have been uploaded to public sites since May 28, 2023, meaning the attackers likely took advantage of the Memorial Day holiday weekend to gain access to systems. There have also been reports of data exfiltration from affected victims.
TrustedSec was able to obtain multiple copies of the human2.aspx backdoor and analyze them. Most of the code is identical across samples; the one difference is a unique hard-coded password in each. Because every compromise uses its own randomly generated password, each sample has a different file hash, so hunting purely by file hash is likely to miss copies.

Backdoor
The human2.aspx backdoor, which is reportedly uploaded during the attack, allows the attacker to do the following:
- Obtain a list of all folders, files, and users within MOVEit
- Download any file within MOVEit
- Insert an administrative backdoor user into MOVEit and give attackers an active session to allow credential bypass
Note that the backdoors examined do not yet return a list of user password hashes from MOVEit.
The human2.aspx backdoor functions as follows:
- When the page loads, the value of a request header named X-siLock-Comment is checked against a hard-coded password. If the password does not match, an HTTP 404 is returned, so failed probes look like requests for a missing page.
- The value of a request header named X-siLock-Step1 is then read in.
- X-siLock-Step1 will contain a value of -1, -2, or null. A follow-on set of actions will occur depending on this value.
- If the X-siLock-Step1 value is -1:
- The Azure Blob Storage Account, Blob Key, and Blob Container IDs are
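The two facts above that matter most for hunting are that file hashes vary per sample (the hard-coded password) and that the backdoor answers a wrong X-siLock-Comment password with a 404. The following is an added example written for this post, not TrustedSec's tooling or any code from the backdoor itself. It flags webroot files by the backdoor's filename or by the header strings the post names (so a renamed copy with a different hash is still caught), and it parses IIS W3C log lines to surface every request for human2.aspx, keeping 404 responses rather than discarding them. It matches on the URI stem only, because a default IIS configuration does not log custom request headers. The .aspx fragments and log lines are constructed sample data, not material from a real incident.

```python
import hashlib
from typing import Iterable, List, Optional, Tuple

# Header names the post reports the human2.aspx backdoor reads. Matching file
# content on these is more robust than hash matching because every sample
# carries a different hard-coded X-siLock-Comment password, which changes the
# file hash from victim to victim.
BACKDOOR_MARKERS = ("X-siLock-Comment", "X-siLock-Step1")
BACKDOOR_FILENAME = "human2.aspx"


def classify_file(name: str, data: bytes) -> Optional[dict]:
    """Return a finding for one webroot file, or None if nothing suspicious.

    `name` is the file's basename and `data` its raw bytes. Both the filename
    and the header strings are checked so that a renamed copy is still caught.
    """
    markers = [m for m in BACKDOOR_MARKERS if m.encode() in data]
    if name.lower() != BACKDOOR_FILENAME and not markers:
        return None
    return {"file": name, "sha256": hashlib.sha256(data).hexdigest(), "markers": markers}


def scan_files(files: Iterable[Tuple[str, bytes]]) -> List[dict]:
    """Classify a batch of (basename, contents) pairs, e.g. gathered with os.walk over wwwroot."""
    return [hit for name, data in files for hit in [classify_file(name, data)] if hit]


def parse_iis_w3c(lines: Iterable[str]) -> List[dict]:
    """Parse IIS W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    rows = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives carry no request data
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated row; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_backdoor_requests(rows: Iterable[dict]) -> List[dict]:
    """Flag every request whose URI stem is the backdoor page.

    A 404 is deliberately NOT a reason to drop a row: the backdoor itself
    returns 404 when the X-siLock-Comment password does not match, so failed
    probes are indistinguishable from ordinary missing-page errors by status alone.
    """
    hits = []
    for row in rows:
        stem = row.get("cs-uri-stem", "").lower()
        if stem.rsplit("/", 1)[-1] == BACKDOOR_FILENAME:
            hits.append({
                "time": f"{row['date']} {row['time']}",
                "client": row.get("c-ip"),
                "method": row.get("cs-method"),
                "status": int(row.get("sc-status", "0")),
            })
    return hits


# Constructed sample data for demonstration; not taken from a real incident.
SAMPLE_FILES = [
    ("human2.aspx", b'<%@ Page Language="C#" %> <!-- constructed: Request.Headers["X-siLock-Comment"] -->'),
    ("stats.aspx", b'<%@ Page Language="C#" %> <!-- constructed renamed copy: Request.Headers["X-siLock-Step1"] -->'),
    ("index.aspx", b'<%@ Page Language="C#" %> <p>constructed benign page</p>'),
]

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-28 03:11:02 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 404 0 0 15
2023-05-28 03:11:09 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2023-05-28 03:12:40 10.0.0.5 GET /human.aspx - 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 33
"""

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print("FILE", finding)
    for hit in find_backdoor_requests(parse_iis_w3c(SAMPLE_LOG.splitlines())):
        print("REQUEST", hit)
```

On a real host, feed scan_files with (basename, bytes) pairs from an os.walk over the MOVEit webroot, and parse_iis_w3c with the IIS log files for the window starting around the Memorial Day weekend; the first 404 from a given client to human2.aspx is often the earliest trace of the intrusion.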