Discovering the MOVEit Vulnerability with the CrowdStrike Falcon Platform

On June 15, 2023, Progress Software announced a critical vulnerability in the MOVEit file transfer software (CVE-2023-35708). This was the third vulnerability impacting the file transfer software (May 2023: CVE-2023-34362; June 9: CVE-2023-35036).

The vulnerabilities have been fixed, and all MOVEit Transfer customers are strongly urged to immediately apply all applicable patches. Details on the steps to take can be found here, noting “there are two paths to take depending on if you have applied the remediation and patching steps from the  MOVEit Transfer Critical Vulnerability (May 2023)  article prior to June 15.”

The Progress team continues to update and keep the community informed with transparency. You can follow the updates on the company’s Security Center blog here.

CrowdStrike incident responders recently outlined how organizations can determine whether data exfiltration has occurred in their MOVEit Transfer application and its potential impact. The blog also provides guidance for evidence preservation and service restoration in the event there is an exploit.

CrowdStrike customers can also follow the latest details in the Support Portal. Note: Content from this post first appeared in r/CrowdStrike.

Falcon Spotlight: Automatically Identify Vulnerable Versions of MOVEit

CrowdStrike Falcon® Spotlight customers can automatically identify potentially vulnerable versions of MOVEit using the assigned CVE IDs CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708.

Figure 1. Falcon Spotlight generates detections for CVE-2023-35036 (click to enlarge)

If you are not yet a customer, you can start a free trial of the Falcon Spotlight vulnerability management solution today.

Intelligence

CrowdStrike Falcon® Intelligence Premium subscribers can find more MOVEit-related Intelligence reports in their Falcon console: US-1 | US-2 | EU-1 | US-GOV-1

Detection

The CrowdStrike Falcon platform has detection logic for exploitation attempts against MOVEit. Because there is an element of remote code execution (RCE) involved in the variability of attack paths, patching should be considered the highest priority.

Hunting MOVEit with the CrowdStrike Falcon Platform

CrowdStrike Falcon® Insight XDR customers can use the following queries to look for the presence of MOVEit software.

Falcon LTR

event_platform=Win #event_simpleName=ProcessRollup2 ImageFileName=/moveit/i
| groupBy([aid], function=([selectFromMax(field="@timestamp", include=[ProcessStartTime, ImageFileName]), count(aid, as=executinoCount)]))
| ProcessStartTime := ProcessStartTime * 1000 | formatTime(format="%c", field=ProcessStartTime, as="ProcessStartTime")

Event Search

event_platform=Win event_simpleName=ProcessRollup2 "moveit"
| lookup local=true aid_master aid OUTPUT Version, AgentVersion, Timezone, MachineDomain, OU, SiteName
| stats earliest(ProcessStartTime_decimal) as firstSeen, latest(ProcessStartTime_decimal) as lastSeen, values(FileName) as filesRunning by aid, ComputerName, Version, AgentVersion, Timezone, MachineDomain, OU, SiteName
| convert ctime(firstSeen) ctime(lastSeen)
| sort 0 + ComputerName

The following queries can be used to look for unexpected script files being written to the wwwroot directory. In the first wave of exploitation, the webshells being dropped were named human2.aspx (VT sample). This file name would be trivial to change.

Falcon LTR

event_platform=Win #event_simpleName=/^(NewScriptWritten|WebScriptFileWritten)$/ TargetFilename=/moveit/i TargetFilename!=/\.tmp$/i
| TargetFilename=/\\wwwroot\\/i 
| TargetFileName=/\\Device\\HarddiskVolume\d+(?.+\\)(?\w+\.\w+)/i
| groupBy([FileName, FilePath], function=([count(aid, distinct=true, as=endpointCount), count(aid, as=writeCount), collect([aid, #event_simpleName])]))

Event Search

event_platform=Win event_simpleName IN (NewScriptWritten, WebScriptFileWritten) "moveit" FileName!="*.tmp"
|  search FilePath="*\\wwwroot\\"
| rex field=TargetFileName "\\\Device\\\HarddiskVolume\d+(?.*)"
| stats dc(aid) as endpointCount, count(aid) as writeCount, values(ComputerName) as endpointsWrittenTo, values(event_simpleName) as falconEvents by FileName, ShortFilePath

CrowdStrike Falcon Discover Customers

Falcon Discover customers can navigate to: Discover > Applications > Applications to search for the presence of MOVEit software on Falcon systems.

Additional Resources

Breaches Stop Here