MOVEit, a managed file transfer software product developed by Progress Software, employs Secure File Transfer Protocol (SFTP) to securely transfer and encrypt data at rest. The software has been popular with the healthcare industry as well as financial services and government sectors, but on May 31st, 2023, Progress Software disclosed a critical vulnerability: CVE-2023-34362.

Upon successful exploitation of this vulnerability, an attacker could gain sufficient access to install a web shell inside the MOVEit application. This would allow the bad actor full access to read, write and delete contents of the various databases it utilizes, such as MySQL, Microsoft SQL Server, and Azure SQL. Multiple vendors have published details about the attack vector, revealing a consistent pattern of attempting to infiltrate the vulnerable system via SQL injection to implant the web shell.

Read on to discover three ways Riverbed can help safeguard your organization from potential breaches.

1. Uncover historical activity

If you have unknowingly been scanned or implanted with this web shell, it is important to note that these attackers have been known to use a range of IP addresses. This range is released with the CVE Indicators of Notice. Thanks to Riverbed NetProfiler‘s high-resolution, raw-flow retention that comfortably goes back multiple years, the search through history to investigate any traces of offending IP addresses is made simple.

Simply copy and paste these IPs, set your desired time range, and then see whether there has been any activity from these IP addresses in the past.

NetProfiler then provides detailed, highly-customizable interactive reports, such as report shown below, on the various TCP or UDP communication these IPs have been engaging. In easy to understand tables, it provides port number and traffic volumes.

2. Visualize relationships between IP addresses

Visualizing the relationships of IP end points will usually bring out hidden trends and patterns in the attack vector that may not be as easily apparent in reading reports and tables. NetProfiler provides dynamically-generated, interactive visualizations of the TCP/UDP communication with the attacker’s IPs.

3. Track attack signatures from packets

Most attacks exhibit distinct patterns that can be captured through network activity analysis. In this case, the Indicators of Compromise (IOC) are specific HTTP headers present in the attacker’s requests:

• X-siLock-Comment
• X-siLock-Step1
• X-siLock-Step2
• X-siLock-Step3

Configuring the below definition for “Web Application” within Riverbed AppResponse ensures that even a single packet detected in the full bandwidth of data being analyzed by the appliance will trigger an event. Packets can be reviewed, and metrics for that TCP and HTTP exchange will be logged.

Once the definition is in place, you can observe detailed packet-based metrics and access the actual packets through right-click functionality.

Here are some of the typical alerts that AppResponse offers, with numerous other categories available:

Summary

In this blog, we explored how attack vectors follows common patterns to scan for vulnerabilities and how packet and flow-based monitoring tools can be used to analyze past incidents and detect ongoing scans and threats. To learn more about how Riverbed Observability tools can help you protect against malicious actors, please reach out to our experts here.