Noname Public Service Announcement: Moveit attack involving API abuse

A recent onslaught of attacks targeting the MoveIT application have affected several US Government agencies including Department of Energy (DOE); the Oak Ridge National Laboratory (ORNL) and several State governments such as Minnesota, Missouri, and Illinois. Media coverage of the vulnerabilities (CVE-2023-34362, CVE-2023-35036, and most recently CVE-2023-35708) involving a SQL injection are front and center. However, let’s take a closer look at the second stage of the attack involving a “deserialization” abuse (Note, not exploit) of the MoveIT API (Application Programmable Interface).

What is Serialization/Deserialization?

Deserialization abuse refers to a security vulnerability that occurs when an application or system blindly trusts and processes serialized data without proper validation or sanitization. Serialization is the process of converting an [executable] object into a format that can be stored or transmitted, such as JSON or XML (or even binary), to APIs. Deserialization, on the other hand, involves taking this serialized data and reconstructing it into its original object form. An attacker can exploit deserialization vulnerabilities by submitting maliciously crafted serialized data that can lead to unauthorized remote code execution, data tampering, data exfiltration, or other malicious actions.

When deserialization abuse occurs over an API interface, the vulnerability arises from either a bug or the trust placed in the serialized data received from external sources. If an API interface blindly accepts and processes serialized data without proper validation, an attacker can take advantage of this trust by sending serialized data that can be executed on the remote host. The attacker could exploit weaknesses in the deserialization process to execute arbitrary code or gain unauthorized access to sensitive information. By leveraging this vulnerability, an attacker can potentially compromise the entire system or perform actions that were not intended or authorized by the API.

It is crucial for developers to implement strong input validation and sanitization techniques to prevent deserialization abuse over API interfaces and ensure the security of their applications. It is such an important aspect to consider so much so that programming documentation like Python’s highlights that you should be extra careful about who you let send serialized data into your applications.

Proof of Concept Code

At Noname, we take great pride in helping our clients understand the issues plaguing APIs and the attack surface that’s being exploited (or in this case, abused) by the adversary. To help bring awareness to the topic of deserialization, we’ve created a simple proof of concept code in python. You can use the code to demonstrate, test, and help with awareness around this type of abuse.

The POC code with instructions can be found here: https://github.com/nonamedaren/api_deserialization_abuse

Have fun, tweak the code, and see what commands you can send other than the default one, which retrieves the host users list in /etc/passwd.

How Can Noname Help?

The Noname API security platform can help with discovery of MoveIT APIs, unauthorized API admin access, command injection, and sensitive data exfiltration in these ways:

What is the process for getting started with Noname on this?

1. Start with a RECON report
   1. Let us find your MoveIT APIs that are exposed to the internet, and other related artifacts (e.g. OAS) that adversaries can use to plan their attacks.
2. Try out the Noname Platform
   1. Discovery
      1. Discover what MoveIT APIs are being used and whether admin APIs are in service and active.
      2. Classify (sensitive) data and automatically document what “good” looks like from legitimate traffic.
      3. Print a report of all APIs and data that was discovered
   2. Posture
      1. Evaluate configurations (and misconfigurations) of APIs and related infrastructure.
      2. Determine which APIs are not being protected by gateways/firewalls/etc.
      3. Discover credential issues (expired, malformed, etc.)
   3. Runtime
      1. Identify command injections, and the attacker details (admin creds, IP)
      2. Identify admin APIs that are all of a sudden sending sensitive data when none was sent before.
      3. Discover anomalous flows of excessive sensitive data flows.
3. Plan
   1. Work with Noname’s implementation team to architect a solution that will meet your enterprise-wide API security and governance needs
   2. Educate others within your organization through workshops, training (in-person and online).

References:

1. https://www.horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/
2. https://www.bleepingcomputer.com/news/security/exploit-released-for-moveit-rce-bug-used-in-data-theft-attacks/
3. https://securityboulevard.com/2023/06/what-you-need-to-know-about-the-moveit/
4. https://www.rapid7.com/blog/post/2023/06/14/etr-cve-2023-34362-moveit-vulnerability-timeline-of-events/