Since the end of May, several critical flaws have been discovered in Progress Software’s MOVEit Transfer managed file transfer application. The first flaw involves a SQL injection (SQLi) vulnerability that could potentially lead to privilege escalation and unauthorized system access. Depending on the specific database engine in use, such as MySQL, Microsoft SQL Server, or Azure SQL, an attacker may be able to gather information about the database’s structure and contents. Furthermore, they could execute SQL statements that have the capability to modify or delete elements within the database.
Microsoft has attributed the ongoing exploitation of this vulnerability to a threat actor known as Lace Tempest. Lace Tempest (also known as Storm-0950) is associated with ransomware groups like FIN11, TA505, and Evil Corp. They are also linked to the operation of the Cl0p extortion site. The attacker’s objective is data theft and subsequent extortion.
What is MOVEit?
The software encrypts files and utilizes the Secure File Transfer Protocol (SFTP) to transfer files and data between servers, systems, and applications within and across organizations. MOVEit integrates secure file transfer with reporting, workflow automation, and multi-layered security features.
The SQL injection vulnerability in the MOVEit software is exploitable in all versions prior to the following: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
The exploitation of CVE-2023-34362 via SQL Injection grants threat actors the ability to potentially elevate privileges, as well as access and download data from the database server.
Once exploited, Cl0p deploys a web shell named “LEMURLOOT,” utilizing filenames like “human2.aspx” or “_human2.aspx.” These filenames bear a resemblance to legitimate components of the MOVEit Transfer software, such as “human.aspx.”
LEMURLOOT is specifically designed to offer tailored functionality for systems running MOVEit Transfer software. It has the capability to generate commands for scanning files and folders, retrieving configuration information, and creating or deleting a user with a predefined name. Initial analysis indicates that the LEMURLOOT web shell is being used to steal data that was previously uploaded by users of individual MOVEit Transfer systems.
The scanning and exploitation leading to the deployment of LEMURLOOT were traced back to IP addresses within the range of 18.104.22.168/22. However, interaction with the web shell and data theft occurred from different systems. There have been multiple instances where this exploit has been employed to steal a significant volume of files.
To enhance the security of MOVEit Transfer servers and mitigate the risk of exploitation, Progress Software provides the following recommendations for administrators:
- Implement traffic whitelisting on ports 80 and 443 for the MOVEit Transfer server. By doing so, external access to the web user interface (UI) will be restricted, and certain MOVEit Automation tasks, APIs, and the Outlook MOVEit Transfer plugin will be rendered non-functional. However, you can still utilize the SFTP and FTP/S protocols for file transfers.
- Conduct an inspection of the “C:\MOVEit Transfer\wwwroot\” folder for any suspicious files, such as backups or unusually large file downloads. The presence of such files may indicate potential data theft.
It is strongly recommended that affected organizations perform a forensic analysis of their server to ensure it has not been compromised.
By applying these mitigations, you can reduce the impact of this threat on your MOVEit Transfer environment. Progress recommends that you apply these immediately.
- Disable all HTTP and HTTPS traffic to the MOVEit Transfer environment.
- Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
- If you are not applying the patch immediately, you can still access MOVEit Transfer while external web traffic is blocked by connecting to the server over a remote desktop session and browsing to https://localhost. Proceed with the following steps when you are ready.
- Review, delete, and reset any unauthorized files and user accounts, such as .cmd scripts and human2.aspx files.
- Apply the relevant patch (for the May 31 and June 9 vulnerabilities).
- Verify that all malicious files and user accounts have been deleted or reset.
- If you find any indicators of compromise (IoCs), reset the service account credentials again.
- Apply the latest vulnerability fixes (for the June 15 vulnerability).
- Re-enable all HTTP and HTTPS traffic to the MOVEit Transfer environment.
- Continuously monitor the network, endpoints, and logs for IoCs related to the current campaign.
- Bookmark and refer to the Progress Security Page, for the latest updates.
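The two detection items in the lists above (inspecting the wwwroot folder for suspicious files, and monitoring logs for IoCs from this campaign) can be turned into a repeatable check. The script below is an added example written for this page; it is not code from Progress, from the referenced advisories, or from the write-up itself. It walks a web root for the LEMURLOOT filenames, dropped .cmd scripts and unusually large files, and parses an IIS W3C log to flag requests to the web shell path or from the attributed 18.104.22.168/22 range. The large-file threshold, the IIS field layout, the sample log lines and the demo directory tree are all constructed assumptions.

```python
"""IoC triage for a MOVEit Transfer host: web-root file check plus IIS log scan.

Added example for this write-up. The IoCs (filenames, .cmd scripts, scanning
range) come from the text above; the sample log, demo directory tree, large-file
threshold and IIS column layout are constructed assumptions.
"""
import ipaddress
import os
import tempfile

SUSPICIOUS_NAMES = {"human2.aspx", "_human2.aspx"}   # LEMURLOOT web shell filenames
SUSPICIOUS_EXTENSIONS = {".cmd"}                     # scripts named in the clean-up step
DEFAULT_LARGE_BYTES = 100 * 1024 * 1024              # assumed "unusually large" threshold
# The write-up gives the range with host bits set; strict=False normalises it to 18.104.20.0/22.
SCANNER_RANGE = ipaddress.ip_network("18.104.22.168/22", strict=False)


def find_suspicious_files(wwwroot, large_bytes=DEFAULT_LARGE_BYTES):
    """Return [(path, [reasons])] for files under wwwroot that match an IoC."""
    hits = []
    for dirpath, _dirs, files in os.walk(wwwroot):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            reasons = []
            if lower in SUSPICIOUS_NAMES:
                reasons.append("known web shell filename")
            if os.path.splitext(lower)[1] in SUSPICIOUS_EXTENSIONS:
                reasons.append("script file in web root")
            if os.path.getsize(path) >= large_bytes:
                reasons.append("unusually large file (possible staged archive)")
            if reasons:
                hits.append((path, reasons))
    return sorted(hits)


def parse_iis_log(lines):
    """Yield one dict per W3C IIS log entry, naming columns from the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):       # skip truncated or malformed lines
                yield dict(zip(fields, values))


def flag_log_entries(entries):
    """Return [(timestamp, client ip, uri, [reasons])] for entries matching an IoC."""
    flagged = []
    for e in entries:
        stem = e.get("cs-uri-stem", "").lower()
        reasons = []
        if stem.rsplit("/", 1)[-1] in SUSPICIOUS_NAMES:
            reasons.append("request to web shell path")
        try:
            if ipaddress.ip_address(e.get("c-ip", "")) in SCANNER_RANGE:
                reasons.append("client in attributed scanning range")
        except ValueError:
            pass                                 # c-ip missing or not an address
        if reasons:
            when = e.get("date", "") + " " + e.get("time", "")
            flagged.append((when, e.get("c-ip"), stem, reasons))
    return flagged


# Constructed log: one client sits inside the attributed range, one posts to the web shell.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-06-01 02:14:07 10.0.0.5 GET /human.aspx - 443 203.0.113.7 Mozilla/5.0 200
2023-06-01 02:15:31 10.0.0.5 GET /human.aspx - 443 18.104.21.45 python-requests/2.28 200
2023-06-01 02:16:02 10.0.0.5 POST /human2.aspx - 443 198.51.100.23 - 200
2023-06-01 02:20:44 10.0.0.5 GET /api/v1/token - 443 203.0.113.7 Mozilla/5.0 200
"""


def build_demo_wwwroot(root):
    """Populate a constructed web root: the legitimate human.aspx plus one file per IoC."""
    os.makedirs(os.path.join(root, "backup"), exist_ok=True)
    for rel, size in [("human.aspx", 512), ("human2.aspx", 512),
                      (os.path.join("backup", "_human2.aspx"), 512),
                      ("cleanup.cmd", 128), (os.path.join("backup", "export.zip"), 2048)]:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)
    return root


def demo_file_hits(large_bytes=1024):
    """Scan the constructed web root in a temp dir; return hits as (relative path, reasons)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_wwwroot(tmp)
        return sorted((os.path.relpath(p, root).replace(os.sep, "/"), r)
                      for p, r in find_suspicious_files(root, large_bytes))


if __name__ == "__main__":
    for rel, why in demo_file_hits():
        print("FILE", rel, ";".join(why))
    for when, ip, uri, why in flag_log_entries(parse_iis_log(SAMPLE_IIS_LOG.splitlines())):
        print("LOG ", when, ip, uri, ";".join(why))
```

On a real host, point find_suspicious_files at C:\MOVEit Transfer\wwwroot and parse_iis_log at the site's W3C log files; any hit should feed the forensic review the advisory calls for rather than be deleted on sight, since the files and log lines are evidence of what was accessed.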
Since the disclosure of the initial vulnerability, two additional vulnerabilities have emerged: CVE-2023-35036 (reported on June 9, 2023) and CVE-2023-35708 (reported on June 15, 2023). Both are SQL injection flaws that could enable unauthorized access to the MOVEit Transfer database. Exploiting them involves submitting a specifically crafted payload to a MOVEit Transfer application endpoint, which may result in the unauthorized modification and disclosure of the database content.
Vulnerable Versions for CVE-2023-35036:
The affected versions of MOVEit include those released prior to 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6) and 2023.0.2 (15.0.2).
Vulnerable Versions for CVE-2023-35708:
The affected versions of MOVEit include those released prior to 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7) and 2023.0.3 (15.0.3).