MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362)
Executive Summary
MOVEit Transfer is a managed file transfer (MFT) application designed to facilitate secure collaboration and automate the transfer of sensitive data.
A SQL injection vulnerability has been identified in the MOVEit Transfer web application, affecting versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). The flaw is reachable without authentication over the HTTP(S) interface, so it poses a significant security risk. In the observed attacks, exploitation of CVE-2023-34362 was used to write a web shell onto the MOVEit Transfer server; through it the attackers could enumerate files and folders, read configuration details, download stored files, and create or delete MOVEit user accounts. Because the web shell can also read the Azure Blob Storage settings MOVEit is configured with (storage account, key and container), a compromised server also put any associated Azure storage at risk of unauthorized access.
Unit 42's investigation identified the earliest signs of compromise on May 27, 2023, with tactics, techniques and procedures (TTPs) closely matching those documented in other organizations' initial reports. Shodan data shows more than 2,500 MOVEit Transfer servers exposed to the Internet.
This post collects the research findings published so far and offers recommendations for detection, response and protection; the source reports are listed under References and should be consulted for updates.
Affected Versions
MOVEit Transfer 2023.0.0
MOVEit Transfer 2022.1.x
MOVEit Transfer 2022.0.x
MOVEit Transfer 2021.1.x
MOVEit Transfer 2021.0.x
MOVEit Transfer 2020.1.x (12.1): a special patch is available from Progress
MOVEit Transfer 2020.0.x (12.0) and older: no patch; upgrade to a supported version
Patches
Progress maintains a page on its community site (see References) where the official patches for supported versions are posted.
Timeline
Mid-January 2023
Mandiant observed an initial attempt to exploit CVE-2023-34362.
May 27, 2023
Unit 42, in its incident response engagements, observed the first signs of compromise on this date: exploitation followed by web shell deployment and data theft.
Mandiant likewise observed exploitation of the then-zero-day CVE-2023-34362 in MOVEit Transfer, resulting in web shell deployment and data theft.
May 28, 2023
Samples of the LEMURLOOT web shell with filenames such as "human2.aspx" were first uploaded to VirusTotal.
May 31, 2023
Progress Software published a notification alerting customers to a critical SQL injection (SQLi) vulnerability in MOVEit Transfer (later assigned CVE-2023-34362) and announced that it was being exploited as a zero-day.
June 5, 2023
Huntress published a full reconstruction of the attack chain, which it stated no one else had publicly accomplished at that time, together with a video demonstrating exploitation to obtain a Meterpreter shell, escalate to NT AUTHORITY\SYSTEM and deploy a Cl0p ransomware payload.
June 6, 2023
A post on the CL0P^_-LEAKS data leak site (DLS) claimed responsibility for the campaign and threatened to release stolen data if extortion demands were not paid. Mandiant initially tracked the activity as UNC4857 and has since merged UNC4857 into FIN11 based on shared targeting, infrastructure, certificates and data leak site overlaps; Mandiant's blog post was updated to reflect the new attribution and the supporting evidence.
Attack Anatomy
moveitisapi.dll: the SQL injection entry point. The injection fires when this ISAPI endpoint is requested with specific X-siLock-* headers.
guestaccess.aspx: used to prepare a session and to extract the CSRF token and other form field values needed for the subsequent requests.
human2.aspx: the web shell Mandiant named LEMURLOOT, written in C# and tailored to MOVEit Transfer. It is reached with a GET request and authenticates callers with a hard-coded password passed in a request header (X-siLock-Comment); a request with the wrong password receives a 404, so the page looks absent to a casual scan. With the password, the operator can download files from MOVEit Transfer, extract Azure system settings (the Blob Storage account, key and container), retrieve detailed file and user records, and create, insert or delete specific user accounts, including an administrative user. Responses are returned gzip-compressed.
The SQL Injection
The SQL injection is triggered by a POST request to MOVEitISAPI.dll carrying the crafted headers; the Huntress and Assetnote write-ups listed under References describe the request in detail.
API Access
A POST request to /api/v1/token returns an API access token for the session; the Huntress and Assetnote write-ups listed under References describe the request.
The File Upload
The attacker appears to have started a "resumable" file upload through the API, used the SQL injection to change the upload's target location, and then completed the upload. This is the likely mechanism by which the web shell was written into the web root.
From there, the attacker only needs to request the web shell and supply the correct password to control the compromised server remotely.
The Webshell - human2.aspx
The web shell presents the following TTPs and logic.
MITRE ATT&CK TTPs of the LEMURLOOT web shell
Initial Access
T1190: Exploit Public-Facing Application
Privilege Escalation
T1068: Exploitation for Privilege Escalation
Persistence
T1136: Create Account
T1505.003: Server Software Component: Web Shell
Command and Control
T1071.001: Application Layer Protocol: Web Protocols
Exfiltration
T1041: Exfiltration Over C2 Channel
Defense Evasion
T1036.005: Masquerading: Match Legitimate Name or Location
Defend & Respond
Block all incoming HTTP and HTTPS traffic (ports 80 and 443) to the MOVEit Transfer server until it is patched and verified clean. SFTP and FTP/S transfers continue to work, but the web UI, the REST and SOAP APIs, and MOVEit Automation tasks that rely on them will not.
Hunt for and remove unauthorized files (in particular any unexpected .aspx in the web root) and unauthorized user accounts, using the Threat Hunt steps below.
Reset the credentials of MOVEit service accounts and of any account that may have been touched; because the web shell can read the Azure Blob Storage settings, rotate the storage account keys as well.
Apply the patch for your version from the Progress community page.
Verify the system is clean (repeat the hunt) before re-enabling HTTP and HTTPS traffic, and keep monitoring afterwards.
Revise remote access policies and network firewall rules so that inbound connections are permitted only from trusted sources.
Enable multi-factor authentication.
Threat Hunt
Using the Registry
Find the root directory for MOVEit: HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock -> WebBaseDir
Find the log files for MOVEit: HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock -> LogsBaseDir
Find the MySQL configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock\MySQL
Find the MSSQL or Azure SQL configuration: HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock\SQLServer
Search for any unauthorized user accounts from the Users page
Search for unexpected .aspx files (such as human2.aspx) under the web root, and for a second App_Web_*.dll under the Temporary ASP.NET Files directory (see the paths in the Indicators of Compromise section)
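The file-system part of the hunt above, as an added example (not code from the original advisory or from Progress): it resolves WebBaseDir from the siLock registry key, lists every .aspx under the web root that a known-good baseline does not account for, and finds "Temporary ASP.NET Files" compilation directories that hold more than one App_Web_*.dll. The registry read needs Windows and is skipped elsewhere; the baseline dictionary and the sample directory tree are constructed for illustration, and the compilation directory names in it are made up.

```python
"""Sweep a MOVEit Transfer web root for web shell artefacts (added example)."""
import hashlib
import os
import sys
import tempfile

SILOCK_KEY = r"SOFTWARE\Standard Networks\siLock"  # registry key named on this page


def web_base_dir():
    """Return WebBaseDir from HKLM\\SOFTWARE\\Standard Networks\\siLock, or None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SILOCK_KEY) as key:
        return winreg.QueryValueEx(key, "WebBaseDir")[0]


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def unexpected_aspx(wwwroot, baseline):
    """Relative paths of .aspx files whose path or SHA-256 is not in the baseline.

    baseline maps relative path -> sha256 taken from a clean install of the same
    MOVEit build. A dropped page (human2.aspx) has no baseline entry; a backdoored
    legitimate page keeps its name but changes its hash, so both cases are caught.
    """
    hits = []
    for root, _dirs, files in os.walk(wwwroot):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, wwwroot).replace(os.sep, "/")
            if baseline.get(rel) != sha256_of(full):
                hits.append(rel)
    return sorted(hits)


def extra_app_web_dlls(temp_aspnet_root):
    """Map each compilation directory holding more than one App_Web_*.dll to those names.

    A second App_Web_*.dll beside the expected one is the trace IIS leaves when it
    compiles a page on demand, which is what happens to a dropped human2.aspx.
    """
    hits = {}
    for root, _dirs, files in os.walk(temp_aspnet_root):
        dlls = sorted(f for f in files
                      if f.lower().startswith("app_web_") and f.lower().endswith(".dll"))
        if len(dlls) > 1:
            hits[root] = dlls
    return hits


def build_sample_tree():
    """Constructed sample: one baselined page, one dropped page, two App_Web DLLs."""
    base = tempfile.mkdtemp(prefix="moveit-hunt-")
    wwwroot = os.path.join(base, "wwwroot")
    os.makedirs(wwwroot)
    with open(os.path.join(wwwroot, "human.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %> legitimate page\n')
    with open(os.path.join(wwwroot, "human2.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %> dropped page\n')
    baseline = {"human.aspx": sha256_of(os.path.join(wwwroot, "human.aspx"))}
    aspnet_root = os.path.join(base, "Temporary ASP.NET Files")
    compile_dir = os.path.join(aspnet_root, "root", "1a2b3c4d", "5e6f7a8b")  # made-up names
    os.makedirs(compile_dir)
    for name in ("App_Web_abc123.dll", "App_Web_def456.dll"):
        open(os.path.join(compile_dir, name), "wb").close()
    return wwwroot, aspnet_root, baseline


if __name__ == "__main__":
    wwwroot, aspnet_root, baseline = build_sample_tree()
    print("WebBaseDir from registry:", web_base_dir() or "(not on Windows; using sample tree)")
    print("unexpected .aspx:", unexpected_aspx(wwwroot, baseline))
    print("dirs with extra App_Web DLLs:", extra_app_web_dlls(aspnet_root))
```

On a real server, pass the value returned by web_base_dir() as wwwroot and the Temporary ASP.NET Files directory from the IOC paths, and build the baseline from a clean install of the same build rather than from the host under investigation.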
Detection
GitHub: YARA rule by Anthony Smith
Indicators of Compromise
User Agents (as recorded in IIS logs, which encode spaces as +)
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/113.0.0.0+Safari/537.36
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0
Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.54+Safari/537.36
Paths
D:\MOVEitDMZ\wwwroot\human2.aspx
E:\MOVEitTransfer\wwwroot\human2.aspx
C:\Windows\Temp\erymbsqv\erymbsqv.dll
C:\Windows\Microsoft.net\Framework64\v4.0.30319\Temporary ASP.NET Files\root\9a11d1d0\5debd404
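The log side of the hunt, as an added example that is not code from the original advisory: it reads IIS W3C logs from the MOVEit Transfer server and flags requests that served human2.aspx, requests on the attack path carrying one of the user agents listed above, and client IPs that walk the chain from the Attack Anatomy section (guestaccess.aspx session, POST to moveitisapi.dll, /api/v1/token, resumable upload, web shell) within a short time window. It assumes the IIS default field layout (IIS writes User-Agent with spaces encoded as +); the request shape used to recognise the resumable upload is an assumption; the log lines are constructed.

```python
"""Hunt IIS W3C logs from a MOVEit Transfer server for CVE-2023-34362 activity."""
from collections import defaultdict
from datetime import datetime, timedelta

# User agents from the IOC list, exactly as IIS logs them.
IOC_USER_AGENTS = {
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/113.0.0.0+Safari/537.36",
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:109.0)+Gecko/20100101+Firefox/114.0",
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.54+Safari/537.36",
}


def parse_iis(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def stage_of(rec):
    """Name the attack-chain stage a request belongs to, or None."""
    method = rec["cs-method"].upper()
    stem = rec["cs-uri-stem"].lower()
    query = rec["cs-uri-query"].lower()
    if stem.endswith("/human2.aspx"):
        return "webshell"
    if stem.endswith("/guestaccess.aspx") and method == "POST":
        return "session"
    if stem.endswith("/moveitisapi/moveitisapi.dll") and method == "POST":
        return "sqli"
    if stem.endswith("/api/v1/token") and method == "POST":
        return "token"
    if "/api/v1/folders/" in stem and "uploadtype=resumable" in query:  # assumed shape
        return "upload"
    return None


def chain_stages(events, window):
    """Longest list of distinct stages one client hit within any window-long span."""
    best = []
    for i, (start, _) in enumerate(events):
        seen = []
        for ts, stage in events[i:]:
            if ts - start > window:
                break
            if stage not in seen:
                seen.append(stage)
        if len(seen) > len(best):
            best = seen
    return best


def hunt(lines, window=timedelta(minutes=30), min_stages=3):
    """Return (direct_hits, chains): direct_hits is a list of (reason, record);
    chains maps client IP -> stages, for clients reaching min_stages within window."""
    direct, per_ip = [], defaultdict(list)
    for rec in parse_iis(lines):
        stage = stage_of(rec)
        # A 200 means the file exists. A 404 is not proof of absence: scanners
        # probe this path, and the web shell itself answers 404 to callers that
        # do not present the expected password.
        if stage == "webshell" and rec["sc-status"] == "200":
            direct.append(("human2.aspx served with 200", rec))
        if stage and rec["cs(User-Agent)"] in IOC_USER_AGENTS:
            direct.append(("IOC user agent on attack-path request", rec))
        if stage:
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            per_ip[rec["c-ip"]].append((ts, stage))
    chains = {}
    for ip, events in per_ip.items():
        stages = chain_stages(sorted(events), window)
        if len(stages) >= min_stages:
            chains[ip] = stages
    return direct, chains


# Constructed sample log: one legitimate user, one full attack chain, one scanner probe.
_UA = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/113.0.0.0+Safari/537.36"
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-27 03:10:40 10.0.0.5 GET /human.aspx - 443 alice 192.0.2.77 Mozilla/5.0+(X11;+Linux+x86_64)+Firefox/113.0 - 200 0 0 120
2023-05-27 03:12:10 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.23 {_UA} - 200 0 0 45
2023-05-27 03:12:11 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 198.51.100.23 {_UA} - 200 0 0 31
2023-05-27 03:12:13 10.0.0.5 POST /api/v1/token - 443 - 198.51.100.23 {_UA} - 200 0 0 28
2023-05-27 03:12:15 10.0.0.5 POST /api/v1/folders/123456/files uploadType=resumable 443 - 198.51.100.23 {_UA} - 200 0 0 60
2023-05-27 03:13:00 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 {_UA} - 200 0 0 15
2023-05-27 09:00:00 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.9 python-requests/2.31.0 - 404 0 2 3
"""

if __name__ == "__main__":
    direct, chains = hunt(SAMPLE_LOG.splitlines())
    for reason, rec in direct:
        print(f"{rec['date']} {rec['time']} {rec['c-ip']}: {reason}")
    for ip, stages in chains.items():
        print(f"{ip} walked the attack chain: {' -> '.join(stages)}")
```

Point hunt() at the W3SVC log files for the MOVEit site (under the IIS log directory, not the MOVEit LogsBaseDir from the registry); the chain detector is the more durable signal, since the user agents and file name can be changed by the attacker at will.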
References
https://unit42.paloaltonetworks.com/threat-brief-moveit-cve-2023-34362/
https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response
https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
https://www.reddit.com/r/sysadmin/comments/13wxuej/critical_vulnerability_moveit_file_transfer/
https://nvd.nist.gov/vuln/detail/CVE-2023-34362
https://blog.assetnote.io/2023/06/13/moveit-transfer-part-two/