The critical vulnerability in MOVEit Transfer that ransomware groups and other threat actors have been exploiting for a week now is not simply a SQL injection bug, but can also lead to remote code execution, researchers say.
The vulnerability (CVE-2023-34362) became public on May 31, but there is evidence that some attackers were scanning for it several months before that. Initial analyses found that the bug could allow an attacker to perform a SQL injection attack against a vulnerable instance, but further digging has shown that remote code execution is also a possibility.
“This means that any unauthenticated adversary could trigger an exploit that instantly deploys ransomware or performs any other malicious action. Malicious code would run under the MOVEit service account user moveitsvc, which is in the local administrators group. The attacker could disable antivirus protections, or achieve any other arbitrary code execution,” John Hammond, senior security researcher at Huntress, said.
“The behavior that the industry observed, adding a human2.aspx webshell, is not necessary for attackers to compromise the MOVEit Transfer software. It's "an option" that this specific threat chose to deploy for persistence, but the attack vector offers the ability to detonate ransomware right away. Some have already publicly reported to attackers pivoting to other file names.”
There are several threat actors trying to exploit this vulnerability, but the most prevalent and successful one so far is the cl0p ransomware group. The group has claimed responsibility for the exploitation that has happened thus far, and has posted a statement to that effect on its Tor leak site. Last week, Microsoft attributed the exploit activity their researchers had seen to a group they track as Lace Tempest, which overlaps with the cl0p group.
The vulnerability affects all versions of the MOVEit Transfer file transfer application, and the software’s maker, Progress, has released patched versions to address the bug. Organizations that have not been able to upgrade to the fixed version yet should disable all HTTP and HTTPS traffic to the MOVEit Transfer instance to mitigate the risk of attacks.
Data from GreyNoise, which tracks Internet scanning activity, shows several dozen IP addresses scanning for the MOVEit Transfer bug, many of them in the United States. In many cases, the attackers who exploit this flaw steal data from the compromised network in addition to possibly deploying ransomware. On Monday, Mandiant researchers said they have seen a group they track as UNC4857 exploiting the bug to install a webshell called LEMURLOOT and exfiltrate data from companies in the U.S., Canada, and elsewhere.
“LEMURLOOT can also steal Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings, suggesting that actors exploiting this vulnerability may be stealing files from Azure in cases where victims are storing appliance data in Azure Blob storage, although it is unclear if theft is limited to data stored in this way,” the Mandiant researchers said.
Other research teams also have observed attackers dropping webshells on compromised web servers running vulnerable MOVEit Transfer instances.
CC By 2.0 license photo by Kenjoey.