Active exploitation of the MOVEit Transfer vulnerability — CVE-2023-34362 — by Clop ransomware group
The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot.
Friday, June 16, 2023 14:06
- Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023.
- Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus solutions (AV) or deploying malware payloads.
- The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments, and Microsoft has attributed these attacks to the same group, according to public reporting.
- Two more vulnerabilities have since been found in MOVEit Transfer solutions, CVE-2023-35036 and CVE-2023-35708, although at this time, they are reportedly not being actively exploited.
CVE-2023-34362 details and ongoing exploitation
On May 31, the Progress Software Corporation released a security advisory warning customers of a vulnerability in internet-facing and on-premises instances of its MOVEit Transfer solution, which could lead to escalated privileges and potential unauthorized access to an environment. The vulnerability, CVE-2023-34362, has been actively exploited since May 27, but the threat actors may have begun experimenting with it as early as 2021.
As of late May, there were approximately 2,500 exposed MOVEit instances primarily located in the U.S., according to public reporting, highlighting its prevalence in enterprise environments.
Vulnerability details
The MOVEit Transfer vulnerability, CVE-2023-34362, covers multiple flaws that an attacker can chain together to achieve RCE with elevated privileges. The first part of the exploit chain uses SQL injection to obtain a sysadmin API token. That token can then be used to call a deserialization function that does not properly validate input, allowing for remote code execution.
A second vulnerability, CVE-2023-35036, was assigned and Progress Software released patches and an advisory addressing this issue. Patches for CVE-2023-35036 are meant to mitigate multiple parts of the successful exploit chain initially discovered to have been used during the exploitation of the first vulnerability, CVE-2023-34362.
On June 15, 2023, another vulnerability was identified, CVE-2023-35708. Progress Software is in the process of releasing installable patches for this issue; fixed DLL drop-in versions are available ahead of the full installer.
Ongoing exploitation
The Clop ransomware group released a public statement on their Tor data leak site on June 5, claiming responsibility for the attacks and threatening to publish victims’ data if the extortion demand is not paid. The group provided a deadline of June 14 for victims to initiate contact or else their company name would be posted on the data leak site as a warning. At this time, no data has been published but they have begun publicly naming and shaming affected companies.
In this activity, the Clop ransomware group exploited CVE-2023-34362 to install a previously unknown web shell now dubbed “LemurLoot”.
Written in C#, LemurLoot is designed to execute on systems running MOVEit Transfer and exfiltrate data. The web shell is deployed with a hardcoded, 36-character GUID-formatted value used to authenticate incoming connection requests from the threat actor. This authentication value must be present in the “X-siLock-Comment” header field; if it is absent, the web shell returns an HTTP 404 error code to the operator. If the value is correct, the web shell confirms it can accept taskings and connects to an attacker-controlled SQL server.
LemurLoot uses the header field “X-siLock-Step1” to receive commands from the operator. There are two well-defined commands, -1 and -2. The fields “X-siLock-Step2” and “X-siLock-Step3” hold parameters that are used when no defined command has been given.
- Command “-1”: LemurLoot retrieves Azure system settings from MOVEit Transfer and performs SQL queries to retrieve files.
- Command “-2”: LemurLoot deletes a user account with the LoginName and RealName set to "Health Check Service".
For any other value of “X-siLock-Step1”, the web shell opens the file specified by the folder and file name in “X-siLock-Step2” and “X-siLock-Step3” respectively and retrieves it for the operator.
If no values of “X-siLock-Step2” and “X-siLock-Step3” are specified, the web shell creates the “Health Check Service” admin user and creates an active session.
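The header-driven tasking protocol described above lends itself to a simple defensive triage rule: no legitimate MOVEit client sends `X-siLock-*` headers, so their presence in proxy or WAF captures is a high-confidence indicator, and the `-1`/`-2`/other dispatch can be decoded to tell an analyst what the operator was attempting. The following is an added example, not Cisco Talos code; it models only the behaviour the post states, and the raw header block, the all-zero GUID and the user records it uses are constructed sample input.

```python
"""Triage helper for the LemurLoot tasking pattern (added example, not Talos code).

Models only what the post describes: operator authentication via X-siLock-Comment,
a command in X-siLock-Step1 (-1, -2, or anything else), file selection via
X-siLock-Step2/Step3, and creation of a "Health Check Service" admin user when
Step2/Step3 are absent. All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Mapping

# Header names taken from the post; values are compared case-insensitively by key.
SILOCK_AUTH_HEADER = "x-silock-comment"
SILOCK_STEP_HEADERS = ("x-silock-step1", "x-silock-step2", "x-silock-step3")
BACKDOOR_ACCOUNT = "Health Check Service"


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def parse_header_block(raw: str) -> Dict[str, str]:
    """Turn a raw 'Name: value' header block (as a reverse proxy logs it) into a dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


def classify_request(headers: Mapping[str, str]) -> Verdict:
    """Flag a request whose headers match LemurLoot's operator protocol and decode the tasking."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons: List[str] = []

    if SILOCK_AUTH_HEADER in h:
        reasons.append("X-siLock-Comment present (web shell operator authentication)")

    step1 = h.get("x-silock-step1")
    if step1 is not None:
        cmd = step1.strip()
        if cmd == "-1":
            reasons.append("Step1=-1: retrieve Azure settings and query files via SQL")
        elif cmd == "-2":
            reasons.append(f"Step1=-2: delete backdoor user '{BACKDOOR_ACCOUNT}'")
        else:
            folder = h.get("x-silock-step2")
            name = h.get("x-silock-step3")
            if folder or name:
                reasons.append(f"Step1={cmd!r}: file retrieval of {folder!r}/{name!r}")
            else:
                reasons.append(f"Step1={cmd!r} with no Step2/Step3: create '{BACKDOOR_ACCOUNT}' admin user")
    elif any(k in h for k in SILOCK_STEP_HEADERS[1:]):
        reasons.append("X-siLock-Step2/Step3 present without Step1")

    return Verdict(bool(reasons), reasons)


def find_backdoor_accounts(users: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return MOVEit user records whose LoginName or RealName matches the post's backdoor account."""
    return [u for u in users
            if u.get("LoginName") == BACKDOOR_ACCOUNT or u.get("RealName") == BACKDOOR_ACCOUNT]


# Constructed sample: a header block as a proxy might record it (GUID is a placeholder).
SAMPLE_REQUEST_HEADERS = """Host: moveit.example.invalid
User-Agent: Mozilla/5.0
X-siLock-Comment: 00000000-0000-0000-0000-000000000000
X-siLock-Step1: -1
"""

if __name__ == "__main__":
    verdict = classify_request(parse_header_block(SAMPLE_REQUEST_HEADERS))
    print("suspicious" if verdict.suspicious else "clean")
    for reason in verdict.reasons:
        print(" -", reason)
```

The same `find_backdoor_accounts` check can be run over an export of the MOVEit user table during the "delete unauthorized user accounts" step of the recommendations below; the request classifier is meant to run over historical proxy or WAF header captures, since default IIS logs do not record custom request headers.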
Recommendations
Progress Software Corporation offers several mitigations for safeguarding against potential exploitation of this vulnerability and best practices for network security:
- Please refer to the advisories for CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 to apply corresponding patches.
- Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
- Delete unauthorized files and user accounts and reset service account credentials.
- Continuously monitor networks for early detection in the event of a compromise.
- Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
- Update remote access policies to only allow inbound connections from known and trusted IP addresses, and use certificate-based access control.
- Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user’s account password is lost, stolen, or compromised.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Cisco Talos is releasing the following Snort SIDs to protect against this threat:
- 61876 - 61879
- 61936
- 300582, 300583
The following ClamAV signatures have been released to detect malware artifacts related to this threat:
- Win.Ransomware.Clop-6881304-0
- Win.Ransomware.Clop-6887770-0
IOCs
Webshell (LemurLoot)
702421bcee1785d93271d311f0203da34cc936317e299575b06503945a6ea1e0
9d1723777de67bc7e11678db800d2a32de3bcd6c40a629cd165e3f7bbace8ead
9e89d9f045664996067a05610ea2b0ad4f7f502f73d84321fb07861348fdc24a
d49cf23d83b2743c573ba383bf6f3c28da41ac5f745cde41ef8cd1344528c195
b1c299a9fe6076f370178de7b808f36135df16c4e438ef6453a39565ff2ec272
6015fed13c5510bbb89b0a5302c8b95a5b811982ff6de9930725c4630ec4011d
48367d94ccb4411f15d7ef9c455c92125f3ad812f2363c4d2e949ce1b615429a
2413b5d0750c23b07999ec33a5b4930be224b661aaf290a0118db803f31acbc5
e8012a15b6f6b404a33f293205b602ece486d01337b8b3ec331cd99ccadb562e
Related news
While Progress has released patches for the vulnerabilities, attackers are trying to exploit them before organizations have a chance to remediate.
Malwarebytes Labs, “Ransomware review: July 2023”: Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang.
Users need to patch the latest SQL injection vulnerability as soon as possible. Meanwhile, Cl0p's data extortion rampage gallops on.
Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities. The identified SQL injection vulnerability, tagged as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized
This Metasploit module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak to upload a .NET deserialization payload.
MOVEit has created a patch to fix the issue and urges customers to take action to protect their environments, as Cl0p attacks continue to mount, including on government targets.
Malwarebytes Labs, “MOVEit discloses THIRD critical vulnerability”: Progress has released an advisory about yet another MOVEit Transfer vulnerability while new victims of the first one keep emerging.
Progress MOVEit Transfer has a privilege escalation vulnerability that can be addressed with DLL drop-in version 2023.0.3 (15.0.3) and other specific fixed versions (stated below). The availability date of fixed versions of the DLL drop-in is earlier than the availability date of fixed versions of the full installer. The specific weakness and impact details will be mentioned in a later update to this CVE Record. These are fixed versions of the DLL drop-in: 2020.1.10 (12.1.10), 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3).
Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies. The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment." The
HackRead.com (Waqas), “UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released”: Ofcom, the UK communications regulator, is the latest victim of the infamous Cl0p extortion gang, who have been exploiting MOVEit vulnerabilities to target high-profile firms.
In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
Malwarebytes Labs, “More MOVEit vulnerabilities found while the first one still resonates”: A security audit of the MOVEit code has revealed more SQL injection vulnerabilities, while victims of the first vulnerability are coming to the surface.
Progress Software, the company behind the MOVEit Transfer application, has released patches to address brand new SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information. "Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection
Malwarebytes Labs, “Cl0p ransomware gang claims first victims of the MOVEit vulnerability”: The first victims of the ongoing attacks on vulnerable MOVEit Transfer instances are coming forward. The Cl0p ransomware gang claims it is behind the attacks.
Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as Lace Tempest. "Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team said in a series of tweets today. "CVE-2023-34362 allows attackers to
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.