Zero Day SQL Injection Attack Targeting MOVEit Transfer Vulnerability

A zero-day vulnerability in MOVEit Transfer file-transfer software has been spotted in recent attacks stealing data from organizations; the flaw, known as CVE-2023-34362, enables cybercriminals to read, alter, and delete database elements relating to the environment. The threat actors deploy customized web shells to steal Azure Blob Storage container credentials and other data. Over 2,500 exposed instances in the US are allowing attackers into organizations’ systems. Rapid7 has emphasized that patching will not be sufficient once threats to the environment have been identified, advising businesses to follow mitigation steps to prevent further malicious activity.

The MOVEit Transfer vulnerability (CVE-2023-34362) was first discovered in late May 2023, and since then, threat actors have been exploiting the critical flaw to perform mass data downloads from various organizations. It is believed that the Clop ransomware operation is behind the attacks.

Revision History

Microsoft has attributed the attacks to “Lace Tempest,” an alias of the Clop ransomware gang. This group previously targeted managed file transfer software, including zero-day exploits of GoAnywhere MFT in January 2023 and Accellion FTA servers in 2020.

To mitigate this threat, Progress, the developer of MOVEit Transfer, has recommended the following:

Suspend all HTTP and HTTPs traffic to your MOVEit Transfer setup

• Ensure to change your firewall rules to block HTTP and HTTPs traffic to MOVEit Transfer via ports 80 and 443 until you’ve installed the patch.

Be aware that until HTTP and HTTPS traffic is restored: 

• Users cannot access the MOVEit Transfer web UI
• MOVEit Automation tasks using the native MOVEit Transfer host will be inactive 
• REST, Java, and .NET APIs will be non-operational 
• The MOVEit Transfer add-on for Outlook will not function
• SFTP and FTP/s protocols will remain functional, and administrators will retain MOVEit Transfer access via remote desktop to the Windows machine, through accessing https://localhost/. For further guidance on localhost connections, refer to the MOVEit Transfer Help guide.

Review, Delete, and Reset

a. Delete Unauthorized Files and User Accounts 

• Eliminate instances of the human2.aspx and .cmdline script files. 
• Check for any newly created files in the C:\MOVEitTransfer\wwwroot\ directory on the MOVEit Transfer server. 
• Inspect for fresh files in the C:\Windows\TEMP[random]\ directory with a [.]cmdline file extension on the MOVEit Transfer server. 
• Get rid of any unauthorized user accounts. Read the Progress MOVEit Users Documentation for additional guidance. 
• Scrutinize logs for unexpected file downloads from unknown IPs or voluminous file downloads. For further information on analyzing logs, please see the MOVEit Transfer Logs guide.
• Examine IIS logs for any events comprising GET /human2.aspx. A significant number of log entries or entries with considerable data sizes may signify unforeseen file downloads. 
• If applicable, review Azure logs for unauthorized access to Azure Blob Storage Keys and mull over rotating any possibly affected keys. 

b. Reset Credentials 

• Reset service account credentials for impacted systems and the MOVEit Service Account. See KB 000115941 for more details.

Apply the Patch

Below are the patches that Progress released for Supported MOVEit Transfer versions. To learn if your version is supported, see a list of product lifecycles here.

To verify the integrity of your system, repeat the process of deleting unauthorized files and user accounts. Reset the service account credentials if any signs of compromise are found. Additionally, enable both HTTP and HTTPS traffic for your MOVEit Transfer environment. Lastly, implement continuous monitoring by keeping a close watch on network activity, endpoints, and logs for any Indicators of Compromise (IoCs).

While blocking ports and applying patches can help protect against future exploitation, it’s crucial to thoroughly investigate compromised environments for any existing indicators of compromise (IoCs) before using the fixes.

Organizations impacted by the attacks should expect extortion and potential publication of stolen data. The Clop ransomware gang generally waits a few weeks before emailing company executives with their demands, and if their demands are ignored, they threaten to sell the information on the black market.

In light of the ongoing threats, organizations need to be proactive in safeguarding their data by taking a few additional preventive measures:

1. Regularly update software and systems to ensure all security patches are applied, thus minimizing the attack surface that hackers can exploit.
2. Implement strong access controls, such as multi-factor authentication, to reduce the risk of unauthorized access to sensitive data and systems.
3. Monitor and analyze log files for any unusual activity and detect indicators of compromise (IoCs) in the environment.
4. Train employees and IT staff on recognizing and responding to potential cyber threats, including phishing emails, suspicious activity, and unauthorized access.
5. Establish and maintain a strong cybersecurity posture by investing in advanced tools like intrusion detection and prevention systems to protect your network from known and emerging threats.
6. Develop an incident response plan that outlines the steps to be taken in the event of a security breach, including immediate containment, thorough investigation, communication with stakeholders, and recovery efforts.

Furthermore, it would benefit organizations to stay informed about the evolving cybersecurity threat landscape and collaborate with authorities and other stakeholders to share information and best practices. This will help businesses to remain proactive and better prepare for any potential attacks, ensuring the safety and security of their valuable data and infrastructure.

By adopting these measures and maintaining vigilance, organizations can significantly reduce the risks associated with the MOVEit Transfer vulnerability and protect their critical assets from potential cyber-attacks.