Extortion actors have been actively exploiting a recently patched vulnerability in MOVEit Transfer, a file-transfer application that is widely used to transmit information between organizations. The nature of the software affected means that attackers can exploit unpatched systems to mount a supply chain attack against multiple organizations. While the original vulnerability (CVE-2023-34362) was patched on May 31, MOVEit Transfer’s developers announced on Friday (June 9) that multiple additional vulnerabilities (CVEs pending) have also been identified and patched.
Prior to its patching, attackers linked to the Clop ransomware operation were already exploiting CVE-2023-34362 as a zero-day vulnerability. Proof-of-concept code for the exploit is now publicly available, meaning other attackers are now likely to attempt to exploit unpatched systems.
What is MOVEit Transfer?
MOVEit Transfer is a managed file-transfer application developed by Progress Software. It is designed to permit secure transfer of files between businesses and their customers.
What is the nature of the vulnerability?
The original vulnerability (CVE-2023-34362) occurs in the MOVEit Transfer web application. It affected all versions prior to 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). “[An] attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” Progress said.
For how long was the vulnerability being exploited before it was patched?
According to a U.S. government advisory, active exploitation appears to have begun on May 27, 2023.
How has the vulnerability been exploited to date?
The vulnerability is being actively exploited by the Clop ransomware operation. According to a joint advisory issued by the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), the attackers exploited the vulnerability to install a web shell called Lemurloot (JS.Malscript!g1) on affected systems. This was then used to steal data from underlying databases.
Lemurloot was designed specifically to target the MOVEit Transfer platform. It authenticates incoming HTTPS requests via a hard-coded password; runs commands that will download files from the MOVEit Transfer database; extracts its Azure system settings; retrieves records; and can create, insert, or delete a particular user. When responding to a request, Lemurloot returns stolen data in a comfile format.
Shortly after the disclosure of the vulnerability, attackers linked to the Clop ransomware operation claimed responsibility for the attack and said that they had stolen data from multiple MOVEit users and their customers. It threatened to release the stolen data unless a ransom is paid.
What is known about Clop?
Clop is an extortion and ransomware operation run by a cyber-crime group known as Snakefly (aka TA505, FIN11). While the group initially extorted victims by encrypting files using its own ransomware payload (Ransom.Clop), in recent times it has been known to eschew encryption entirely and rely on the threat of leaking stolen data to extort its victims.
The group has a track record in exploiting zero-day vulnerabilities. In 2021, it was linked to the exploitation of multiple vulnerabilities in Accellion FTA, another file-transfer application. Earlier this year it was responsible for exploiting a zero-day vulnerability (CVE-2023-0669) in the GoAnywhere MFT platform.
How do Symantec products guard against exploitation of this vulnerability?
Symantec products will guard against exploit attempts and payloads with the following detections:
- Trojan Horse
- Attack: MOVEit Transfer RCE CVE-2023-34362
Data Center Security (DCS) default hardening policies such as sym_win_hardened_sbp provide 0-day protection for CVE-2023-34362. DCS policy control "Software Install Restrictions" for MS SQL, MS IIS and other hardened application sandboxes stop Clop ransomware from exploiting this vulnerability by preventing arbitrary deployment of webshells and unauthorized software.
Observed domains/IPs are covered under security categories.
For the latest protection updates, please visit the Symantec Protection Bulletin.
We encourage you to share your thoughts on your favorite social platform.