  • Cisco Talos is monitoring recent reports of exploitation attempts against CVE-2023-34362, a SQL injection zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) solution that has been actively targeted since late May 2023.
  • Successful exploitation could lead to remote code execution (RCE), allowing unauthenticated adversaries to execute arbitrary code to support malicious activity, such as disabling anti-virus (AV) solutions or deploying malware payloads.
  • The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot, to exfiltrate victims’ data and extort payments, and Microsoft has attributed these attacks to the same group, according to public reporting.
  • Two more vulnerabilities have since been found in MOVEit Transfer solutions, CVE-2023-35036 and CVE-2023-35708, although at this time they are reportedly not being actively exploited.

CVE-2023-34362 details and ongoing exploitation

On May 31, the Progress Software Corporation released a security advisory warning customers of a vulnerability in internet-facing and on-premises instances of their MOVEit Transfer solution, which could lead to escalated privileges and potential unauthorized access to an environment. The vulnerability, CVE-2023-34362, has been actively exploited since May 27, but the threat actors may have begun experimenting with it as early as 2021.

As of late May, there were approximately 2,500 exposed MOVEit instances primarily located in the U.S., according to public reporting, highlighting its prevalence in enterprise environments.

Vulnerability details

The MOVEit Transfer vulnerability, CVE-2023-34362, covers multiple flaws that an attacker can chain together to achieve RCE with elevated privileges. The first part of the exploit chain uses SQL injection to obtain a sysadmin API token. That token can then be used to call a deserialization function that does not properly validate input, allowing for remote code execution.

A second vulnerability, CVE-2023-35036, was subsequently assigned, and Progress Software released patches and an advisory addressing it. The patches for CVE-2023-35036 are intended to mitigate multiple parts of the exploit chain initially observed during exploitation of the first vulnerability, CVE-2023-34362.

On June 15, 2023, another vulnerability was identified, CVE-2023-35708. Progress Software is in the process of releasing installable patches for this issue although DLL drop-ins.

Ongoing exploitation

The Clop ransomware group released a public statement on their Tor data leak site on June 5, claiming responsibility for the attacks and threatening to publish victims’ data if the extortion demand is not paid. The group provided a deadline of June 14 for victims to initiate contact or else their company name would be posted on the data leak site as a warning. At this time, no data has been published but they have begun publicly naming and shaming affected companies.

In this activity, the Clop ransomware group exploited CVE-2023-34362 to install a previously unknown web shell now dubbed “LemurLoot”.

Written in C#, LemurLoot is designed to exfiltrate data and execute on systems running MOVEit Transfer. The web shell is deployed with a hardcoded, 36-character GUID-formatted value used to authenticate incoming connection requests from the threat actor. The authentication code value must be present in the “X-siLock-Comment” header field without which an HTTP 404 error code will be returned to the operator. If the value is correct, the web shell confirms it can accept taskings and connects to an attacker-controlled SQL server.

LemurLoot uses the header field “X-siLock-Step1” to receive commands from the operator. There are two well-defined commands: -1 and -2. The fields “X-siLock-Step2” and “X-siLock-Step3” are used to hold parameters to be used when no command has been defined.

Command “-1”: LemurLoot retrieves Azure system settings from MOVEit Transfer and performs SQL queries to retrieve files.

Command “-2”: LemurLoot deletes a user account with the LoginName and RealName set to "Health Check Service".

For any other values of “X-siLock-Step1,” the web shell will open the file specified by the folder name and file name in “X-siLock-Step2” and “X-siLock-Step3”, respectively, and retrieve it for the operator.

If no values of “X-siLock-Step2” and “X-siLock-Step3” are specified, then the web shell creates the “Health Check Service” admin user and creates an active session.
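
As an added defender-side example (not code from Talos, Progress Software or the web shell itself), the Python below classifies raw HTTP requests by the X-siLock-* header conventions described above, so a review of web-server logs or a proxy capture can flag each LemurLoot tasking type; the host, path and GUID in the sample traffic are constructed placeholders.

```python
import re
# Header names LemurLoot uses, per the post; the auth value is a 36-char GUID-formatted string.
AUTH_HEADER = "x-silock-comment"
STEP1, STEP2, STEP3 = "x-silock-step1", "x-silock-step2", "x-silock-step3"
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

def parse_headers(raw_request: str) -> dict:
    """Return {lower-cased name: value} for the header block of a raw HTTP request."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify_tasking(headers: dict):
    """Map headers onto the taskings the post describes; None = no X-siLock-* header."""
    if not any(k in headers for k in (AUTH_HEADER, STEP1, STEP2, STEP3)):
        return None
    auth = "guid-auth" if GUID_RE.match(headers.get(AUTH_HEADER, "")) else "no-guid-auth"
    step1 = headers.get(STEP1)
    if step1 is None:
        return f"{auth}: auth/probe only"
    if step1 == "-1":
        return f"{auth}: -1 retrieve Azure settings and files via SQL"
    if step1 == "-2":
        return f"{auth}: -2 delete 'Health Check Service' account"
    folder, name = headers.get(STEP2), headers.get(STEP3)
    if folder and name:  # any other Step1 value plus a folder/file pair
        return f"{auth}: file retrieval {folder}/{name}"
    return f"{auth}: create 'Health Check Service' admin user and session"

def scan_requests(raw_requests: list) -> list:
    """Return (index, verdict) for every request that carries LemurLoot headers."""
    results = [(i, classify_tasking(parse_headers(r))) for i, r in enumerate(raw_requests)]
    return [(i, v) for i, v in results if v is not None]

def _req(*extra: str) -> str:  # constructed sample request; host and path are placeholders
    hdrs = "".join(h + "\r\n" for h in extra)
    return "POST /shell.aspx HTTP/1.1\r\nHost: moveit.example\r\n" + hdrs + "\r\n"

GUID_HDR = "X-siLock-Comment: 12345678-abcd-ef01-2345-6789abcdef01"  # made-up GUID
SAMPLE_REQUESTS = [  # constructed traffic, not captured from a real incident
    _req(GUID_HDR, "X-siLock-Step1: -1"),
    _req(GUID_HDR, "X-siLock-Step1: -2"),
    _req(GUID_HDR, "X-siLock-Step1: 7", "X-siLock-Step2: Reports", "X-siLock-Step3: q1.xlsx"),
    _req(GUID_HDR, "X-siLock-Step1: 7"),  # no Step2/Step3: account-creation path
    _req("X-siLock-Comment: not-a-guid"),  # failed authentication attempt / probe
]
```

Any non-None verdict is worth an alert on its own, since the X-siLock-* names are the web shell's own convention rather than normal client traffic to MOVEit Transfer.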

Recommendations

Progress Software Corporation offers several mitigations for safeguarding against potential exploitation of this vulnerability and best practices for network security:

  • Please refer to the advisories for CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708 to apply corresponding patches.
  • Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
  • Delete unauthorized files and user accounts and reset service account credentials.
  • Continuously monitor networks for early detection in the event of a compromise.
  • Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known trusted IP addresses.
  • Update remote access policies to only allow inbound connections from known and trusted IP addresses, and use certificate-based access control.
  • Enable multi-factor authentication. Multi-factor authentication (MFA) protects MOVEit Transfer accounts from unverified users when a user's account password is lost, stolen, or compromised.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Cisco Talos is releasing the following Snort SIDs to protect against this threat:

Snort 2:

  • 61876 - 61879
  • 61936

Snort 3:

  • 61936
  • 300582, 300583

The following ClamAV signatures have been released to detect malware artifacts related to this threat:

  • Win.Ransomware.Clop-6881304-0
  • Win.Ransomware.Clop-6887770-0

IOCs

Webshell (LemurLoot)
