i³ Threat Advisory: MOVEit - CVE-2023-34362

ACT NOW TO MITIGATE RISK

  1. Monitor and reduce, where possible, the use of remote access tools.
  2. Implement application controls to manage and control execution of software, including allowlisting remote access programs.
  3. Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services.
  4. Disable command-line and scripting activities and permissions.
  5. Restrict the use of PowerShell via Group Policy, granting it only to specific users on a case-by-case basis.
  6. Update PowerShell or PowerShell Core to the latest version and disable older versions.
  7. Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  8. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  9. Reduce the threat of credential compromise by:
    • Placing domain admin accounts in the Protected Users group to prevent caching of password hashes locally.
    • Refraining from storing plaintext credentials in scripts.
  10. Implement time-based access for accounts set at the admin level and higher.

INTRODUCTION

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Cybersecurity Advisory on the ongoing exploitation of a vulnerability in Progress Software’s managed file transfer (MFT) solution, MOVEit Transfer (hereafter MOVEit). MOVEit manages an organization’s file transfer operations and exposes a web application that supports MySQL, Microsoft SQL Server, and Azure SQL database engines.

In May 2023, the CL0P ransomware group exploited CVE-2023-34362, a SQL injection zero-day, to install a web shell named LEMURLOOT on MOVEit web applications [T1190] [1]. The web shell was initially observed under the name human2.aspx, an attempt to masquerade as the legitimate human.aspx file that ships with MOVEit. DTEX advises customers to run the queries provided in this Threat Advisory within the DTEX InTERCEPT platform.

INVESTIGATION

Detection Queries

The following queries help surface potential indicators of compromise (IoCs) associated with this threat actor on host systems, as well as the presence or use of MOVEit software.

The following query surfaces whether MOVEit software exists anywhere in an environment where DTEX is deployed:

Process_Name:(*moveit*)

During exploitation, a newly staged human2.aspx file is written to the C:\MOVEitTransfer\wwwroot\ directory. The following query surfaces any activity involving that file name in the environment. Because human2.aspx was only the initially observed name, also review that directory for any other unexpected .aspx files:

Source_File_Name:(*human2*) OR Destination_File_Name:(*human2*)

The following strings, taken from the LEMURLOOT web shell, may appear in process parameters during exploitation. Note that Response.StatusCode is a standard ASP.NET property and will also occur in legitimate code, so treat hits on X-siLock and Encryption.OpenFileForDecryption as the higher-fidelity indicators:

Process_Parameters:(*X-siLock* OR *Response\.StatusCode* OR *Encryption\.OpenFileForDecryption*)
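The three queries above, re-expressed as a stand-alone host-side hunt so the logic can be checked outside the InTERCEPT platform. This is an added example and is not DTEX, Progress or CL0P code. The web root contents, the process records and their field names (process_name, parameters) are constructed stand-ins for the DTEX Process_Name and Process_Parameters fields; only the indicator strings and the human2/human.aspx naming come from the advisory.

```python
"""Hunt for the MOVEit / LEMURLOOT indicators listed in the advisory.

Added example, not DTEX code. Mirrors the three InTERCEPT queries:
  1. Process_Name:(*moveit*)
  2. Source/Destination_File_Name:(*human2*)
  3. Process_Parameters:(*X-siLock* OR *Response\\.StatusCode* OR *Encryption\\.OpenFileForDecryption*)
All sample data below is constructed for illustration.
"""
import os
import re
import tempfile

# Indicator strings named in the advisory (case-insensitive).
LEMURLOOT_PATTERNS = [
    re.compile(r"X-siLock", re.I),
    re.compile(r"Response\.StatusCode", re.I),
    re.compile(r"Encryption\.OpenFileForDecryption", re.I),
]
# human2.aspx masquerades as the legitimate human.aspx shipped with MOVEit.
SUSPECT_NAME = re.compile(r"human2", re.I)
# Server-side file types worth inspecting for web shell strings.
INSPECT_EXT = (".aspx", ".ashx", ".asmx", ".dll")


def scan_webroot(webroot):
    """Walk a wwwroot directory. Returns a list of findings:
    ("suspect_filename", path) for human2* names and
    ("lemurloot_strings", path, (pattern, ...)) for files containing indicators."""
    findings = []
    for root, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(root, name)
            if SUSPECT_NAME.search(name):
                findings.append(("suspect_filename", path))
            if name.lower().endswith(INSPECT_EXT):
                try:
                    with open(path, "rb") as fh:
                        text = fh.read().decode("utf-8", "ignore")
                except OSError:
                    continue  # unreadable file: skip rather than abort the hunt
                hits = tuple(p.pattern for p in LEMURLOOT_PATTERNS if p.search(text))
                if hits:
                    findings.append(("lemurloot_strings", path, hits))
    return findings


def moveit_present(records):
    """Equivalent of Process_Name:(*moveit*): True if any record's process
    name contains 'moveit' (case-insensitive)."""
    return any("moveit" in r.get("process_name", "").lower() for r in records)


def scan_processes(records):
    """Equivalent of the Process_Parameters query: return records whose
    command-line parameters contain any LEMURLOOT indicator string."""
    return [r for r in records
            if any(p.search(r.get("parameters", "")) for p in LEMURLOOT_PATTERNS)]


def build_sample_webroot():
    """Create a throwaway, constructed wwwroot: a benign human.aspx, a fake
    human2.aspx carrying indicator strings, and an unrelated html file."""
    root = tempfile.mkdtemp(prefix="moveit_wwwroot_")
    with open(os.path.join(root, "human.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n<!-- benign stand-in for the shipped page -->\n')
    with open(os.path.join(root, "human2.aspx"), "w") as fh:
        # Constructed stand-in; only the indicator strings matter here.
        fh.write('<%@ Page Language="C#" %><% if (Request.Headers["X-siLock-Comment"] == null) '
                 '{ Response.StatusCode = 404; } %>\n')
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html>ok</html>\n")
    return root


# Constructed process records standing in for DTEX telemetry (not real data).
SAMPLE_PROCESSES = [
    {"process_name": "moveit-svc.exe", "parameters": "--service"},
    {"process_name": "w3wp.exe", "parameters": "-ap MOVEitPool"},
    {"process_name": "w3wp.exe",
     "parameters": "-ap MOVEitPool Encryption.OpenFileForDecryption X-siLock-Step1"},
]


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for finding in scan_webroot(webroot):
        print("FILE", *finding)
    print("MOVEit present:", moveit_present(SAMPLE_PROCESSES))
    for rec in scan_processes(SAMPLE_PROCESSES):
        print("PROC", rec)
```

Point `scan_webroot` at the real C:\MOVEitTransfer\wwwroot\ on a suspect host and feed `scan_processes` an export of process command lines; the constructed sample exists only so the block runs offline.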

CONCLUSION

Criminal ransomware groups are always evolving their Tactics, Techniques, and Procedures (TTPs) and, when possible, use living-off-the-land (LOTL) techniques to avoid detection by EDR, particularly before the execution of ransomware. They typically do this after they have compromised an existing user account or created one of their own. These behavioral traits are key indicators for the DTEX platform to uncover, since once a threat actor has breached an organization they are operating as a malicious insider.

INVESTIGATIONS SUPPORT

For intelligence or investigations support, contact the i³ team.

RESOURCES

NIST National Vulnerability Database: NVD – CVE-2023-34362

The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

CISA Cybersecurity Advisory AA23-158A

The Cybersecurity & Infrastructure Security Agency (CISA) regularly releases timely and relevant information on trending threats facing American critical infrastructure. This CSA highlights the evolving threat and TTPs of the criminal ransomware operator Cl0p and its zero-day exploitation of MOVEit Transfer.

MITRE ATT&CK, Technique T1190

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

YARA Rules for MOVEit Transfer

YARA rules are a way of identifying malware (or other files) by writing rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection. It was designed to describe patterns that identify particular strains or entire families of malware.

The resource link provides YARA rules related to the Cl0p attack campaign that exploited the MOVEit Transfer vulnerability.

Huntress Blog on Rapid Response to CVE-2023-34362

Based on incident response conducted by John Hammond at Huntress, this blog gives insight into how this compromise typically unfolds and what it leaves behind.
