i³ Threat Advisory: MOVEit - CVE-2023-34362
ACT NOW TO MITIGATE RISK
- Monitor and reduce, where possible, the use of remote access tools.
- Implement application controls to manage and control execution of software, including allowlisting remote access programs.
- Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services.
- Disable command-line and scripting activities and permissions.
- Restrict the use of PowerShell via Group Policy, granting it only to specific users on a case-by-case basis.
- Update PowerShell or PowerShell Core to the latest version and disable older versions.
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Reduce the threat of credential compromise by:
  - Placing domain admin accounts in the Protected Users group to prevent caching of password hashes locally.
  - Refraining from storing plaintext credentials in scripts.
- Implement time-based access for accounts set at the admin level and higher.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Cybersecurity Advisory (CSA) on the ongoing exploitation of a vulnerability in Progress Software's managed file transfer solution, MOVEit Transfer (hereafter referred to as MOVEit). MOVEit is used to manage an organization's file transfer operations and has a web application that supports the MySQL, Microsoft SQL Server, and Azure SQL database engines.
In May 2023, the CL0P ransomware group exploited a SQL injection zero-day vulnerability, CVE-2023-34362, to install a web shell named LEMURLOOT on MOVEit web applications [T1190]. The web shell was initially observed under the name human2.aspx, chosen to masquerade as the legitimate human.aspx file that ships with the MOVEit software. DTEX advises customers to run the queries provided in this Threat Advisory within the DTEX InTERCEPT platform.
The following queries can be used to help surface potential IoCs related to the threat actor on host systems or to surface the existence or usage of MOVEit software.
The following query can be used to surface if the MOVEit software exists anywhere within an environment where DTEX has been deployed:
During exploitation a newly staged human2.aspx file is created within the C:\MOVEitTransfer\wwwroot\ directory. The following query should be used to surface any activity where the file name might exist within an environment:
Source_File_Name:(*human2*) OR Destination_File_Name:(*human2*)
The following strings may appear in process parameters during exploitation activity:
Process_Parameters:(*X-siLock* OR *Response\.StatusCode* OR *Encryption\.OpenFileForDecryption*)
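As an added example (not part of the DTEX advisory and not DTEX or Progress code), the two checks above can also be run as a stand-alone sweep on a MOVEit host that does not have the InTERCEPT agent: a file-name match equivalent to `*human2*` and a content match for the three indicator strings from the Process_Parameters query. It assumes the wwwroot layout from the advisory; the sample files it scans are constructed here and are not the real MOVEit pages or the real web shell.

```python
"""Host-side sweep for the two MOVEit/LEMURLOOT indicators discussed above:
(1) any file whose name contains "human2" (the web shell masqueraded as the
legitimate human.aspx), and (2) any file whose content contains the strings
from the Process_Parameters query.
Added example, not DTEX code. The sample wwwroot it builds is constructed."""
import re
import tempfile
from pathlib import Path

# Indicator strings taken from the advisory's Process_Parameters query.
IOC_STRINGS = ("X-siLock", "Response.StatusCode", "Encryption.OpenFileForDecryption")

# File-name check equivalent to Source_File_Name:(*human2*).
IOC_NAME_RE = re.compile(r"human2", re.IGNORECASE)


def scan_tree(root):
    """Walk `root` recursively and return a list of (path, reason) findings.

    A single file can produce two findings: one for its name and one for
    its content, so both indicators are reported independently."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if IOC_NAME_RE.search(path.name):
            findings.append((str(path), "filename matches *human2*"))
        try:
            data = path.read_bytes()
        except OSError:
            # Locked or unreadable files are skipped rather than aborting the sweep.
            continue
        # Decode leniently: ASPX files are text, but binaries (images, DLLs)
        # in wwwroot must not crash the scan.
        text = data.decode("utf-8", errors="replace")
        hits = [s for s in IOC_STRINGS if s in text]
        if hits:
            findings.append((str(path), "content contains " + ", ".join(hits)))
    return findings


def build_sample_wwwroot():
    """Construct a throwaway wwwroot with a benign human.aspx, a lookalike
    human2.aspx carrying the indicator strings, and a binary asset.
    All contents are constructed for this example; none is a real MOVEit file."""
    root = Path(tempfile.mkdtemp(prefix="moveit_wwwroot_"))
    (root / "human.aspx").write_text(
        '<%@ Page Language="C#" %>\n<!-- constructed stand-in for the legitimate page -->\n'
    )
    (root / "human2.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        "<!-- constructed lookalike; the strings below come from the advisory's query -->\n"
        "<!-- X-siLock Response.StatusCode Encryption.OpenFileForDecryption -->\n"
    )
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return root


def sweep_sample():
    """Build the constructed wwwroot and scan it; returns the findings list."""
    return scan_tree(build_sample_wwwroot())


if __name__ == "__main__":
    # On a real host you would call scan_tree(r"C:\MOVEitTransfer\wwwroot") instead.
    for path, reason in sweep_sample():
        print(f"{path}: {reason}")
```

On a live system, point `scan_tree` at `C:\MOVEitTransfer\wwwroot` and treat any hit as a trigger for the InTERCEPT queries above, since the file-name check alone misses a shell that has been renamed and the string check alone misses one whose strings were altered.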
Criminal ransomware groups are always evolving their Tactics, Techniques, and Procedures (TTPs) and, when possible, use living-off-the-land techniques to avoid detection by EDRs, particularly before the execution of ransomware. Fortunately, they typically do this only after they have compromised another user's account or created their own. These behavioral traits are key indicators for the DTEX platform to uncover, since once a threat actor has breached an organization they are operating as a malicious insider.
For intelligence or investigations support, contact the i³ team.
NIST National Vulnerability Database: NVD – CVE-2023-34362
The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.
The Cybersecurity & Infrastructure Security Agency (CISA) regularly releases timely and relevant information on trending threats facing American critical infrastructure. This CSA highlights the evolving threat and TTPs posed by the criminal ransomware operator Cl0p and its zero-day exploitation of MOVEit Transfer.
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection. It was developed to describe patterns that identify particular strains or entire families of malware.
The resource link provides YARA rules related to the Cl0p attack campaign that exploited the MOVEit Transfer vulnerability.
Based on incident response conducted by John Hammond at Huntress, this blog gives insight into how this compromise typically unfolds and what it looks like on a host.