i³ Threat Advisory: MOVEit - CVE-2023-34362

ACT NOW TO MITIGATE RISK

  1. Monitor and reduce, where possible, the use of remote access tools.
  2. Implement application controls to manage and control execution of software, including allow listing remote access programs.
  3. Strictly limit the use of Remote Desktop Protocol (RDP) and other remote desktop services.
  4. Disable command-line and scripting activities and permissions.
  5. Restrict the use of PowerShell, using Group Policy, and only grant to specific users on a case-by-case basis.
  6. Update PowerShell or PowerShell Core to the latest version and disable older versions.
  7. Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  8. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  9. Reduce the threat of credential compromise by:
    • Placing domain admin accounts in the Protected Users group to prevent caching of password hashes locally.
    • Refraining from storing plaintext credentials in scripts.
  10. Implement time-based access for accounts set at the admin level and higher.

INTRODUCTION

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a Cybersecurity Threat Advisory related to the ongoing exploitation of a vulnerability found within Progress Software’s managed file transfer solution known as MOVEit Transfer (hereby referred to as MOVEit). MOVEit is used to manage an organization’s file transfer operations and has a web application that supports MySQL, Microsoft SQL Server, and Azure SQL database engines.

In May 2023, the CL0P ransomware group exploited a SQL injection zero-day vulnerability, CVE-2023-34362, to install a web shell named LEMURLOOT on MOVEit web applications [T1190] [1]. The web shell was initially observed with the name human2.aspx in an effort to masquerade as the legitimate human.aspx file present as part of MOVEit software. DTEX advises customers to run the queries provided in this Threat Advisory within the DTEX InTERCEPT platform.

INVESTIGATION

Detection Queries

The following queries can be used to help surface potential IoCs related to the threat actor on host systems or to surface the existence or usage of MOVEit software.

The following query can be used to surface if the MOVEit software exists anywhere within an environment where DTEX has been deployed:

Process_Name:(*moveit*)

During exploitation, a newly staged human2.aspx file is created within the C:\MOVEitTransfer\wwwroot\ directory. The following query should be used to surface any activity where the file name might exist within an environment:

Source_File_Name:(*human2*) OR Destination_File_Name:(*human2*)

The following strings might be seen within the process parameters via activity from the exploitation:

Process_Parameters:(*X-siLock* OR *Response\.StatusCode* OR *Encryption\.OpenFileForDecryption*)
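
The three queries above can also be applied offline to exported activity records. The following is an added example, not DTEX code or part of the original advisory: it reuses the field names and wildcard terms from the queries, while the record layout, the Host field, the rule labels, the sample records, and case-insensitive matching are assumptions.

```python
# Added example: field names are taken from the advisory's queries; hosts,
# process names and rule labels are constructed for illustration.
from fnmatch import fnmatchcase

# rule label -> (fields to inspect, wildcard patterns); any field/pattern hit matches
RULES = {
    "moveit_present": (("Process_Name",), ("*moveit*",)),
    "human2_file": (("Source_File_Name", "Destination_File_Name"), ("*human2*",)),
    "exploit_strings": (
        ("Process_Parameters",),
        ("*X-siLock*", "*Response.StatusCode*", "*Encryption.OpenFileForDecryption*"),
    ),
}


def match_rules(record):
    """Return the sorted rule labels that one activity record satisfies."""
    hits = set()
    for label, (fields, patterns) in RULES.items():
        for field in fields:
            # Assumption: matching is case-insensitive; absent fields never match.
            value = str(record.get(field) or "").lower()
            if any(fnmatchcase(value, p.lower()) for p in patterns):
                hits.add(label)
    return sorted(hits)


def triage(records):
    """Group hits per host so file and string hits can be read together."""
    by_host = {}
    for rec in records:
        for label in match_rules(rec):
            by_host.setdefault(rec.get("Host", "unknown"), set()).add(label)
    return {host: sorted(labels) for host, labels in by_host.items()}


# Constructed sample records (not real telemetry).
SAMPLE = [
    {"Host": "FT-01", "Process_Name": "moveit-sample.exe"},
    {"Host": "FT-01", "Process_Name": "w3wp.exe",
     "Destination_File_Name": r"C:\MOVEitTransfer\wwwroot\human2.aspx"},
    {"Host": "FT-01", "Process_Name": "w3wp.exe",
     "Process_Parameters": "sample text containing X-siLock marker"},
    {"Host": "FT-02", "Process_Name": "moveit-sample.exe",
     "Source_File_Name": r"C:\MOVEitTransfer\wwwroot\human.aspx"},
    {"Host": "WS-07", "Process_Name": "notepad.exe"},
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE).items():
        print(host, labels)
```

A host that shows human2_file or exploit_strings alongside moveit_present deserves review first; the legitimate human.aspx on FT-02 does not trigger the file rule.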

CONCLUSION

Criminal ransomware groups are always evolving their Tactics, Techniques, and Procedures (TTPs) and, when possible, often use living-off-the-land techniques as a way to avoid detection by EDRs, particularly before the execution of ransomware. Fortunately, they will often do this once they have successfully compromised another user account or created their own. These behavior traits are key indicators for the DTEX platform to uncover, since once a threat actor has breached an organization they are then just operating as a malicious insider.

INVESTIGATIONS SUPPORT

For intelligence or investigations support, contact the i³ team.

RESOURCES

NIST National Vulnerability Database: NVD – CVE-2023-34362

The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

CISA Cybersecurity Advisory AA23-158A

The Cybersecurity & Infrastructure Security Agency (CISA) regularly releases timely and relevant information on trending threats facing American Critical Infrastructure. This CSA highlights the evolving threat and TTPs posed by the Criminal Ransomware Operator, Cl0p, and the zero-day exploitation of MOVEit Transfer.

MITRE ATT&CK, Technique T1190

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

YARA Rules for MOVEit Transfer

YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of VirusTotal and is mainly used in malware research and detection. It was developed with the idea of describing patterns that identify particular strains or entire families of malware.

The resource link provides YARA rules related to the Cl0p attack campaign that used the MOVEit Transfer vulnerability.

Huntress Blog on Rapid Response to CVE-2023-34362

Based on the response conducted by John Hammond at Huntress, this blog gives insight into what could typically unfold in this compromise and how.

i³ Mission

DTEX i³ Mission Statement

DTEX i³’s mission is to uplift enterprise security by proactively detecting and mitigating insider risks.

Combining 20 years of insider risk experience with our potential risk indicators, we empower organizations to stay resilient, and maintain control of their public narrative and global success.

Importantly, DTEX i³ often discovers wider security threats that extend beyond insider risks. Such external threats are typically the outcome of an insider incident, not the intention of the insider.

In both cases, DTEX i³ prioritizes detection and deterrence, helping organizations do away with reactive incident response.
