What is CVE-2023-34362?
CVE-2023-34362 is a critical zero-day vulnerability discovered in MOVEit Transfer, a managed file transfer (MFT) software developed by Progress Software. Used widely for secure file transfers, MOVEit Transfer counts approximately 1,700 software companies as users, including the US Department of Homeland Security. This vulnerability is a SQL injection flaw, opening the gates for unauthorized access and manipulation of the database and its content.
Threat Summary
The Lace Tempest group, notorious for ransomware operations and operating the Clop extortion site, has been attributed by Microsoft for exploiting the CVE-2023-34362 vulnerability. The exploitation leads to the deployment of a web shell named "human2.aspx", inserted into the "wwwroot" directory. This web shell is capable of listing all folders, files, and users within MOVEit, downloading any file within the software, and establishing an administrative backdoor user, allowing attackers to maintain persistence. The aftermath of this exploitation has been alarming, with mass exploitation and data exfiltration observed by Mandiant, a leading cybersecurity firm.
Technical Overview
Once the SQL injection vulnerability is successfully exploited, the attackers deploy the web shell "human2.aspx" in the "wwwroot" directory. This web shell is a tool of persistence, helping the attackers maintain access and evade detection by inserting an administrative backdoor user and adding a new admin user account session named "Health Check Service." Various malicious actions can be executed based on the value of the 'X-siLock-Step1', 'X-siLock-Step1', and 'X-siLock-Step3' network request headers.
The exploitation has resulted in significant data exfiltration, indicating widespread attacks. The attackers managed to exploit the vulnerability even before Progress Software could release patches, making it essential for impacted organizations to thoroughly review their environments for any indicators of compromise.
Given the risk, it is strongly advised that organizations using MOVEit Transfer take immediate mitigation measures, including installing patches, monitoring for signs of exploitation, and conducting thorough investigations. This includes checking for the presence of the "human2.aspx" web shell, unusual outbound network transfers, and the unauthorized "Health Check Service" user account.
To arm yourself against such a threat and to leverage the power of knowledge, why not consider getting the free hunting content for this vulnerability? Our dedicated detection engineering and research teams at Cyborg Security are actively developing Hunt Packages to aid in the detection of this threat. Sign up for a free account here, and gain access to hunting content for this vulnerability, along with other insightful resources. Stay a step ahead in your cybersecurity journey.