What you need to know
- Unpatched versions of the MOVEit Transfer file management web application are critically vulnerable to SQL injection (reported as CVE-2023-34362).
- The vulnerability affects all versions of MOVEit Transfer earlier than 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
- Since at least May 27th, the vulnerability has been exploited in the wild on a large scale by a known cybercrime group. Criminals are extracting any data they can grab after installing the LEMURLOOT web shell as a backdoor.
- All organizations using MOVEit Transfer are advised to immediately block all HTTP traffic to and from the application, investigate for signs of compromise, and apply the official fix (see official vendor guidance).
As the US settled in for a long Memorial Day weekend on May 27th, 2023, researchers at Mandiant started tracking incidents involving remote exploitation of a zero-day vulnerability followed by data theft from MOVEit Transfer, a managed file transfer application from Progress Software Corporation. On May 31st, Progress disclosed the underlying issue – an SQL injection vulnerability assigned CVE-2023-34362 – and published fixes for all affected versions.
Reports soon started coming in of several large organizations suffering data breaches related to the vulnerability, and CISA promptly added the weakness to its catalog of known exploited vulnerabilities. As of this writing, the personal information of at least 100,000 individuals is known to have been stolen, on top of unknown but large amounts of corporate data that may be used for future extortion or ransomware schemes.
Who is affected today or may soon be affected
Progress itself claims that MOVEit Transfer is used by “thousands of organizations worldwide,” including enterprises and government entities. Any organization using a pre-May-31st version of MOVEit Transfer may be vulnerable and should take immediate action to lock down HTTP traffic to and from the application, investigate for signs of compromise, and update to a fixed version. While confirmed attacks started in late May, some reports suggest the first indications of attack probes go as far back as early March, so that’s when log analysis should begin.
The BBC has reported several UK organizations have already confirmed data breaches (including the BBC itself). The Mandiant report suggests the current attacks are opportunistic rather than targeted, with cybercriminals rapidly siphoning off as much data as possible, often within 5 minutes of initial exploitation. Microsoft is attributing the attacks to known ransomware threat actor Lace Tempest (aka Cl0p), so the data theft is primarily expected to result in extortion attempts and other financial demands against organizations. Individuals whose personal data has been stolen from a compromised database may not be targeted directly but could still be at risk of fraud or identity theft if that information is sold on later.
How the MOVEit Transfer hack works
As documented so far, the attack starts with SQL injection that allows access to an organization’s MOVEit database. While this in itself would be sufficient to extract some data, the main danger comes from a customized LEMURLOOT web shell that is associated with the file human2.aspx, named to mimic one of the legitimate MOVEit files. Once installed, this establishes a back door that allows attackers to access the underlying Azure Storage account, browse available information, and move out data in large amounts.
The vulnerability reported by Progress only mentions SQL injection, but the confirmed use of a web shell suggested that SQLi only provides an initial foothold which then allows for remote code execution (RCE) or command injection, perhaps combined with a separate file upload vulnerability. Investigation by John Hammond has confirmed that the attack chain includes RCE to compile the web shell as a DLL file based on the data provided in human2.aspx.
The LEMURLOOT web shell communicates with its operator over HTTP, using custom HTTP header fields to receive commands and return data. The shell is tailored to MOVEit environments, allowing attackers to browse available files, create a temporary user account, extract Azure settings, and download data.
Remediation and hardening for MOVEit Transfer users
As with any attack that involves a web shell or other persistent backdoor, the procedure is to block, clean, and patch. In this case, this means isolating MOVEit Transfer from all HTTP traffic, looking for signs of compromise (attack traffic in logs and/or known web shell files on the server), updating to the fixed version, restarting, and monitoring for any suspicious activity. Note that local administrator access via FTP is still possible while HTTP is locked down. Mandiant has prepared a detailed containment and hardening guide for MOVEit Transfer users affected by the vulnerability.
Final thoughts: SQL injection is not dead – not by a long way
Considering that it’s only been a week since official disclosure and the list of private and public sector entities that use MOVEit Transfer is extensive, we can expect to hear a lot more about this vulnerability and the data breaches it brings. Beyond the usual advice to apply security patches immediately and monitor systems for suspicious activity, this crisis hammers home two reminders: that SQL injection is still a thing and that threat actors are exploiting popular third-party tools as force multipliers to attack multiple organizations with one toolkit.
While tech conversations tend to focus on more sexy database tech like NoSQL or the various distributed storage solutions, the reality is that SQL databases are still where the majority of the world’s data lives – so that’s what malicious actors are targeting. For all the “it’s 2023 and people are still introducing SQLi vulnerabilities” talk, research like the recent Invicti AppSec indicator confirms that these flaws, while not as common as a decade ago, are definitely not going away, and that security testing is a must to prevent them from making it into production. This latest hack also illustrates that SQLi can serve as an entry point for far more elaborate and dangerous attacks.
The other moral of the story is that cybercrime groups are always looking for maximum returns from their efforts. Instead of attacking organizations head-on, they will often try to carefully compromise a popular third-party product and use it as a backdoor into thousands of victims’ systems. From SolarWinds Orion through Kaseya to this latest attack, supply-chain attacks are here to stay – because they provide bad actors with exponentially more bang for their buck.