MOVEit transfer exploited to drop file-stealing SQL Shell
June 2023 by SentinelLabs
SentinelOne has observed in-the-wild (ITW) exploitation of CVE-2023-34362, a SQL injection vulnerability in Progress Software’s MOVEit Transfer file transfer server application. The attack delivers a Microsoft IIS .aspx payload (a webshell) that enables limited interaction between the affected web server and any Azure blob storage connected to it. On 5 June 2023, the Cl0p ransomware group claimed responsibility for these attacks, though SentinelOne notes that the targeting of a file transfer application vulnerability resembles other exploitation conducted by financially motivated actors throughout early 2023.
SentinelOne’s analysis provides technical details of the attack chain along with hunting queries and a PowerShell script that can be used to scan for potential exploitation of the MOVEit transfer vulnerability.
Through the last week of May and early June 2023, SentinelOne observed active exploitation of Windows servers running vulnerable versions of Progress Software’s MOVEit Transfer file server application. The attack delivers a minimal webshell that the attacker can use to exfiltrate the contents of files, including files hosted in Microsoft Azure when the targeted MOVEit instance is configured to use Azure’s blob storage service.
While exploitation is likely opportunistic, SentinelOne observed attacks against more than 20 organisations in various sectors, with Managed Security Service Providers (MSSP) and Managed Information Technology Service Providers (MSP) impacted most frequently.
The vulnerability impacts the following versions of MOVEit Transfer:
• MOVEit Transfer 2023.0.0: fixed in 2023.0.1
• MOVEit Transfer 2022.1.x: fixed in 2022.1.5
• MOVEit Transfer 2022.0.x: fixed in 2022.0.4
• MOVEit Transfer 2021.1.x: fixed in 2021.1.4
• MOVEit Transfer 2021.0.x: fixed in 2021.0.6
SentinelOne recommends that organisations using MOVEit Transfer upgrade affected systems immediately. Where an upgrade cannot be performed, the system should be taken offline until it can be. Businesses also need to ensure that the security team can access and analyse application logs from servers running MOVEit Transfer, including the Microsoft IIS logs, since the dropped webshell is reached through ordinary web requests to the IIS server and those requests are where evidence of exploitation will appear.
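As an added illustration of the two checks this advice implies (example code written for this page, not a script from SentinelLabs or Progress): the first function compares an installed MOVEit Transfer build against the fixed builds listed above and treats any branch not on that list as unconfirmed; the second parses IIS W3C log lines, taking the column order from the log's own `#Fields:` directive, and summarises requests to .aspx pages so that a rarely requested, unexpected .aspx file posted to by a single client stands out for manual review. The log excerpt, the placeholder stem `/unknownpage.aspx` and the IIS log path in the closing comment are constructed assumptions; the fixed-build table is the one given above.

```powershell
# Added example, not code from the SentinelLabs report or from Progress.
# Part 1: is a MOVEit Transfer build below the fixed build for its release branch?
# Part 2: summarise .aspx requests in IIS W3C logs so unexpected pages stand out.

# First fixed build per release branch, as listed in the advisory above.
$FixedBuilds = @{
    '2023.0' = [version]'2023.0.1'
    '2022.1' = [version]'2022.1.5'
    '2022.0' = [version]'2022.0.4'
    '2021.1' = [version]'2021.1.4'
    '2021.0' = [version]'2021.0.6'
}

function Test-MoveitVulnerable {
    # Returns $true when the build is below the fixed build for its branch.
    # Branches absent from the table are reported as vulnerable: nothing in
    # the list above confirms them fixed, so the conservative answer is used.
    param([Parameter(Mandatory)][string]$Version)
    $v = [version]$Version
    $branch = '{0}.{1}' -f $v.Major, $v.Minor
    if (-not $FixedBuilds.ContainsKey($branch)) { return $true }
    return ($v -lt $FixedBuilds[$branch])
}

function Get-AspxRequestSummary {
    # Parses IIS W3C extended log lines. Column order comes from the
    # '#Fields:' directive in the log itself rather than being assumed.
    param([Parameter(Mandatory)][string[]]$LogLines)
    $columns = $null
    $byStem  = @{}
    foreach ($line in $LogLines) {
        if ($line.StartsWith('#Fields:')) {
            $columns = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if (-not $columns -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -ne $columns.Count) { continue }   # malformed or truncated row
        $row = @{}
        for ($i = 0; $i -lt $columns.Count; $i++) { $row[$columns[$i]] = $fields[$i] }
        $stem = $row['cs-uri-stem'].ToLowerInvariant()
        if (-not $stem.EndsWith('.aspx')) { continue }
        if (-not $byStem.ContainsKey($stem)) {
            $byStem[$stem] = [pscustomobject]@{
                Stem      = $stem
                Requests  = 0
                Posts     = 0
                Clients   = [System.Collections.Generic.HashSet[string]]::new()
                FirstSeen = '{0} {1}' -f $row['date'], $row['time']
            }
        }
        $entry = $byStem[$stem]
        $entry.Requests++
        if ($row['cs-method'] -eq 'POST') { $entry.Posts++ }
        [void]$entry.Clients.Add($row['c-ip'])
    }
    # Rarest stems first: a page hit a handful of times by one client,
    # mostly via POST, is the pattern worth reviewing by hand.
    $byStem.Values |
        Sort-Object Requests |
        Select-Object Stem, Requests, Posts, @{n='Clients'; e={ $_.Clients.Count }}, FirstSeen
}

# ---- Demonstration on constructed input (not real victim data) ----
foreach ($ver in '2023.0.0', '2023.0.1', '2022.1.4', '2021.0.6', '2020.1.6') {
    '{0,-10} vulnerable: {1}' -f $ver, (Test-MoveitVulnerable $ver)
}

# Constructed IIS log excerpt. '/unknownpage.aspx' is a placeholder for a stem
# that is not part of the stock install; it is not a real indicator.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-28 03:14:02 10.0.0.5 GET /human.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 120
2023-05-28 03:14:09 10.0.0.5 POST /human.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 302 0 0 88
2023-05-28 03:15:41 10.0.0.5 GET /human.aspx - 443 - 198.51.100.21 Mozilla/5.0 - 200 0 0 131
2023-05-28 03:16:03 10.0.0.5 POST /unknownpage.aspx - 443 - 203.0.113.7 - - 200 0 0 17
2023-05-28 03:16:05 10.0.0.5 POST /unknownpage.aspx - 443 - 203.0.113.7 - - 200 0 0 22
'@ -split "`r?`n"

Get-AspxRequestSummary -LogLines $sampleLog | Format-Table -AutoSize

# Against a live server (the path is an assumption; point it at your IIS site's log folder):
# Get-AspxRequestSummary -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log') | Format-Table -AutoSize
```

The version check is a screen, not a substitute for confirming the installed build against the vendor advisory, and the log summary deliberately avoids a hard-coded allow-list of stock pages: it surfaces outliers for an analyst rather than deciding for them.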
Based on the activity observed by SentinelOne, the team believes the attacker’s goal is to establish access to as many victim environments as possible to conduct file exfiltration at scale.
While the Cl0p ransomware group claimed credit for these attacks, SentinelOne notes that these techniques align with a broader trend of financially motivated attacks against web servers running vulnerable file transfer software. This category of activity includes attacks against Aspera Faspex software that delivered IceFire ransomware earlier in 2023, as well as attacks attributed to Cl0p that exploited a 0-day flaw in the GoAnywhere managed file transfer (MFT) application. Based on the relative increase in file transfer server attacks that use 0-day and N-day exploits, there is likely an abundant exploit development ecosystem focused on enterprise file transfer applications.
The actor’s choice to use the MOVEit flaw to target files in Azure cloud storage is notable if this activity is solely associated with the Cl0p ransomware group. Cloud-focused extortion actors such as BianLian and Karakurt use multipurpose file management tools like Rclone and FileZilla. A bespoke webshell designed to steal Azure files through SQL queries specific to the targeted environment is a notable departure from that established norm and suggests the tooling was developed and tested well in advance of the ITW attacks.