More information is coming to light after news last week that a critical vulnerability in a secure file transfer Web application called MOVEit Transfer was being exploited by hackers. Microsoft tied some of the attacks to a threat actor associated with the Clop ransomware gang.
“Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer zero-day vulnerability to Lace Tempest, known for ransomware operations and running the Clop extortion site,” Microsoft’s Threat Intelligence team said on Twitter. “The threat actor has used similar vulnerabilities in the past to steal data and extort victims.”
This is not the first time that attackers associated with the Clop ransomware operation have exploited vulnerabilities in enterprise managed file transfer (MFT) tools. In January the gang exploited a zero-day remote-code execution vulnerability (CVE-2023-0669) in GoAnywhere MFT and claimed to have stolen data from 130 organizations. In 2020, members of the gang exploited a zero-day flaw in Accellion File Transfer Appliance (FTA).
The MOVEit Transfer campaign might have an even larger impact since there are around 3,000 deployments of this application exposed to the internet compared to around 1,000 of GoAnywhere. Zellis, a UK payroll provider used by companies such as British Airways, Boots, and the BBC, has already confirmed a breach through the MOVEit vulnerability. Google-owned threat intelligence and incident response company Mandiant reported that the attacks started on May 27 and already impacted organizations operating in a wide range of industries based in Canada, India, and the US.
Web shells leading to data theft
According to Microsoft, following the successful exploit, the attackers authenticate as the highest privileged user on the system and deploy a web shell with data exfiltration capabilities. Mandiant has dubbed the shell LEMURLOOT and said it is designed to interact with the MOVEit platform.
The web shell expects a certain string included in request headers which acts as a password to authenticate the attackers and allow them to issue commands. One of the commands instructs the script to retrieve the Azure-related settings from the MOVEit Transfer application, including the Azure Blob storage account and associated key. This allows the attackers to then perform SQL queries to enumerate the folders and files stored on Azure and retrieve any of them in compressed form.
According to an updated analysis by researchers from security firm Rapid7, all the observed compromises deployed the web shell with the name human2.aspx in the wwwroot folder of the MOVEit install directory. A legitimate file called human.aspx also exists and is part of the MOVEit web interface.
The Rapid7 researchers have also identified a way to determine which files have been exfiltrated by the attackers. MOVEit can keep Windows event logs and some customers enable this functionality, which will result in information being recorded in a file called C:\Windows\System32\winevt\Logs\MOVEit.evtx. If it exists, this file should contain information about file downloads such as file name, file path, file size, IP address, and username that performed the download.
The MOVEit application also stores audit logs in its database and these can be queried to obtain similar information. The team from Progress Software, the developer of MOVEit Transfer, pointed out that administrators can build a custom report using the application’s built-in reporting functionality to list all file downloads for the months of May and June:
Criteria: Action = 'file_download' AND (LogTime LIKE '2023-05%' OR LogTime LIKE '2023-06%')
While the web shell particularly targets Azure databases, any database engine supported by MOVEit can be exploited through the CVE-2023-34362 vulnerability so organizations should deploy the available patch as soon as possible.
According to researchers from security firm CrowdStrike, a post-mortem investigation can also be done using the records stored in the MOVEit database, which the web shell abuses by creating a new user, or hijacking an existing one, with permission level 30. The database can therefore be queried to identify privileged users of interest; queries for MSSQL and MySQL are included in their report.
The activesessions table in the database can also be queried for suspicious activity and the log table can be queried for action=file_download events to see which files have been downloaded over the relevant period of time when the attack took place.
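The database-side triage described above (the Progress report criteria for May and June downloads, and the CrowdStrike check for permission-level-30 users) can be rehearsed offline before touching a production MOVEit database. The following is an added example, not code from Progress, CrowdStrike, or the article: it builds a small SQLite stand-in with constructed rows. The table name `log` and the column names `Action` and `LogTime` come from the article's report criteria; the `users` table and the `Username`, `IPAddress`, `FileName` and `Permission` column names are assumptions standing in for whatever the real MOVEit schema uses, so adapt them before running the queries for real.

```python
import sqlite3
from collections import Counter

# Constructed sample data standing in for MOVEit audit records (not real rows).
# Table/column names other than log.Action and log.LogTime are assumptions.
SAMPLE_LOG_ROWS = [
    ("2023-04-30 23:59:00", "file_download", "jdoe", "192.0.2.44", "q1-report.xlsx"),
    ("2023-05-28 03:11:02", "file_download", "sysadmin_x", "203.0.113.10", "payroll-2023.csv"),
    ("2023-05-28 03:12:40", "file_download", "sysadmin_x", "203.0.113.10", "hr-export.zip"),
    ("2023-05-28 09:30:11", "file_upload", "jdoe", "192.0.2.44", "invoice.pdf"),
    ("2023-06-01 08:00:00", "file_download", "jdoe", "192.0.2.44", "invoice.pdf"),
]
SAMPLE_USER_ROWS = [("jdoe", 20), ("sysadmin_x", 30), ("admin", 30)]


def build_sample_db():
    """Create an in-memory SQLite database with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE log (LogTime TEXT, Action TEXT, Username TEXT,
                          IPAddress TEXT, FileName TEXT);
        CREATE TABLE users (Username TEXT, Permission INTEGER);
        """
    )
    conn.executemany("INSERT INTO log VALUES (?, ?, ?, ?, ?)", SAMPLE_LOG_ROWS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USER_ROWS)
    return conn


def recent_downloads(conn, months=("2023-05", "2023-06")):
    """Apply the Progress report criteria: Action = 'file_download' AND a
    LogTime prefix match for each month of interest. Months are bound as
    parameters, so the LIKE patterns never come from string formatting."""
    clauses = " OR ".join("LogTime LIKE ?" for _ in months)
    sql = (
        "SELECT LogTime, Username, IPAddress, FileName FROM log "
        f"WHERE Action = 'file_download' AND ({clauses}) ORDER BY LogTime"
    )
    return conn.execute(sql, [m + "%" for m in months]).fetchall()


def downloads_by_ip(conn, months=("2023-05", "2023-06")):
    """Count qualifying downloads per source IP; an unexpected address
    pulling many files in a short window is what an investigator looks for."""
    return dict(Counter(row[2] for row in recent_downloads(conn, months)))


def privileged_users(conn, level=30):
    """List every account at the permission level the web shell is reported to
    create or hijack, for manual review against the known administrator set."""
    rows = conn.execute(
        "SELECT Username FROM users WHERE Permission = ? ORDER BY Username", (level,)
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for row in recent_downloads(db):
        print(row)
    print(downloads_by_ip(db))
    print(privileged_users(db))
```

On the constructed rows the April download and the May upload drop out, three downloads remain, and two of them come from one address under an account that holds permission level 30; both observations are then cross-checked against the legitimate administrator list rather than treated as proof on their own.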
Separately, logs from the IIS web server can also be used in the forensic analysis to determine attacker IP addresses. Entries with cs_uri_stem=/download that have a cs_Referer from human.aspx and contain an IP address rather than a domain name could have attacker-owned IP addresses in the c_ip field, the researchers said.
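The IIS heuristic above (downloads whose referer is human.aspx served from a bare IP address rather than the site's domain) is easy to run over exported W3C logs. The following is an added example, not code from CrowdStrike or the article: it parses the `#Fields:` header so field order does not matter, applies the referer check, and, going one step beyond the page's heuristic, also lists clients that requested the `human2.aspx` file name Rapid7 reported for the web shell. The log excerpt is constructed for illustration and uses documentation-range IP addresses.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlparse

# Constructed W3C extended log excerpt (not a real server log). IIS writes
# spaces inside a field as '+', so splitting on whitespace is safe.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2023-05-28 03:11:02 10.0.0.5 GET /download - 443 - 203.0.113.10 Mozilla/5.0 https://198.51.100.7/human.aspx 200
2023-05-28 09:30:11 10.0.0.5 GET /download - 443 jdoe 192.0.2.44 Mozilla/5.0 https://transfer.example.com/human.aspx 200
2023-05-28 03:12:40 10.0.0.5 GET /download - 443 - 203.0.113.10 python-requests/2.28 https://198.51.100.7/human.aspx 200
2023-05-28 10:00:00 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.10 curl/8.0 - 200
"""


def parse_iis_log(text):
    """Turn W3C log text into a list of dicts keyed by the #Fields names."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        entries.append(dict(zip(fields, values)))
    return entries


def referer_host_is_ip(referer):
    """True when the referer's host part is an IP literal, not a host name."""
    host = urlparse(referer).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_download_ips(entries):
    """Client IPs for /download requests referred from human.aspx on an IP
    host, with counts; a normal browser session carries the site's domain."""
    hits = [
        e["c-ip"]
        for e in entries
        if e.get("cs-uri-stem") == "/download"
        and e.get("cs(Referer)", "-").endswith("/human.aspx")
        and referer_host_is_ip(e["cs(Referer)"])
    ]
    return dict(Counter(hits))


def webshell_requests(entries):
    """Distinct client IPs that requested the reported web shell file name."""
    seen = []
    for e in entries:
        if e.get("cs-uri-stem", "").lower().endswith("/human2.aspx") and e["c-ip"] not in seen:
            seen.append(e["c-ip"])
    return seen


if __name__ == "__main__":
    parsed = parse_iis_log(SAMPLE_IIS_LOG)
    print(suspicious_download_ips(parsed))
    print(webshell_requests(parsed))
```

Point the parser at a real `u_ex*.log` export and the two result sets become the candidate addresses to correlate with the database findings and the WAF or flow logs the article recommends retaining; a domain-based referer, as in the second sample line, is not flagged.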
In cases where a compromise is suspected, the recommendation is to create an image of the MOVEit Transfer web server system including the wwwroot data, create a backup dump of the MOVEit database, and retain available network logs (WAF, firewall, NetFlow, ELB, ALB, NSG Flow, VPC Flow, etc.).
“While Mandiant currently has insufficient evidence to attribute this recent activity to a known threat actor, it is reminiscent of prior mass exploitation events targeting file transfer software and leading to FIN11-attributed data theft extortion via the CL0P^_- LEAKS data leak site (DLS),” Mandiant said in its report, hinting at a likely Clop connection. “In multiple cases, several weeks after the attackers steal data, FIN11 sent emails demanding an extortion payment in return for not publishing the data on the CL0P^_- LEAKS DLS.”
Copyright © 2023 IDG Communications, Inc.