MOVEit Transfer is managed file transfer (MFT) software that organizations use to move files securely and efficiently. However, a critical zero-day vulnerability in MOVEit Transfer has been exploited by threat actors to steal data from organizations across many industries and regions.
The vulnerability, identified as CVE-2023-34362, is a SQL injection flaw that affects the MOVEit Transfer web application. An unauthenticated, remote attacker can exploit this flaw by sending a specially crafted request to a vulnerable MOVEit Transfer instance. Successful exploitation would grant the attacker access to the underlying MOVEit Transfer instance and the database containing sensitive information.
Attack Method and Threat Actors
According to reports, evidence of exploitation first appeared on May 27, 2023, leading to the deployment of web shells and subsequent data theft. The threat actors behind this campaign, designated as UNC4857 by Mandiant, remain unidentified but have been observed leveraging this vulnerability extensively.
Web Shell LEMURLOOT
UNC4857 utilizes a web shell called LEMURLOOT, disguised as “human.aspx,” a legitimate component of the MOVEit Transfer software. LEMURLOOT provides functionality tailored to execute on MOVEit Transfer systems, including file and folder enumeration, configuration information retrieval, and the creation or deletion of a user with a hardcoded name.
Data Theft and Azure Integration
Initial analysis suggests that LEMURLOOT is primarily used to steal previously uploaded data from individual MOVEit Transfer systems. Mandiant has documented cases where significant volumes of files have been stolen from victims’ MOVEit Transfer systems. Additionally, LEMURLOOT can pilfer Azure Storage Blob information, including credentials from MOVEit Transfer application settings, implying that actors exploiting this vulnerability may be targeting files stored in Azure Blob storage.
This is not the first instance of a zero-day vulnerability in an MFT solution being exploited in 2023. In February, Fortra (formerly HelpSystems) disclosed a pre-authentication command injection zero-day vulnerability in its GoAnywhere MFT solution, which was also utilized for data theft. The discovery and exploitation of these zero-day vulnerabilities in MFT solutions pose a severe threat to organizations relying on them for secure file transfer, jeopardizing sensitive data such as financial records, personal information, intellectual property, and health records.
To mitigate this threat, organizations should promptly apply the latest patches provided by Progress Software for MOVEit Transfer. Progress Software has also issued workarounds and mitigations for customers unable to apply patches immediately. Additionally, organizations should monitor their MOVEit Transfer systems for signs of compromise or suspicious activity, such as unusual network traffic or file transfers.
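As an added illustration (not code from the article, Mandiant or Progress Software), the following Python script turns the monitoring advice above into two concrete checks on a MOVEit Transfer host: it compares the .aspx files in the web root against a known-good baseline, so a web shell disguised as an application page stands out, and it scans IIS W3C log lines for requests to .aspx resources outside that baseline and for unusually large transfers. Every baseline name other than human.aspx, the size threshold, the directory listing and the log lines are constructed placeholders, not values taken from MOVEit Transfer or from the campaign.

```python
"""
Defender-side triage for a MOVEit Transfer web host (added example).
Checks:
  1. .aspx files in the web root that are not in a verified baseline
  2. IIS requests to unexpected .aspx pages, and unusually large responses
"""
from dataclasses import dataclass
from typing import Iterable

# Assumption: a baseline of .aspx page names the operator has verified against a
# clean install. Only "human.aspx" comes from the article; the rest are placeholders.
KNOWN_GOOD_ASPX = {"human.aspx", "placeholder_login.aspx", "placeholder_api.aspx"}

# Flag any single response above this many bytes as a large transfer.
# 50 MiB is an arbitrary illustration; tune to the tenant's normal traffic.
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024

# Constructed IIS W3C extended log excerpt (not real traffic). The #Fields
# directive drives parsing, as it does for real IIS logs.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes cs-bytes
2023-06-01 09:00:01 GET /human.aspx - 198.51.100.10 200 5120 310
2023-06-01 09:00:07 POST /placeholder_api.aspx - 198.51.100.10 200 2048 640
2023-06-01 09:01:15 POST /unknown-page.aspx - 203.0.113.7 200 1400 930
2023-06-01 09:02:40 GET /placeholder_api.aspx action=download 203.0.113.7 200 73400320 280
"""

# Constructed web-root listing standing in for os.listdir() on the real host.
SAMPLE_WEBROOT_LISTING = ["human.aspx", "placeholder_login.aspx", "unknown-page.aspx", "web.config"]


@dataclass
class Finding:
    rule: str
    detail: str


def unexpected_webroot_files(listing: Iterable[str], baseline=KNOWN_GOOD_ASPX) -> list[str]:
    """Return .aspx names present in the web root but absent from the baseline."""
    return sorted(
        name for name in listing
        if name.lower().endswith(".aspx") and name.lower() not in baseline
    )


def parse_w3c(log_text: str) -> list[dict]:
    """Parse IIS W3C extended format into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed lines
                rows.append(dict(zip(fields, values)))
    return rows


def scan_iis_log(log_text: str, baseline=KNOWN_GOOD_ASPX,
                 large: int = LARGE_TRANSFER_BYTES) -> list[Finding]:
    """Flag requests to unexpected .aspx pages and unusually large responses."""
    findings = []
    for row in parse_w3c(log_text):
        stem = row.get("cs-uri-stem", "")
        name = stem.rsplit("/", 1)[-1].lower()
        if name.endswith(".aspx") and name not in baseline:
            findings.append(Finding("unexpected_aspx",
                                    f"{row['c-ip']} {row['cs-method']} {stem}"))
        try:
            sent = int(row.get("sc-bytes", "0"))
        except ValueError:
            sent = 0                           # '-' or garbage in the field
        if sent >= large:
            findings.append(Finding("large_transfer",
                                    f"{row['c-ip']} {stem} sent={sent}"))
    return findings


if __name__ == "__main__":
    for f in unexpected_webroot_files(SAMPLE_WEBROOT_LISTING):
        print(f"[webroot] unexpected page: {f}")
    for f in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"[iislog] {f.rule}: {f.detail}")
```

Both checks are deliberately simple and baseline-driven: the value comes from maintaining the baseline against a clean install and from feeding the script real `os.listdir()` output and real IIS logs rather than the constructed samples. A hit on `unexpected_aspx` is a reason to pull the file for analysis, not proof of a web shell, and the transfer threshold will need tuning per tenant.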
Enhancing Incident Response
Organizations should consider adopting automation and collaboration tools to enhance their cybersecurity incident response capabilities. Automation can significantly reduce the time and effort required to respond to, investigate, and contain incidents, while collaboration fosters improved communication and coordination among different teams and stakeholders. Leveraging automation and collaboration tools enables cybersecurity incident response service providers to handle the surge in cyberattacks effectively and to assist as many customers as possible within the available resources.