Updated on July 10th, 2023
On June 7th, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on an actively exploited critical vulnerability in MOVEit Transfer [1]. CVE-2023-34362 is a critical SQL injection vulnerability that leads to remote code execution, and it is being exploited by the ransomware group CL0P.
In this blog, we explain how the MOVEit Transfer CVE-2023-34362 SQL injection vulnerability works and how CL0P ransomware operators exploit it.
What is MOVEit Transfer CVE-2023-34362 SQL Injection Vulnerability?
MOVEit Transfer is a managed file transfer (MFT) application by Progress Software designed to provide secure collaboration and automated transfers of sensitive files. MOVEit Transfer is used by large organizations, including government and financial institutions worldwide, especially in the United States. On May 31st, 2023, Progress Software released a security advisory on a MOVEit Transfer SQL injection vulnerability that can lead to privilege escalation and unauthorized remote access to the user's environment. CVE-2023-34362 has not received a CVSS score; however, it is a critical zero-day vulnerability. A quick Shodan search shows that more than 2500 MOVEit servers are exposed to the Internet over ports 80 and 443, and 73% of them are located in the United States. Major organizations such as the BBC, British Airways, Aer Lingus, the government of Nova Scotia, Zellis, and the University of Rochester were targeted in CVE-2023-34362 exploitation attacks.
The affected versions of MOVEit Transfer are given below.
Product Name | Vulnerable Version | Fixed Version
MOVEit Transfer | version 2023.0.0 (15.0) | version 2023.0.1
MOVEit Transfer | version 2022.1.x (14.1) | version 2022.1.5
MOVEit Transfer | version 2022.0.x (14.0) | version 2022.0.4
MOVEit Transfer | version 2021.1.x (13.1) | version 2021.1.4
MOVEit Transfer | version 2021.0.x (13.0) | version 2021.0.6
MOVEit Transfer | version 2020.1.x (12.1) | Special Patch Available
MOVEit Transfer | version 2020.0.x (12.0) or older | MUST upgrade to a supported version
MOVEit Cloud | Prod: version 14.1.4.94 or 14.0.3.42; Test: version 15.0.1.37 | MOVEit Cloud systems are patched.
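As an added example (not code from the original post or from Progress), the fixed-version table above turned into an inventory check: it maps a reported MOVEit Transfer version to the patch status for CVE-2023-34362. It assumes that the legacy alias in parentheses (15.0, 14.1, ...) shares the patch component with the year-based version, so 14.1.5 is read as 2022.1.5.

```python
"""Added example (not from the original post): classify a MOVEit Transfer version
string against the CVE-2023-34362 fixed-version table. Inventory tools may report
either the year-based version (2022.1.3) or the legacy alias (14.1.3)."""
import re

# First fixed patch level per release branch, taken from the advisory table.
FIXED_BY_BRANCH = {
    (2023, 0): (2023, 0, 1),
    (2022, 1): (2022, 1, 5),
    (2022, 0): (2022, 0, 4),
    (2021, 1): (2021, 1, 4),
    (2021, 0): (2021, 0, 6),
}
SPECIAL_PATCH_BRANCH = (2020, 1)  # 2020.1.x: special patch; version alone cannot decide

# Legacy aliases as given in parentheses in the table (15.0 == 2023.0, ...).
# Assumption: the patch component is the same under both numbering schemes.
LEGACY_ALIAS = {
    (15, 0): (2023, 0), (14, 1): (2022, 1), (14, 0): (2022, 0),
    (13, 1): (2021, 1), (13, 0): (2021, 0), (12, 1): (2020, 1), (12, 0): (2020, 0),
}

def parse_version(text):
    """'2022.1.3', '2022.1.3 (14.1.3)' or '14.1.3' -> (2022, 1, 3); missing patch -> 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    major, minor = LEGACY_ALIAS.get((major, minor), (major, minor))
    return major, minor, patch

def assess_cve_2023_34362(version_text):
    """Return 'patched', 'vulnerable', 'special-patch-required', 'must-upgrade' or 'unknown'."""
    ver = parse_version(version_text)
    branch = ver[:2]
    if branch in FIXED_BY_BRANCH:
        return "patched" if ver >= FIXED_BY_BRANCH[branch] else "vulnerable"
    if branch == SPECIAL_PATCH_BRANCH:
        return "special-patch-required"
    if branch < SPECIAL_PATCH_BRANCH:
        return "must-upgrade"      # 2020.0.x (12.0) or older: no fix, upgrade required
    return "unknown"               # branch newer than the table; check the vendor advisory

if __name__ == "__main__":
    for v in ["2023.0.1", "2022.1.3 (14.1.3)", "14.0.4", "2020.1.7", "12.0.2"]:
        print(f"{v:22} -> {assess_cve_2023_34362(v)}")
```

A result of "patched" refers only to CVE-2023-34362; the July advisory on CVE-2023-36934 below shows that the same fixed builds were later found to need a further update.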
On July 6th, 2023, Progress published an advisory on a new SQL injection vulnerability found on MOVEit Transfer. CVE-2023-36934 has a CVSS score of 9.1 (Critical) and affects versions 2020.1.11 (12.1.11), 2021.0.9 (13.0.9), 2021.1.7 (13.1.7), 2022.0.7 (14.0.7), 2022.1.8 (14.1.8), and 2023.0.4 (15.0.4).
MOVEit Transfer CVE-2023-34362 Exploit - How Does It Work?
The earliest known exploitation of CVE-2023-34362 dates back to May 27th, 2023, and it is attributed to the CL0P ransomware group. Exploiting the zero-day vulnerability in MOVEit Transfer allows adversaries to deploy a web shell in the victim's environment and execute arbitrary commands. After exploiting CVE-2023-34362, CL0P threat actors deploy a web shell named LEMURLOOT to establish persistence in their victims' environments. LEMURLOOT is written in C#, and malware analysis showed that it requires authentication for incoming connections. Adversaries supply a hard-coded password in the "X-siLock-Comment" header and run commands that allow them to download their victims' sensitive files from MOVEit Transfer. If the authentication fails, the web shell returns a 404 "Not Found" error.
Figure 1: LEMURLOOT Authentication code snippet [2]
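The authentication behaviour described above, turned into a detection check as an added example (not code from the original post or from the cited analyses): it scans logged HTTP requests for the X-siLock-Comment header and explains why a 404 response does not clear such a request. Hostname, paths and the password value are constructed placeholders.

```python
"""Added detection example, not code from the original post or the cited analyses:
flag requests to a MOVEit Transfer host that carry the X-siLock-Comment header
LEMURLOOT reads its hard-coded password from. Sample traffic is constructed."""
from dataclasses import dataclass

SUSPICIOUS_HEADER = "x-silock-comment"  # HTTP header names are case-insensitive

@dataclass
class Finding:
    request_line: str
    header_value: str
    response_status: int
    note: str

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request line, {lower-cased name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:                      # skip malformed header lines instead of aborting
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_request(raw, response_status):
    """Return a Finding if the X-siLock-Comment header is present, otherwise None."""
    request_line, headers = parse_request(raw)
    if SUSPICIOUS_HEADER not in headers:
        return None
    # The post notes the web shell answers a wrong password with 404, so a 404 does
    # not clear the request: the header alone is the anomaly worth investigating.
    note = ("404 returned: password rejected, web shell may still be present"
            if response_status == 404 else f"request accepted with status {response_status}")
    return Finding(request_line, headers[SUSPICIOUS_HEADER], response_status, note)

def scan(pairs):
    """pairs: iterable of (raw request, response status) as a reverse proxy or WAF logs them."""
    return [f for f in (check_request(r, s) for r, s in pairs) if f is not None]

# Constructed sample traffic; hostname, paths and the password are placeholders.
SAMPLE_PAIRS = [
    ("GET /example.aspx HTTP/1.1\r\nHost: mft.example.internal\r\nUser-Agent: Mozilla/5.0\r\n\r\n", 200),
    ("POST /example.aspx HTTP/1.1\r\nHost: mft.example.internal\r\n"
     "X-siLock-Comment: <PLACEHOLDER-PASSWORD>\r\n\r\n", 404),
    ("POST /example.aspx HTTP/1.1\r\nHost: mft.example.internal\r\n"
     "x-silock-comment: <PLACEHOLDER-PASSWORD>\r\nX-Other: 1\r\n\r\n", 200),
]
```

Running `scan(SAMPLE_PAIRS)` flags the two requests carrying the header, including the one the web shell rejected with 404.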
CL0P Ransomware
CL0P ransomware was first observed in February 2019 in an attack campaign run by TA505. Since then, it has been one of the most widely used ransomware families in the Ransomware-as-a-Service (RaaS) market, at least until the arrest of suspected CL0P members in June 2021 [3]. CL0P ransomware is a successor of CryptoMix ransomware; it uses the double extortion method and exfiltrates its victims' sensitive data prior to encryption.
The TA505 threat group is known to distribute CL0P ransomware via large-scale phishing campaigns. TA505 is estimated to have compromised more than 3,000 U.S.-based organizations and 8,000 organizations globally [1].
How Picus Helps Simulate CL0P Ransomware Attacks?
We also strongly suggest simulating CL0P ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using Picus, The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as LockBit Black, BlackBasta, and Maui, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for CL0P ransomware:
Threat ID | Threat Name | Attack Module
78610 | Cl0p Ransomware Campaign 2022 | Attack Scenario
51219 | Clop Ransomware Download Threat | Network Infiltration
30539 | Clop Ransomware Email Threat | Email Infiltration (Phishing)
Picus Threat Library includes the following threats for MOVEit CVE-2023-34362 SQL Injection vulnerability:
Threat ID | Threat Name | Attack Module
83575 | MOVEit Transfer Web Attack Campaign | Web Application
53684 | MOVEit CVE-2023-34362 SQL injection Vulnerability Download Threat | Network Infiltration
76762 | MOVEit CVE-2023-34362 SQL injection Vulnerability Email Threat | Email Infiltration (Phishing)
Picus Threat Library includes the following threats for LEMURLOOT Webshell:
Threat ID | Threat Name | Attack Module
20078 | Webshell Web Attack Campaign - 2 | Web Application
Picus Threat Library includes the following threats for TA505 Threat Group:
Threat ID | Threat Name | Attack Module
76380 | TA505 Ransomware Campaign 2020 | Attack Scenario
76083 | TA505 Threat Group Campaign Malware Downloader Download Threat | Network Infiltration
93517 | TA505 Threat Group Campaign Malware Downloader Email Threat | Email Infiltration (Phishing)
41761 | TA505 Threat Group Campaign Malware Download Threat - 1 | Network Infiltration
93777 | TA505 Threat Group Campaign Malware Email Threat - 1 | Email Infiltration (Phishing)
66431 | TA505 Threat Group Campaign Malware Download Threat - 2 | Network Infiltration
72220 | TA505 Threat Group Campaign Malware Email Threat - 2 | Email Infiltration (Phishing)
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address CL0P ransomware and other ransomware attacks in preventive security controls. Picus Labs has validated the following signatures for CL0P ransomware:
CL0P Ransomware Mitigation Signatures
Security Control | Signature ID | Signature Name
Check Point NGFW | 0EC09E0A8 | Trojan.Win32.Generic.Win32.Generic.TC.2026NCcc
Check Point NGFW | 0C72F204B | Trojan.Win32.Generic.Win32.Generic.TC.34a4PsqI
Check Point NGFW | 099C0F2BA | Trojan.Win32.AZORult.TC.aef1mZTE
Check Point NGFW | 092FF1006 | Ransomware.Win32.Clop.TC.z
Check Point NGFW | 0DC523B79 | Trojan.Win32.Generic.Win32.Generic.TC.86dagzfu
Check Point NGFW | 0CF0C16E3 | Trojan.Win32.Clop.TC.589aUGea
Check Point NGFW | 0A25D3C6C | HEUR:Trojan-Ransom.Win32.Encoder.TC.cf5cLMof
Check Point NGFW | 0FB52E178 | Ransomware.Win32.Clop.TC.ceabLbeG
Cisco FirePower | W32.Auto:968307a367.in03.Talos |
Cisco FirePower | Attribute:MdeClass-tpd |
Cisco FirePower | W32.Auto:3d94c4a923.in03.Talos |
Cisco FirePower | W32.Auto:94b76ce34e.in03.Talos |
Cisco FirePower | Win.Ransomware.Klopransom::in03.talos |
Forcepoint NGFW | | File_Malware-Blocked
Fortigate AV | 8003532 | W32/HydraCrypt.P!tr.ransom
Fortigate AV | 7991070 | W32/Kryptik.GPOJ!tr
Fortigate AV | 10008464 | W32/KlopRansom.S!tr.ransom
McAfee | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Palo Alto | 408691476 | trojan/Win32 EXE.clop.n
Palo Alto | 258945732 | Malware/Win32.cleaman.gsv
Palo Alto | 224687586 | Trojan/Win32.zudochka.m
Palo Alto | 407907849 | trojan/Win32 EXE.malware.axkc
Palo Alto | 382924014 | trojan/Win32 EXE.hydracrypt.eb
Palo Alto | 386372397 | trojan/Win32 EXE.hydracrypt.ec
Palo Alto | 322065612 | Trojan/Win32.ransom.quo
Palo Alto | 379726866 | trojan/Win32 EXE.encoder.tc
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus, The Complete Security Validation Platform.
References
[1] "#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a. [Accessed: Jun. 09, 2023]
[2] N. Noll, "Critical Vulnerability in Progress MOVEit Transfer: Technical Analysis and Recommendations," TrustedSec, Jun. 01, 2023. [Online]. Available: https://www.trustedsec.com/blog/critical-vulnerability-in-progress-moveit-transfer-technical-analysis-and-recommendations/. [Accessed: Jun. 09, 2023]
[3] H. C. Yuceel, "Clop Ransomware Gang," Aug. 22, 2022. [Online]. Available: https://www.picussecurity.com/resource/clop-ransomware-gang. [Accessed: Jun. 09, 2023]