
Oct 06, 2023

MOVEit Transfer Exploited to Drop File

By Alex Delamotte and James Haughom

SentinelOne has observed in-the-wild (ITW) exploitation of CVE-2023-34362, a vulnerability in the MOVEit file transfer server application. The attack delivers a Microsoft IIS .aspx payload that enables limited interaction between the affected web server and connected Azure blob storage. On June 5, the Cl0p ransomware group claimed responsibility for these attacks, though SentinelOne notes the targeting of a file transfer application vulnerability resembles other exploitation conducted by financially motivated actors throughout early 2023.

In this post, we provide technical details of the attack chain along with hunting queries and a PowerShell script that can be used to scan for potential exploitation of the MOVEit Transfer vulnerability.

Through the last week of May and early June 2023, SentinelOne observed active exploitation of Windows servers running a vulnerable version of Progress Software's MOVEit Transfer file server application. The attack delivers a minimal webshell that the attacker can use to exfiltrate the contents of files, including files hosted in Microsoft Azure when the targeted MOVEit instance is configured to use Azure's blob storage service. As of June 5, the Cl0p ransomware group claimed responsibility for these campaigns.

While exploitation is likely opportunistic, SentinelOne observed attacks against more than 20 organizations in the following sectors, with Managed Security Service Providers (MSSP) and Managed Information Technology Service Providers (MSP) impacted most frequently:

The vulnerability impacts the following versions of MOVEit Transfer:

These attacks are conducted against Windows servers running a vulnerable version of the MOVEit file transfer application, which attackers can identify through port scanning or internet indexing services like Shodan.

Progress Software recently published an advisory detailing a vulnerability in MOVEit Transfer that could enable privilege escalation and unauthorized access to the targeted environment. The advisory describes the issue as a SQL injection vulnerability, tracked as CVE-2023-34362, which can allow an unauthenticated attacker to inject SQL commands and obtain information from the MOVEit Transfer database.

The attack chain leverages this vulnerability to conduct an arbitrary file upload, running as the moveitsvc service account, to the server's \MOVEitTransfer\wwwroot\ directory. The system's svchost.exe process launches w3wp.exe, a Microsoft Internet Information Services (IIS) worker process, which then writes several files to a new working directory in Temp. The working directory and the files inside it share the same 8-character, pseudo-random naming scheme; in one example the following files were written:

The w3wp.exe process launches csc.exe to compile the C# code behind the dropped page, human2.aspx. The page is a minimal webshell that queries the MOVEit database configuration, enabling the actor to:

To exfiltrate files, the attacker specifies the targeted object's File ID and Folder ID in HTTP headers of a request made to the webshell. The shell then returns the specified file's content as a gzip-compressed body in the server's HTTP response. The shell also deletes the existing MOVEit application user named "Health Check Service" and creates a new user with the same username, likely as a means of persistence.

At the time of writing, SentinelOne has not observed subsequent activity following placement of the webshell.

Organizations using MOVEit Transfer should upgrade affected systems immediately. In situations where upgrades cannot be performed, the system should be taken offline until it can be upgraded. Ensure your security team can access and analyze application logs from servers that run MOVEit Transfer, including Microsoft IIS logs.

Because exploitation occurs through interaction with MOVEit Transfer at the application level, detection opportunities for Endpoint Detection & Response (EDR) tooling are limited to later-stage activity. SentinelOne notes that each payload is dynamically compiled at runtime, resulting in a unique hash for each victim. While we are providing a list of hashes associated with payloads delivered through these campaigns, organizations should not rely on hashes alone to detect these attacks.

We recommend that organizations using MOVEit Transfer conduct threat hunts and log analysis using the resources provided below.

SentinelOne is providing the following queries that organizations can use to hunt for activity associated with these attacks. While these queries are not necessarily inclusive of all attack scenarios, the results should be investigated and triaged. Additionally, defenders should look for unusual activity initiated by the MOVEit Transfer service account: the default value is moveitsvc, though some instances may have a custom account name.

In addition to these queries, SentinelOne is providing a script to scan for potential exploitation of the MOVEit Transfer vulnerability.
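As an added example, not SentinelOne's script and not part of the original post, the following Python applies two of the hunts described above to constructed sample data: in IIS W3C logs, requests for human2.aspx and for any other .aspx page that is absent from a baseline of known-good page names (the payload name can change, the baseline approach does not depend on it); on disk, csc.exe compile artifacts in an 8-character pseudo-random directory under Temp whose files carry the directory's own name. Assumptions: human.aspx is treated as a legitimate MOVEit page when building the baseline, the artifact extensions (.cmdline, .0.cs, .out, .dll, .pdb, .err, .tmp) are the standard CodeDOM/csc.exe output, and every log line and path is constructed, not taken from a real host.

```python
"""Hunt for the MOVEit Transfer webshell indicators in IIS logs and Temp listings.

Added example code; not SentinelOne's published scanner. Sample data is constructed.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed IIS W3C log, not a real capture. Requests at 01:02:40 and 01:03:15
# are the webshell being reached; human.aspx is assumed to be MOVEit's normal UI.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2023-05-28 01:02:03 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 31
2023-05-28 01:02:40 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 2104
2023-05-28 01:03:15 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 9870
2023-05-28 01:05:00 10.0.0.5 GET /human.aspx - 443 alice 198.51.100.7 Mozilla/5.0 200 28
2023-05-28 01:06:12 10.0.0.5 GET /temp_upload.aspx - 443 - 203.0.113.10 curl/8.0 200 55
"""

# Constructed baseline of legitimate page names, e.g. harvested from logs of a
# period before the exposure window. Extend it with your own instance's pages.
BASELINE_STEMS = {"/human.aspx"}
WEBSHELL_NAME = "human2.aspx"


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; a production hunt would log it and carry on
        records.append(dict(zip(fields, values)))
    return records


def hunt_iis(records, baseline_stems):
    """Flag requests for the known webshell name or for any .aspx page not in the baseline."""
    baseline = {s.lower() for s in baseline_stems}
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        if not stem.endswith(".aspx"):
            continue
        if stem.rsplit("/", 1)[-1] == WEBSHELL_NAME:
            reason = "known webshell name"
        elif stem not in baseline:
            reason = "aspx page not in baseline"
        else:
            continue
        hits.append({
            "when": f"{rec['date']} {rec['time']}",
            "client": rec.get("c-ip", "-"),
            "method": rec.get("cs-method", "-"),
            "stem": stem,
            "reason": reason,
        })
    return hits


# csc.exe compile artifacts: Temp\<8 chars>\<same 8 chars>.<ext>. The extension
# list is an assumption about standard CodeDOM output, not taken from the post.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}$", re.IGNORECASE)
COMPILE_EXTS = (".cmdline", ".0.cs", ".out", ".dll", ".pdb", ".err", ".tmp")


def find_compile_artifacts(paths):
    """Group same-named compile artifacts by Temp directory; return dirs holding two or more."""
    groups = defaultdict(set)
    for raw in paths:
        p = PureWindowsPath(raw)
        parent = p.parent
        if parent.parent.name.lower() != "temp" or not RANDOM_NAME.match(parent.name):
            continue
        fname = p.name.lower()
        for ext in COMPILE_EXTS:
            if fname == parent.name.lower() + ext:
                groups[str(parent)].add(ext)
                break
    return {d: exts for d, exts in groups.items() if len(exts) >= 2}


SAMPLE_PATHS = [  # constructed listing, not from a real host
    r"C:\Windows\Temp\gzrmxqrq\gzrmxqrq.cmdline",
    r"C:\Windows\Temp\gzrmxqrq\gzrmxqrq.0.cs",
    r"C:\Windows\Temp\gzrmxqrq\gzrmxqrq.out",
    r"C:\Windows\Temp\gzrmxqrq\gzrmxqrq.dll",
    r"C:\Windows\Temp\abcd1234\abcd1234.dll",  # a lone file is not enough evidence
    r"C:\Windows\Temp\installer.log",
    r"C:\MOVEitTransfer\wwwroot\human2.aspx",
]

if __name__ == "__main__":
    for hit in hunt_iis(parse_w3c(SAMPLE_IIS_LOG), BASELINE_STEMS):
        print(f"[IIS] {hit['when']} {hit['client']} {hit['method']} {hit['stem']}: {hit['reason']}")
    for d, exts in find_compile_artifacts(SAMPLE_PATHS).items():
        print(f"[FS] compile artifacts in {d}: {sorted(exts)}")
```

To use it on a live server, feed the contents of the IIS log directory to parse_w3c and a recursive listing of the Temp directories used by the MOVEit service account (moveitsvc by default) to find_compile_artifacts. A hit on human2.aspx alone is sufficient to start the response steps above; a single client IP appearing in both the log hits and the compile-artifact timeframe is worth a full timeline, and any .aspx outside the baseline should be pulled and reviewed, since the payload name is under the attacker's control.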

Based on the activity observed by SentinelOne, we believe the attacker's goal is to establish access to as many victim environments as possible to conduct file exfiltration at scale.

While the Cl0p ransomware group claimed credit for these attacks, SentinelOne notes that these techniques align with a broader trend of financially motivated attacks against web servers running vulnerable file transfer software. This category of activity includes attacks against Aspera Faspex software that delivered IceFire ransomware earlier in 2023, as well as attacks attributed to Cl0p that exploited a 0-day flaw in the GoAnywhere managed file transfer (MFT) application. Based on the relative increase in file transfer server attacks that use 0-day and N-day exploits, there is likely an abundant exploit development ecosystem focused on enterprise file transfer applications.

If this activity is solely the work of the Cl0p ransomware group, the actor's choice to use the MOVEit flaw to target files in Azure cloud storage is notable. Cloud-focused extortion actors like BianLian and Karakurt use multipurpose file management tools like Rclone and FileZilla. A bespoke webshell designed to steal Azure-hosted files through SQL queries specific to the targeted environment is a notable departure from that established norm and suggests the tooling was developed and tested well in advance of ITW attacks.

Files associated with exploitation of vulnerable MOVEit Transfer instances include the following.

SHA1
d013e0a503ba6e9d481b9ccdd119525fe0db7652
34d4b835b24a573863ebae30caab60d6070ed9aa
c8e03cb454034d5329d810bbfeb2bd2014dac16d
eee9451901badbfbcf920fcc5089ddc1ee4ec06d
73f19114d61bd09789788782f407f6fe1d6530b9
7d91f5b03932793ff32ad99c5e611f1e5e7fe561
a2f74b02f29f5b1a9fe3efe68c8f48c717be45c2
c756c290729981d3804681e94b73d6f0be179146
11608a031358817324568db9ece1f09e74de4719
b8704c96436ffcbd93f954158fa374df05ddf7f6
