Coverage Advisory for CVE-2023-34362 MOVEit Transfer Vulnerabilities

The article documents critical SQL injection flaws in Progress MOVEit Transfer (notably CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) that enable unauthenticated attackers to implant a web shell, escalate privileges, and steal or modify database contents. It describes the attack sequence, telemetry and indicators (malicious files, API endpoints, custom HTTP headers), detection tips, and mitigation recommendations. #MOVEit #CL0P

Keypoints

  • Multiple critical SQL injection vulnerabilities in MOVEit Transfer (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) allow unauthenticated remote exploitation and database access.
  • Attackers follow a repeatable sequence of requests (health/token checks, folder listing, resumable file uploads, SQL injection via moveitisapi.dll) to implant a web shell named human2.aspx or _human2.aspx.
  • The implanted web shell uses a generated 36-character password and a custom HTTP header (X-siLock-Comment) for authentication; it returns 404 if the header is absent.
  • Exploitation can enable database enumeration, modification, deletion, and data exfiltration; the CL0P ransomware group has been observed exploiting the vulnerability and deploying a web shell called LEMURLOOT.
  • Detection guidance: check IIS access logs for the specific request sequence and headers, and scan MOVEitTransfer wwwroot for human2.aspx/_human2.aspx; registry keys point to root and log locations.
  • Mitigations: immediately block HTTP/HTTPS access to vulnerable MOVEit instances until patched, apply vendor fixes for affected versions, and enable network/SSL inspection and C2 protections.
  • Zscaler has published threat signatures and AppProtection rules to detect and block the exploitation and related payloads.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – SQL injection against MOVEit web endpoints to gain unauthorized access and execute database queries (‘Perform SQL injection – POST /moveitisapi/moveitisapi.dll – on port 443’).
  • [T1105] Ingress Tool Transfer – Uploading a malicious ASPX file (web shell) via resumable file upload endpoints to place remote code (‘Upload file – POST /api/v1/folders/[PATH]/files uploadType=resumable – on port 443’).
  • [T1505.003] Web Shell – Deployment and use of a malicious human2.aspx web shell to run commands and interact with the database (‘Access WebShell – GET /human2.aspx – on port 443’).
  • [T1071] Application Layer Protocol – Command-and-control communication using HTTP with a custom header for authentication (‘The adversary communicates with the webshell over HTTP protocol with … custom header … named “X-siLock-Comment”’).
  • [T1041] Exfiltration Over C2 Channel – Using the implanted web shell and SQL queries to extract sensitive data from MOVEit databases (‘The Internet facing MOVEit Transfer web applications were infected … which was then used to steal data from the victim’s machine and underlying MOVEit Transfer databases.’)

Indicators of Compromise

  • [File name] Malicious web shell – human2.aspx, _human2.aspx (stages SQL account and provides remote access).
  • [Endpoints/URLs] Exploitation sequence – /moveitisapi/moveitisapi.dll, /guestaccess.aspx, /api/v1/folders/[PATH]/files (used for SQLi, session prep, and file upload).
  • [HTTP Headers] Custom authentication and control headers – X-siLock-Comment, X-siLock-Step1 (used by the web shell for auth and staging).
  • [Threat artifacts] Observed payload/webshell name and actor – LEMURLOOT web shell, CL0P activity (used to exfiltrate data after compromise).

Attackers exploit MOVEit Transfer by first probing the application (app/health checks and token retrieval), then enumerating folders and performing resumable file uploads to place a malicious ASPX web shell (commonly human2.aspx). The SQL injection point is invoked via moveitisapi.dll with crafted headers; guestaccess.aspx is used to prepare sessions and extract tokens needed for subsequent requests. Once the web shell is written to the MOVEit webroot it generates a 36-character password and requires a custom HTTP header (X-siLock-Comment) containing that password for authenticated interactions, otherwise it returns 404.

With the web shell authenticated, attackers use SQL queries tailored to the backend database (MySQL, MS SQL Server, or Azure SQL) to enumerate schema, read, modify, or delete data, and to exfiltrate sensitive contents. The typical exploitation sequence to look for in logs, from a single client IP within a short window, is guestaccess.aspx → moveitisapi.dll → upload (PUT/POST to /api/v1/folders/…/files) → access to human2.aspx; the header names X-siLock-Comment and X-siLock-Step1/2/3 are confirmed telemetry for compromises.

Detection and remediation steps: immediately block external HTTP/HTTPS access to vulnerable MOVEit instances until vendor patches are applied; scan the MOVEitTransfer wwwroot for human2.aspx or _human2.aspx (a 404 returned for that path does not prove the file is absent, because the web shell itself answers 404 when the X-siLock-Comment header is missing); review IIS access logs for the above request sequence and the custom headers (IIS W3C logs record request headers only if they were configured as custom logging fields, so the request sequence is usually the more reliable signal); consult the registry values HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock\WebBaseDir and …\LogsBaseDir to locate the application root and logs. Apply Progress fixes for affected versions, enable SSL inspection and application-layer C2 protections, and use available IDS/AV/AppProtection signatures to block known exploit patterns and payloads.
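The log review and webroot scan above, as an added worked example (this is not Zscaler's or Progress's code). It parses IIS W3C logs using the #Fields directive, walks the request chain in the order the advisory gives it per client IP, counts every hit on human2.aspx regardless of status code, checks for an X-siLock custom log field if one was configured, and lists web-shell file names under a webroot. The sample log, the one-hour chain window, the temporary stand-in webroot and the function names are constructed assumptions for illustration.

```python
"""Hunt for the MOVEit Transfer (CVE-2023-34362) exploitation chain in IIS W3C logs
and for the human2.aspx web shell under the MOVEit webroot. Added example; the
sample log and webroot below are constructed, not captured from a real host."""
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta

# Request chain from the advisory, in order. Methods are constrained only where the
# advisory states them (upload may be PUT or POST, the shell is fetched with GET).
EXPLOIT_CHAIN = [
    ("guestaccess", None,            re.compile(r"^/guestaccess\.aspx$", re.I)),
    ("sqli",        None,            re.compile(r"^/moveitisapi/moveitisapi\.dll$", re.I)),
    ("upload",      {"PUT", "POST"}, re.compile(r"^/api/v1/folders/.+/files$", re.I)),
    ("webshell",    {"GET"},         re.compile(r"^/_?human2\.aspx$", re.I)),
]
WEBSHELL_NAMES = {"human2.aspx", "_human2.aspx"}
# IIS records a request header only if it was added as a custom W3C field, cs(Header).
SILOCK_FIELD = re.compile(r"^cs\(x-silock-(comment|step[123])\)$", re.I)
WINDOW = timedelta(hours=1)  # assumption: one intrusion chain completes within an hour

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive to name the columns."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec

def _matches(rec, step):
    _, methods, pat = step
    method_ok = methods is None or rec["cs-method"].upper() in methods
    return bool(pat.match(rec["cs-uri-stem"])) and method_ok

def hunt_iis(text):
    """Per client IP: chain stages reached in order, web-shell hits, X-siLock header sightings."""
    by_ip = defaultdict(list)
    for rec in parse_w3c(text):
        by_ip[rec["c-ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # A 404 on human2.aspx is not reassuring: the shell itself answers 404 when the
        # X-siLock-Comment header is missing, so every hit counts regardless of status.
        shell_hits = sum(1 for r in recs if _matches(r, EXPLOIT_CHAIN[-1]))
        header_seen = any(SILOCK_FIELD.match(k) and v != "-" for r in recs for k, v in r.items())
        stage, reached, start = 0, [], None
        for r in recs:
            if stage == len(EXPLOIT_CHAIN):
                break
            if start is not None and r["ts"] - start > WINDOW:
                stage, reached, start = 0, [], None  # chain went stale; start over
            if _matches(r, EXPLOIT_CHAIN[stage]):
                start = start or r["ts"]
                reached.append(EXPLOIT_CHAIN[stage][0])
                stage += 1
        if reached or shell_hits or header_seen:
            findings[ip] = {"stages": reached, "complete": stage == len(EXPLOIT_CHAIN),
                            "webshell_hits": shell_hits, "silock_header": header_seen}
    return findings

def scan_webroot(root):
    """Return root-relative paths of files named like the human2.aspx (LEMURLOOT) web shell."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() in WEBSHELL_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

# Constructed sample: a full chain from 203.0.113.7, a partial one from 198.51.100.9,
# benign traffic from 192.0.2.44. cs(X-siLock-Comment) is a custom field added to the log.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(X-siLock-Comment) sc-status
2023-05-28 02:10:01 10.0.0.5 GET /guestaccess.aspx - 443 203.0.113.7 - 200
2023-05-28 02:10:02 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 203.0.113.7 - 200
2023-05-28 02:10:03 10.0.0.5 POST /api/v1/folders/123/files uploadType=resumable 443 203.0.113.7 - 200
2023-05-28 02:10:09 10.0.0.5 GET /human2.aspx - 443 203.0.113.7 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 200
2023-05-28 02:11:00 10.0.0.5 GET /human2.aspx - 443 203.0.113.7 - 404
2023-05-28 02:12:00 10.0.0.5 GET /guestaccess.aspx - 443 198.51.100.9 - 200
2023-05-28 02:12:30 10.0.0.5 GET /api/v1/folders - 443 198.51.100.9 - 200
2023-05-28 02:13:00 10.0.0.5 GET /index.html - 443 192.0.2.44 - 200
"""

def build_demo_webroot():
    """Constructed stand-in for wwwroot: one shell at the top level, one nested, one decoy."""
    root = tempfile.mkdtemp(prefix="moveit_wwwroot_")
    os.makedirs(os.path.join(root, "api"))
    for rel in ("human2.aspx", os.path.join("api", "_human2.aspx"), "index.aspx"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write('<%@ Page Language="C#" %>\n')
    return root
```

Run hunt_iis() over the real log text and scan_webroot() over the directory named by the WebBaseDir registry value; a complete chain or any human2.aspx hit from one client IP is the signal to pull that host for forensics, and a partial chain from an external IP is worth a closer look even when the upload step is missing, since the resumable upload is only one of the ways the page's telemetry describes the file landing.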

Read more: https://www.zscaler.com/blogs/security-research/coverage-advisory-cve-2023-34362-moveit-transfer-vulnerabilities