MOVEit Transfer suffered a critical vulnerability (CVE-2023-34362) that enables SQL injection with potential admin access, arbitrary code execution, and ransomware deployment. Huntress documents the full attack chain, including a persistent webshell (human2.aspx) and widespread public exposure of MOVEit servers, with updates noting new CVEs and attribution to Lace Tempest/cl0p. #MOVEitTransfer #CVE-2023-34362 #CVE-2023-35036 #LaceTempest #cl0p #human2.aspx
Keypoints
- There is a severe MOVEit Transfer web application vulnerability that offers SQL injection, which can lead to administrative access, file exfiltration, and arbitrary code execution.
- Huntress fully recreated the attack chain and noted that over 2,500 MOVEit public-facing servers exist, though fewer organizations observed the full chain.
- The attack path shown includes web requests such as guestaccess.aspx, API calls, and moveitisapi.dll, culminating in the deployment of a human2.aspx webshell for persistence.
- The human2.aspx backdoor enforces a static password via the X-siLock-Comment header and can perform actions like leaking data, listing files, or creating a long-running admin session.
- The backdoor artifacts include pre-compiled DLLs (e.g., App_Web_wrpngvm2.dll) and the human2.aspx file, indicating runtime compilation/persistence steps.
- Since May–June 2023, multiple CVEs have been described (CVE-2023-34362, CVE-2023-35036), with attribution of the threat cluster to Lace Tempest/cl0p in various disclosures.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The MOVEit Transfer web application frontend offers SQL injection that can be exploited to gain administrative access, exfiltrate files and achieve arbitrary code execution. “There is a severe vulnerability in the MOVEit Transfer web application frontend that offers SQL injection, that can be further abused to gain administrative access, exfiltrate files and gain arbitrary code execution.”
- [T1105] Ingress Tool Transfer – MOVEit's own moveitisapi.dll endpoint (part of the attack path above, not an attacker-supplied component) is requested with specific headers to perform the SQL injection. “moveitisapi.dll[…] is used to perform SQL injection when requested with specific headers.”
- [T1505.003] Web Shell – The observed webshell (human2.aspx) is deployed for persistence; it enforces a static password via a header and provides capabilities to leak data and manage sessions. “the backdoor will return a 404 with no further function… This password seems to vary… human2.aspx webshell.”
- [T1059] Command and Scripting Interpreter – The attack timeline includes w3wp.exe executing the C# compiler (csc.exe) to compile the human2.aspx backdoor. “w3wp.exe execute the C# compiler [csc.exe] which timing lines up with the creation of our human2.aspx backdoor.”
- [T1041] Exfiltration – The backdoor can leak data (Azure information) and return a gzip stream of files, owners, and sizes, indicating data exfiltration capabilities. “leak Azure information via response header and return a GZIP stream of all files, file owners and file sizes, and institution data present in MOVEit.”
Indicators of Compromise
- [Files] C:\MOVEitTransfer\wwwroot\human2.aspx, App_Web_wrpngvm2.dll
- [IP addresses] 89.39.105.108 (WorldStream), 5.252.190.0/24, and 4 more IPs
- [URLs/Endpoints] /guestaccess.aspx, /api/v1/token, /moveitisapi/moveitisapi.dll
- [Processes] w3wp.exe, csc.exe
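As an added triage example (not code from the Huntress write-up or this summary), the Python below flags the documented request chain, hits on the human2.aspx path, known-bad source IPs, and w3wp.exe spawning csc.exe. It assumes a simplified six-field web log line rather than the full IIS W3C layout; the log lines, process events and the addresses 198.51.100.7 and 203.0.113.5 are constructed samples.

```python
"""Triage helpers for the MOVEit Transfer attack chain summarised above.
Added example; the log lines and process events below are constructed."""
from collections import defaultdict

# Endpoints from the documented attack path, in the order they were requested.
CHAIN = ("/guestaccess.aspx", "/api/v1/token", "/moveitisapi/moveitisapi.dll")
WEBSHELL = "/human2.aspx"
KNOWN_BAD_IPS = {"89.39.105.108"}  # from the IoC list above

IIS_LOG = """\
2023-05-28 01:02:03 GET /guestaccess.aspx 89.39.105.108 200
2023-05-28 01:02:04 POST /api/v1/token 89.39.105.108 200
2023-05-28 01:02:05 POST /moveitisapi/moveitisapi.dll 89.39.105.108 200
2023-05-28 01:02:09 POST /human2.aspx 89.39.105.108 200
2023-05-28 01:03:00 GET /human2.aspx 198.51.100.7 404
2023-05-28 01:05:00 GET /guestaccess.aspx 203.0.113.5 200
"""
PROC_EVENTS = [  # constructed process-creation events (e.g. Sysmon event 1)
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
]

def iis_findings(log_text):
    """Return sorted (client_ip, reason) pairs from 'date time method uri ip status' lines."""
    per_ip, out = defaultdict(list), set()
    for line in log_text.splitlines():
        _date, _time, _method, uri, ip, status = line.split()
        uri = uri.lower()
        per_ip[ip].append(uri)
        if uri == WEBSHELL:
            # A 404 is still notable: the shell answers 404 unless the password header matches.
            out.add((ip, f"hit on {WEBSHELL} (HTTP {status})"))
        if ip in KNOWN_BAD_IPS:
            out.add((ip, "known-bad source IP"))
    for ip, uris in per_ip.items():
        # Chain matched if the three endpoints appear in order (subsequence check
        # on a shared iterator, so each step must follow the previous one).
        it = iter(uris)
        if all(any(u == step for u in it) for step in CHAIN):
            out.add((ip, "full guestaccess -> token -> moveitisapi chain"))
    return sorted(out)

def compiler_spawn_findings(events):
    """Flag w3wp.exe spawning csc.exe. ASP.NET also compiles pages legitimately,
    so correlate hits with a new .aspx in wwwroot or a fresh App_Web_*.dll."""
    return [e for e in events
            if e["parent"].lower().endswith("w3wp.exe")
            and e["image"].lower().endswith("csc.exe")]
```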
Read more: https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response