Summary
On May 31, 2023, Progress Software Corporation publicly disclosed a critical SQL injection vulnerability (CVE-2023-34362) in its MOVEit Transfer application. The vulnerability poses a risk of unauthorized access to the underlying database. Progress Software Corporation, a provider of business applications, advises customers to promptly apply patches and follow the mitigation measures outlined in its security advisory. Microsoft has detected active exploitation of this vulnerability by a cybercriminal group identified as Lace Tempest (DEV-0950) since May 27, 2023.
Lace Tempest is notorious for engaging in ransomware attacks, extortion operations, and operating the Clop ransomware extortion site. Exploiting the vulnerability allows the deployment of a custom web shell with data exfiltration capabilities on the compromised server. In some instances, Lace Tempest has successfully exfiltrated files from MOVEit Transfer servers. Historical cases involving similar vulnerabilities exploited by Lace Tempest in other enterprise file transfer software have resulted in stolen data being extorted and posted on the Clop leak site.
Impacted Technologies:
- Users of MOVEit Transfer 2023.0.0 should install MOVEit Transfer 2023.0.1.
- Users of MOVEit Transfer 2022.1.x should install MOVEit Transfer 2022.1.5.
- Users of MOVEit Transfer 2022.0.x should install MOVEit Transfer 2022.0.4.
- Users of MOVEit Transfer 2021.1.x should install MOVEit Transfer 2021.1.4.
- Users of MOVEit Transfer 2021.0.x should install MOVEit Transfer 2021.0.6.
Threat Hunting:
- Search for the malicious web shell specific to the Lace Tempest activity running under the w3wp.exe process.
  - The Initiating Process File Name field should contain “w3wp.exe”. This filters the events to those where the initiating process is named “w3wp.exe”.
  - The File Name field should contain “human2.aspx”. This filters the events to those where the file name includes “human2.aspx”.
- Search for generic web shell creation after the release of the exploit.
  - The Action Type should be “File Created”. This filters the events to those where a file was created.
  - The Folder Path should contain “C:\MOVEitTransfer\wwwroot”. This filters the events to those where the folder path includes this specific value.
  - The File Name should end with either “aspx” or “asp”. This further narrows down the events to those where the file name ends with either of these extensions.
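The two hunts above, as an added Python example that is not part of the original advisory, run over a handful of constructed file events. The record keys are assumed to mirror the Defender advanced hunting DeviceFileEvents columns the hunt describes, and the “after the release of the exploit” cutoff is assumed to be the May 27, 2023 date at which Microsoft observed exploitation begin.

```python
# Constructed sample events; key names are assumed to mirror the
# DeviceFileEvents columns named in the hunt (not real telemetry).
SAMPLE_EVENTS = [
    {"Timestamp": "2023-05-28T03:12:44Z", "ActionType": "FileCreated",
     "FolderPath": r"C:\MOVEitTransfer\wwwroot", "FileName": "human2.aspx",
     "InitiatingProcessFileName": "w3wp.exe"},
    {"Timestamp": "2023-05-28T03:12:45Z", "ActionType": "FileModified",
     "FolderPath": r"C:\MOVEitTransfer\wwwroot", "FileName": "human2.aspx",
     "InitiatingProcessFileName": "w3wp.exe"},
    {"Timestamp": "2023-05-29T10:00:00Z", "ActionType": "FileCreated",
     "FolderPath": r"C:\MOVEitTransfer\wwwroot", "FileName": "test.asp",
     "InitiatingProcessFileName": "explorer.exe"},
    {"Timestamp": "2023-05-20T09:00:00Z", "ActionType": "FileCreated",
     "FolderPath": r"C:\MOVEitTransfer\wwwroot", "FileName": "old.aspx",
     "InitiatingProcessFileName": "msiexec.exe"},
    {"Timestamp": "2023-05-29T11:00:00Z", "ActionType": "FileCreated",
     "FolderPath": r"C:\MOVEitTransfer\wwwroot\images", "FileName": "logo.png",
     "InitiatingProcessFileName": "w3wp.exe"},
]

# Assumed cutoff: earliest exploitation observed by Microsoft per the advisory.
# ISO 8601 UTC timestamps compare correctly as strings.
EXPLOIT_SEEN = "2023-05-27T00:00:00Z"

MOVEIT_WWWROOT = r"c:\moveittransfer\wwwroot"


def hunt_lace_tempest_webshell(events):
    """Hunt 1: the human2.aspx web shell touched by the IIS worker process w3wp.exe."""
    return [e for e in events
            if "w3wp.exe" in e["InitiatingProcessFileName"].lower()
            and "human2.aspx" in e["FileName"].lower()]


def hunt_generic_webshell_creation(events, since=EXPLOIT_SEEN):
    """Hunt 2: any .asp/.aspx file created under the MOVEit wwwroot on or after `since`.

    Broader than hunt 1: it catches web shells with names other than human2.aspx,
    at the cost of surfacing legitimate deployments that must be triaged.
    """
    return [e for e in events
            if e["Timestamp"] >= since
            and e["ActionType"] == "FileCreated"
            and MOVEIT_WWWROOT in e["FolderPath"].lower()
            and e["FileName"].lower().endswith(("aspx", "asp"))]


if __name__ == "__main__":
    for hit in hunt_lace_tempest_webshell(SAMPLE_EVENTS):
        print("hunt1:", hit["Timestamp"], hit["FileName"])
    for hit in hunt_generic_webshell_creation(SAMPLE_EVENTS):
        print("hunt2:", hit["Timestamp"], hit["FileName"])
```

Hunt 2 intentionally returns the legitimate-looking test.asp as well; a practitioner reviews each hit against change records rather than treating the match as proof of compromise.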
Indicators of compromise:
References
https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023