MOVEit Transfer Exploited to Drop File-Stealing SQL Shell

By Alex Delamotte and James Haughom

SentinelOne has observed in-the-wild (ITW) exploitation of CVE-2023-34362, a vulnerability in the MOVEit file transfer server application. The attack delivers a Microsoft IIS .aspx payload that enables limited interaction between the affected web server and connected Azure blob storage. On June 5, the Cl0p ransomware group claimed responsibility for these attacks, though SentinelOne notes the targeting of a file transfer application vulnerability resembles other exploitation conducted by financially motivated actors throughout early 2023.

In this post, we provide technical details of the attack chain along with hunting queries and a PowerShell script that can be used to scan for potential exploitation of the MOVEit Transfer vulnerability.

Overview

Through the last week of May and early June 2023, SentinelOne observed active exploitation of Windows servers running a vulnerable version of Progress Software’s MOVEit Transfer file server application. The attack delivers a minimal webshell that the attacker can use to exfiltrate the contents of files, including files hosted in Microsoft Azure when the targeted MOVEit instance is configured to use Azure’s blob storage service. As of June 5, the Cl0p ransomware group claimed responsibility for these campaigns.

While exploitation is likely opportunistic, SentinelOne observed attacks against more than 20 organizations in the following sectors, with Managed Security Service Providers (MSSP) and Managed Information Technology Service Providers (MSP) impacted most frequently:

  • Aviation, Transportation & Logistics
  • Entertainment
  • Financial Services & Insurance
  • Healthcare, Pharmaceuticals & Biotechnology
  • Managed Information Technology Service Providers (MSP)
  • Managed Security Service Providers (MSSP)
  • Manufacturing & Building Materials
  • Mechanical Engineering
  • Print & Digital Media
  • Technology
  • Utilities & Public Services

The vulnerability impacts the following versions of MOVEit Transfer:

  • MOVEit Transfer 2023.0.0: fixed in 2023.0.1
  • MOVEit Transfer 2022.1.x: fixed in 2022.1.5
  • MOVEit Transfer 2022.0.x: fixed in 2022.0.4
  • MOVEit Transfer 2021.1.x: fixed in 2021.1.4
  • MOVEit Transfer 2021.0.x: fixed in 2021.0.6

Technical Details

These attacks are conducted against Windows servers running a vulnerable version of the MOVEit file transfer application, which attackers can identify through port scanning or internet indexing services like Shodan.

Progress Software recently published an advisory detailing a vulnerability in MOVEit Transfer that could enable privilege escalation and unauthorized access to the targeted environment. The advisory describes the issue as a SQL injection vulnerability, tracked as CVE-2023-34362, which can allow an unauthenticated attacker to inject SQL commands and obtain information from the targeted database.

The attack chain leverages this vulnerability to conduct an arbitrary file upload via the moveitsvc service account to the server’s \MOVEitTransfer\wwwroot\ directory. The system’s svchost.exe process launches w3wp.exe, a Microsoft Internet Information Service (IIS) worker process, which then writes several files to a new working directory in Temp. The working directory and subsequent files share the same 8-character, pseudo-random naming syntax, with one example writing the following files:

C:\Windows\Temp\royq2cir
C:\Windows\Temp\royq2cir\royq2cir.tmp
C:\Windows\Temp\royq2cir\royq2cir.0.cs
C:\Windows\Temp\royq2cir\royq2cir.dll
C:\Windows\Temp\royq2cir\royq2cir.cmdline
C:\Windows\Temp\royq2cir\royq2cir.out
C:\Windows\Temp\royq2cir\royq2cir.err

The w3wp.exe process launches csc.exe to compile the C# code into the payload, which is saved as human2.aspx. The payload is a minimal webshell that queries information about the database configuration, enabling the actor to:

  • Connect to specified SQL databases
  • Exfiltrate the contents of files hosted by MOVEit Transfer
  • When MOVEit Transfer is connected to Azure blob storage, exfiltrate contents of specific files in Azure’s blob storage service

To exfiltrate files, the attacker can specify the targeted object’s File ID and Folder ID in HTTP headers of a request made to the webshell. The shell then returns the specified file’s content as a Gzip object in the server’s HTTP response. The shell also deletes the existing user named “Health Check Service” and creates a new user with the same username, likely as a means of persistence.

Mitigation & Prevention

Organizations using MOVEit Transfer should upgrade affected systems immediately. In situations where upgrades cannot be performed, the system should be taken offline until it can be upgraded. Ensure your security team can access and analyze application logs from servers that run MOVEit Transfer, including Microsoft IIS logs.

Because exploitation occurs through interaction with MOVEit Transfer at the application level, detection opportunities for Endpoint Detection & Response (EDR) tooling are limited to later-stage activity. SentinelOne notes that each payload is dynamically compiled at runtime, resulting in a unique hash for each victim. While we are providing a list of hashes associated with payloads delivered through these campaigns, organizations should not rely on hashes alone to detect these attacks.

We recommend that organizations using MOVEit Transfer conduct threat hunts and log analysis using the resources provided below.

Hunting Queries

SentinelOne is providing the following queries that organizations can use to hunt for activity associated with these attacks. While these queries are not necessarily inclusive of all attack scenarios, the results should be investigated and triaged. Additionally, defenders should look for unusual activity initiated by the MOVEit Transfer service account: the default value is moveitsvc, though some instances may have a custom account name.

Query / Description

S1QL: SrcProcName = "w3wp.exe" AND TgtProcName = "csc.exe" AND SrcProcCmdLine Contains Anycase "moveitdmz pool"
  Identify instances of the compilation of DLLs related to MOVEit’s app pool

S1QL: IndicatorName = "LoadUnrelatedLibrary" AND IndicatorMetadata Contains "w3wp.exe" AND SrcProcName StartsWith "DMZ"
  Identify potentially anomalous library loads by the IIS worker process

S1QL: EventType In ("File Creation", "File Modification") AND SrcProcName Contains Anycase "w3wp.exe" And TgtFilePath RegExp "\\moveit[^\\]+" And TgtFilePath Contains Anycase "wwwroot" And TgtFileExtension = "aspx"
  Identify the IIS worker process writing a new ASPX file, or modifying an existing one, in the MOVEit web folder

S1PQ: src.process.parent.name = "w3wp.exe" AND src.process.parent.cmdline contains "moveit" AND src.process.name = "csc.exe" AND src.process.cmdline contains "Temporary ASP.NET Files" AND (tgt.process.name = "cvtres.exe" OR tgt.file.path matches '.*?App_Web_[a-z0-9A-Z]{1,40}\.dll$')
  Indicates the presence of a compiled backdoor
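As an added example (not SentinelOne's script and not code from the post), the following Python turns the chain described under Technical Details and the hunting queries above into three checks run over constructed telemetry: a csc.exe launch by the MOVEit app pool worker, an .aspx write into the MOVEit web root, and an IIS log request for human2.aspx. The event field names, the sample command lines and the IIS log lines are assumptions constructed for this example.

```python
import re
# Added example, not the post's own PowerShell script: three detection checks that mirror
# the attack chain and hunting queries above, run over constructed telemetry.
MOVEIT_WEBROOT = re.compile(r"\\moveit[^\\]+", re.IGNORECASE)  # path regex from the S1QL query
# 8-char pseudo-random Temp working dir with a same-named .cmdline (after the post's file names)
TEMP_CMDLINE = re.compile(r"\\Temp\\([a-z0-9]{8})\\\1\.cmdline", re.IGNORECASE)

def check_process(ev):
    """Flag csc.exe launched by a w3wp.exe worker that serves the MOVEit app pool."""
    if (ev["parent"].lower() != "w3wp.exe" or "moveit" not in ev["parent_cmdline"].lower()
            or ev["name"].lower() != "csc.exe"):
        return None
    temp = " from an 8-char Temp working dir" if TEMP_CMDLINE.search(ev["cmdline"]) else ""
    return "csc.exe compiled code for the MOVEit IIS app pool" + temp

def check_file_write(ev):
    """Flag w3wp.exe creating or modifying an .aspx file in the MOVEit web root."""
    path = ev["path"]
    if (ev["process"].lower() == "w3wp.exe" and path.lower().endswith(".aspx")
            and MOVEIT_WEBROOT.search(path) and "wwwroot" in path.lower()):
        return "w3wp.exe wrote ASPX into MOVEit web root: " + path
    return None

def check_iis_line(line):
    """Flag requests for human2.aspx in an IIS W3C log line (cs-uri-stem is the 5th field)."""
    f = line.split()
    if not line.startswith("#") and len(f) >= 9 and f[4].lower().endswith("/human2.aspx"):
        return "request to human2.aspx from " + f[8] + " at " + f[0] + " " + f[1]
    return None

# Constructed sample telemetry shaped after the chain described above (not real IoCs).
SAMPLE_PROCESSES = [
    {"parent": "w3wp.exe", "parent_cmdline": r'c:\windows\system32\inetsrv\w3wp.exe -ap "moveitdmz pool"',
     "name": "csc.exe", "cmdline": r'csc.exe /noconfig @"C:\Windows\Temp\royq2cir\royq2cir.cmdline"'},
    {"parent": "devenv.exe", "parent_cmdline": "devenv.exe", "name": "csc.exe", "cmdline": "csc.exe app.cs"},
]
SAMPLE_FILES = [
    {"process": "w3wp.exe", "path": r"C:\MOVEitTransfer\wwwroot\human2.aspx"},
    {"process": "w3wp.exe", "path": r"C:\MOVEitTransfer\wwwroot\images\logo.png"},
]
SAMPLE_IIS = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status",
    "2023-05-30 03:12:44 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 200",
    "2023-05-30 03:12:50 10.0.0.5 GET /human.aspx - 443 - 198.51.100.9 200",
]

def scan():
    """Run every check over the sample telemetry and return the list of findings."""
    hits = [h for h in map(check_process, SAMPLE_PROCESSES) if h]
    hits += [h for h in map(check_file_write, SAMPLE_FILES) if h]
    return hits + [h for h in map(check_iis_line, SAMPLE_IIS) if h]
```

On a real host the three sample lists would be replaced by EDR process and file events and the IIS log files under the MOVEit site's log directory.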

In addition to these queries, SentinelOne is providing a script to scan for potential exploitation of the MOVEit Transfer vulnerability.

Conclusion

Based on the activity observed by SentinelOne, we believe the attacker’s goal is to establish access to as many victim environments as possible to conduct file exfiltration at scale.

While the Cl0p ransomware group claimed credit for these attacks, SentinelOne notes that these techniques align with a broader trend of financially motivated attacks against web servers running vulnerable file transfer software. This category of activity includes attacks against Aspera Faspex software that delivered IceFire ransomware earlier in 2023, as well as attacks attributed to Cl0p that exploited a 0-day flaw in the GoAnywhere managed file transfer (MFT) application. Based on the relative increase in file transfer server attacks that use 0-day and N-day exploits, there is likely an abundant exploit development ecosystem focused on enterprise file transfer applications.

The actor’s choice to use the MOVEit flaw to target files in Azure cloud storage is notable, if this activity is solely associated with the Cl0p ransomware group. Cloud-focused extortion actors like Bianlian and Karakurt use multipurpose file management tools like Rclone and Filezilla. A bespoke webshell designed to steal Azure files through SQL queries specific to the targeted environment represents a notable departure from this established norm and suggests the tooling was likely developed and tested well in advance of ITW attacks.

Indicators of Compromise

Files associated with exploitation of vulnerable MOVEit Transfer instances include the following.


Update: On June 14, 2023, the Cl0p actors started adding alleged MoveIT victim names to the leaks site. On June 19, Cl0p began leaking data stolen from victims. Details continue to emerge and the overall scope of these attacks remains to be seen.