CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.8 High
EPSS Percentile: 97.8%
On May 31, the Progress Software Corporation released a security advisory warning customers of a vulnerability in internet-facing and on-premises instances of their MOVEit Transfer solution, which could lead to escalated privileges and potential unauthorized access to an environment. The vulnerability, CVE-2023-34362, has been actively exploited since May 27, but the threat actors may have begun experimenting to compromise it as early as 2021.
As of late May, there were approximately 2,500 exposed MOVEit instances primarily located in the U.S., according to public reporting, highlighting its prevalence in enterprise environments.
The MOVEit Transfer vulnerability, CVE-2023-34362, covers multiple flaws that an attacker can chain together to achieve RCE with elevated privileges. The first part of the exploit chain uses SQL injection to obtain a sysadmin API token. That token can then be used to call a deserialization function that does not properly validate input, allowing for remote code execution.
A second vulnerability, CVE-2023-35036, was subsequently assigned, and Progress Software released patches and an advisory addressing it. The patches for CVE-2023-35036 are meant to close multiple steps of the exploit chain initially observed during exploitation of the first vulnerability, CVE-2023-34362.
On June 15, 2023, another vulnerability, CVE-2023-35708, was identified. Progress Software is in the process of releasing installable patches for this issue, although DLL drop-in fixes are available in the meantime.
The Clop ransomware group released a public statement on their Tor data leak site on June 5, claiming responsibility for the attacks and threatening to publish victims' data if the extortion demand is not paid. The group set a deadline of June 14 for victims to initiate contact, or else their company name would be posted on the data leak site as a warning. At this time, no data has been published, but the group has begun publicly naming and shaming affected companies.
In this activity, the Clop ransomware group exploited CVE-2023-34362 to install a previously unknown web shell now dubbed "LemurLoot".
Written in C#, LemurLoot is designed to exfiltrate data and execute on systems running MOVEit Transfer. The web shell is deployed with a hardcoded, 36-character GUID-formatted value used to authenticate incoming connection requests from the threat actor. The authentication code value must be present in the "X-siLock-Comment" header field without which an HTTP 404 error code will be returned to the operator. If the value is correct, the web shell confirms it can accept taskings and connects to an attacker-controlled SQL server.
LemurLoot uses the header field "X-siLock-Step1" to receive commands from the operator. There are two well-defined commands, -1 and -2. The fields "X-siLock-Step2" and "X-siLock-Step3" hold parameters that are used when no defined command is given.
Command "-1": LemurLoot retrieves Azure system settings from MOVEit Transfer and performs SQL queries to retrieve files.
Command "-2": LemurLoot deletes a user account with the LoginName and RealName set to "Health Check Service".
For any other value of "X-siLock-Step1", the web shell opens the file specified by the folder and file name in "X-siLock-Step2" and "X-siLock-Step3" respectively and retrieves it for the operator.
If no values are specified for "X-siLock-Step2" and "X-siLock-Step3", the web shell creates the "Health Check Service" admin user and creates an active session.
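A triage helper for the tasking protocol just described, added here as an example and not part of the Talos write-up: it parses a raw HTTP request (as exported from a proxy or packet capture) and labels any X-siLock-* tasking using the command table above. The function names and the sample requests are constructed; only the header names and command values come from the description.

```python
import re
from typing import Optional

# Header names come from the LemurLoot description above; everything else
# (function names, the sample requests) is constructed for this example.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

def parse_headers(raw_request: str) -> dict:
    """Return the HTTP headers of a raw request, keys lower-cased."""
    headers = {}
    for line in raw_request.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break                     # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def classify_lemurloot(raw_request: str) -> Optional[str]:
    """Label a request carrying LemurLoot tasking headers; None otherwise."""
    # Legitimate MOVEit clients never send X-siLock-* headers, so their mere
    # presence is alert-worthy; the label follows the command table above.
    h = parse_headers(raw_request)
    if not any(k.startswith("x-silock-") for k in h):
        return None
    token = h.get("x-silock-comment", "")
    auth = "GUID-format token" if GUID_RE.match(token) else "no/invalid token"
    step1 = h.get("x-silock-step1")
    step2, step3 = h.get("x-silock-step2"), h.get("x-silock-step3")
    if step1 == "-1":
        action = "retrieve Azure settings and query files"
    elif step1 == "-2":
        action = "delete 'Health Check Service' account"
    elif step2 and step3:
        action = f"retrieve file {step2}/{step3}"
    else:
        action = "create 'Health Check Service' admin user and session"
    return f"LemurLoot tasking ({auth}): {action}"

# Constructed sample requests (not real traffic) for a quick self-check.
SAMPLES = {
    "benign": "GET /login HTTP/1.1\r\nHost: moveit.example\r\n\r\n",
    "delete": ("POST /upload HTTP/1.1\r\nHost: moveit.example\r\n"
               "X-siLock-Comment: 00000000-0000-4000-8000-000000000000\r\n"
               "X-siLock-Step1: -2\r\n\r\n"),
    "file": ("POST /upload HTTP/1.1\r\nX-siLock-Step1: 0\r\n"
             "X-siLock-Step2: Reports\r\nX-siLock-Step3: q1.csv\r\n\r\n"),
}
```

Because IIS does not log custom request headers by default, this check belongs on a proxy, WAF or packet-capture export rather than on the standard W3C log.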
Progress Software Corporation offers several mitigations for safeguarding against potential exploitation of this vulnerability and best practices for network security:
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Cisco Talos is releasing the following Snort SIDs to protect against this threat:
Snort 2:
Snort 3:
The following ClamAV signatures have been released to detect malware artifacts related to this threat: