Horizon3 security researchers have publicly released proof-of-concept (PoC) exploit code for a remote code execution (RCE) vulnerability in the MOVEit Transfer managed file transfer (MFT) solution, a bug previously exploited by the Clop ransomware group in data theft attacks. The critical flaw, tracked as CVE-2023-34362, is an SQL injection vulnerability that allows unauthenticated attackers to access unpatched MOVEit servers and execute arbitrary code remotely.
Progress, the company behind MOVEit, released security updates to fix the bug on May 31, shortly after the Clop ransomware gang started exploiting it as a zero-day. They urged all customers to apply the updates immediately to prevent exploitation attempts. Horizon3 published the PoC exploit and a technical analysis of the vulnerability on Friday, along with a list of indicators of compromise (IOCs) that network defenders can use to identify exploitation attempts on vulnerable servers.
The researchers from Horizon3 explained, "This POC abuses an SQL injection to obtain a sysadmin API access token and then use that access to abuse a deserialization call to obtain remote code execution." They also noted that the PoC must connect to an Identity Provider (IdP) endpoint hosting suitable RS256 certificates, which are used to forge arbitrary user tokens; by default, the PoC uses Horizon3's own IdP endpoint hosted in AWS.
With the public release of this RCE PoC exploit, it is anticipated that more threat actors will quickly adopt it for attacks or develop their own custom versions to target any remaining unpatched servers accessible via the internet. However, due to extensive media coverage of the attacks exploiting this vulnerability, the number of unsecured MOVEit Transfer servers on the internet is expected to have significantly decreased since Clop started exploiting the bug.
The Clop ransomware gang has claimed responsibility for the data-theft attacks that exploited the CVE-2023-34362 MOVEit Transfer zero-day, saying it has impacted "hundreds of companies." Microsoft has also linked the gang to these attacks, attributing the data theft campaign to the Lace Tempest hacking group, which has connections to FIN11 and TA505 activity. A report by Kroll suggests that Clop had been actively looking for opportunities to exploit the now-patched MOVEit zero-day vulnerability since 2021 and had been searching for ways to extract data from compromised MOVEit servers since at least April 2022.
Among the organizations that have reported data breaches following these attacks are the British multinational EY, the Irish Health Service Executive (HSE) public healthcare system, UK-based payroll and HR solutions provider Zellis, and some of Zellis's customers, such as the UK's flag carrier British Airways, Irish flag carrier Aer Lingus, and the Minnesota Department of Education. The cybercrime group has a history of targeting vulnerabilities in multiple managed file transfer platforms over the past few years. Notable examples include the zero-day breach of Accellion FTA servers in December 2020, the 2021 SolarWinds Serv-U Managed File Transfer attacks, and the exploitation of a GoAnywhere MFT zero-day in widespread attacks in January 2023.
On Friday, Progress patched and alerted customers of new critical SQL injection vulnerabilities in MOVEit Transfer, which could allow unauthenticated attackers to steal information from customers' databases.