[Initially posted at 22:43 UTC on 5 June 2023)

Sophos X-Ops is tracking a developing situation around a SQL injection vulnerability affecting MOVEit Transfer and MOVEit Cloud. The vulnerability related to this is CVE-2023-34362.

This page provides a situation overview and guidance from SophosLabs and MDR.

We will update this page as events and understanding, including our threat and detection guidance, develop.

Situation Overview

On May 31, 2023, Progress Software released a patch for CVE-2023-34362, a SQL injection vulnerability that could enable attackers to gain complete control over a MOVEit installation. (MOVEit is compliance-aware secure file transfer and automation software.) With this level of access, attackers could alter or steal data, install malicious software such as web shells, and/or alter the configuration of the server (including creating new accounts or altering existing ones), among other actions.

As discussed in the Progress advisory for on-premises customers, all MOVEit on-premises customers should apply the mitigations discussed in the advisory as soon as possible and deploy the patch as soon as possible after that. MOVEit cloud customers should read and follow the guidance in the Progress advisory for cloud customers.

Public reports indicate that attacks against this vulnerability were true “zero-day attacks” and may have begun as early as May 27, 2023 — before a patch was available or the vulnerability publicly disclosed or discussed.

These reports also indicate that known attacks against this vulnerability have focused on creating web shells on vulnerable systems and using that access to steal data from compromised systems.

On June 4, 2023, Microsoft Threat Intelligence attributed these attacks to “Lace Tempest,” known for ransomware operations & running the Cl0p extortion site. Lace Tempest is also tracked in the industry as FIN11, DEV-0950, and TA505.

Currently SophosLabs and MDR are seeing a very low number of attacks. This correlates with the findings of other security vendors.

We can also confirm that a key indicator of the known public attacks is the presence of a web shell:

c:MOVEit Transferwwwroothuman2.aspx

Sophos products currently detect and protect against this web shell.

SophosLabs and MDR are not aware of any other signs of attack against this vulnerability currently.

All MOVEit customers should follow the steps outlined in the “Guidance” section below.

Of particular note: Since attacks began before a patch was available, all MOVEit customers should check for signs of compromise beyond those publicly discussed, as attacks could have happened before patching using methods not yet publicly identified. Also, it’s important to note that patching will NOT remove any web shells or other artifacts of compromise. This makes it critical that MOVEit customers include a check for compromise after deploying patches IN ADDITION to deploying patches. Patching alone is NOT sufficient.

Guidance

• MOVEit on-premises customers: Apply the mitigations discussed in the advisory as soon as possible and deploy the patch as soon as possible after that as directed in the guidance for Progress advisory for on-premises customers.
• MOVEit cloud customers: Read and follow the guidance in the Progress advisory for cloud customers.
• All MOVEit customers: Check for signs of malicious activity and take appropriate remediation action if such activity is detected.

Detection Protection

SophosLabs has blocked the malicious domains and published the following detections:

Static detections:

• Troj/WebShel-GO

Resources

More information on this emerging situation can be found on Sophos Naked Security.