MOVEit software vulnerability allows installing ransomware and is not just SQL injection

Since last Thursday, security researchers have been sounding the alarm about a newly discovered flaw in the MOVEit Transfer solution offered by Progress Software. The flaw has been assigned the identifier CVE-2023-34362. MOVEit Transfer is a managed file transfer (MFT) solution that lets an enterprise securely exchange files with business partners and customers over SFTP, SCP, and HTTP-based uploads.

On the same day, a researcher from Huntress, a managed cyber security platform, validated the vulnerability in MOVEit: an SQL injection that enables an adversary to upload or exfiltrate data.

Later, on Sunday, Microsoft connected the Clop ransomware gang to earlier attacks that stole data from enterprises by exploiting the zero-day vulnerability in the MOVEit Transfer platform. Today, Huntress researchers updated their research and exploit, adding Remote Code Execution and ransomware deployment to the demonstrated capabilities.

The researcher has also released a video proof-of-concept (PoC) of the attack, which demonstrates how the vulnerability can be used to obtain shell access via Meterpreter, elevate privileges to NT AUTHORITY\SYSTEM, and trigger a cl0p ransomware payload. Huntress described the vulnerability and said that any unauthorized adversary could trigger the attack, which could then immediately install ransomware or carry out any other malicious activity. Malicious code would execute under the MOVEit service account user moveitsvc, which is a member of the local administrators group, so the adversary could circumvent antivirus safeguards or achieve any other kind of code execution.

“It is not required for attackers to behave in the manner that was noticed by the industry, namely inserting a human2.aspx webshell, in order to compromise the MOVEit Transfer software. It is ‘an option’ that this particular threat chose to deploy for persistence, yet the attack vector has the capability to immediately unleash ransomware. Some have already openly revealed to attackers that they have shifted their focus to other file names,” they added.
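Because the webshell file name is, as Huntress notes above, only an option the attacker can change, a defender should not hunt for human2.aspx by name alone. The following is an added example (not code from Huntress, Progress Software, or the original article) of a baseline-diff check: it compares the .aspx files now present in the MOVEit web root against a snapshot recorded from a known-clean install, and flags IIS requests that hit any .aspx file outside that baseline, regardless of what the file is called. The baseline names, the reduced W3C log field set, and the log lines are constructed for the example and are not real captures.

```python
"""Baseline-diff detection for unexpected .aspx files in a MOVEit Transfer web root.

Added example, not the vendor's or the researchers' code. Both the baseline
and the IIS log excerpt below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed baseline standing in for a snapshot of .aspx file names taken
# from a known-clean MOVEit Transfer install. Record your own from a clean system.
BASELINE_ASPX = frozenset({"human.aspx", "machine.aspx", "guestaccess.aspx"})

# Constructed IIS log excerpt using a reduced W3C field set (not a real capture).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-06-01 10:15:02 203.0.113.7 GET /human.aspx 200
2023-06-01 10:15:09 203.0.113.7 POST /human2.aspx 200
2023-06-01 10:16:41 198.51.100.12 POST /machine.aspx 200
2023-06-01 10:17:03 203.0.113.7 POST /Something.aspx 404
2023-06-01 10:18:20 198.51.100.12 GET /images/logo.png 200
"""

_LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<c_ip>\S+) (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<status>\d{3})$"
)


def unexpected_aspx(current_files: Iterable[str],
                    baseline: Iterable[str] = BASELINE_ASPX) -> List[str]:
    """Return .aspx file names present on disk but absent from the clean baseline.

    Comparison is case-insensitive because IIS path handling is case-insensitive.
    """
    present = {n.lower() for n in current_files if n.lower().endswith(".aspx")}
    return sorted(present - {b.lower() for b in baseline})


def parse_iis_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one reduced W3C log line; directive (#...) and blank lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    return rec


def flag_requests(log_text: str,
                  baseline: Iterable[str] = BASELINE_ASPX) -> List[Dict[str, object]]:
    """Flag requests whose target is an .aspx file that is not in the baseline."""
    known = {b.lower() for b in baseline}
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        name = str(rec["uri"]).rsplit("/", 1)[-1].lower()
        if not name.endswith(".aspx") or name in known:
            continue
        status = int(rec["status"])
        # A 2xx on an unknown .aspx means the file exists and served content,
        # which is the webshell case; other statuses (probing) are still worth review.
        hits.append({
            "c_ip": rec["c_ip"],
            "method": rec["method"],
            "file": name,
            "status": status,
            "severity": "high" if 200 <= status < 300 else "info",
        })
    return hits


if __name__ == "__main__":
    # Constructed directory listing of the web root after a hypothetical intrusion.
    print(unexpected_aspx(["human.aspx", "human2.aspx", "machine.aspx", "web.config"]))
    for hit in flag_requests(SAMPLE_IIS_LOG):
        print(hit)
```

The two checks complement each other: the file-system diff catches a dropped webshell whatever it is named, and the log check shows which client addresses reached it and whether the server actually executed it (a 2xx) or merely received a probe. A real deployment would take the baseline from a clean install of the same MOVEit version and re-baseline after each vendor patch.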