Recent MOVEit Exploits: SQL Injection to Web Shell to Data Exfiltration
In the last few weeks, the security community has been shaken by a series of exploits targeting MOVEit, a popular file transfer product. These incidents have exposed critical vulnerabilities, allowing threat actors to compromise sensitive data at organizations ranging from the BBC to several arms of the US Government.
The Vulnerability – CVE-2023-34362 – SQL injection
The foundation of the MOVEit exploits is CVE-2023-34362, which was a zero-day at the time. The National Vulnerability Database (NVD) rates CVE-2023-34362 as a critical vulnerability. The flaw is an SQL injection vulnerability that enables unauthorized access to MOVEit servers, ultimately leading to data theft and unauthorized file transfers.
According to the NIST NVD advisory, “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. . . exploitation of unpatched systems can occur via HTTP or HTTPS.”
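The advisory does not publish the vulnerable MOVEit code, so the following is an added illustration of the bug class rather than anything from the product: a lookup that concatenates untrusted input into SQL beside the same lookup with a bound parameter. The table, rows and function names are constructed for this example, and SQLite stands in for the MySQL, SQL Server or Azure SQL back end the advisory names; the point (input treated as syntax versus input treated as data) is the same on every engine.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows (not MOVEit data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "user"), ("o'brien", "user"), ("admin", "sysadmin")],
    )
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, username):
    """Concatenates untrusted input into the statement (the SQL injection bug class).

    Returns the matching rows, or None when the input breaks the statement's syntax
    (a single quote in a legitimate name is enough to do that).
    """
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None

def lookup_user_safe(conn, username):
    """Same query with a bound parameter: the driver sends the value separately,
    so quotes, keywords and comment markers in the input are never parsed as SQL."""
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    for name in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(name),
              "vulnerable ->", lookup_user_vulnerable(conn, name),
              "| safe ->", lookup_user_safe(conn, name))
```

Run stand-alone, the script shows three behaviours worth remembering when reviewing code: the concatenated version returns every row for a tautology input, errors out on a legitimate name containing an apostrophe, and only behaves correctly for benign input, whereas the parameterized version returns exactly the rows whose username equals the supplied string in every case. Parameterized queries (or an ORM that always binds values) are the fix; input filtering alone is not.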
The Web Shell
With this vulnerability at their disposal, threat actors have been installing a web shell called LEMURLOOT, which gives them remote command execution (RCE) capabilities. According to the CISA advisory on the MOVEit exploits, “LEMURLOOT is a web shell written in C# designed to target the MOVEit Transfer platform. The web shell authenticates incoming http requests via a hard-coded password and can run commands that will download files from the MOVEit Transfer system, extract its Azure system settings, retrieve detailed record information, and create, insert, or delete a particular user.”
Threat actors have used this combination to gain unauthorized access to sensitive information, jeopardizing the integrity and confidentiality of data within affected organizations.
In the aftermath of the MOVEit exploits, Progress Software, the company behind MOVEit, faces legal repercussions. A class-action lawsuit has been filed against it, highlighting the importance of promptly addressing and mitigating vulnerabilities in software applications. This legal action underscores the need for robust security measures and for accountability in the face of data breaches.
The MOVEit exploits have brought attention to the critical vulnerabilities that can be exploited by threat actors, compromising the security and integrity of organizations’ data. The identified SQL injection vulnerability, CVE-2023-34362, served as the foundation for these exploits, enabling unauthorized access and data exfiltration.
This string of exploits reminds us that diligence about application security is critical. In addition to keeping software patched, it is important to use runtime application and API security protection that can identify (and potentially block) known and unknown issues in live traffic, from both external and internal sources: once the SQL injection succeeded and the web shell was in place, some of the malicious traffic came from internal application components.
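To make the runtime-detection argument concrete, here is an added example (not Traceable's product logic and not code from the original post) that runs three of the checks described above over a handful of constructed access-log lines: SQL injection indicators in query strings, requests to a path the application is not known to serve (a newly dropped web shell is, by definition, a file that was not in the endpoint inventory), and internal components calling endpoints they never normally call. The log format, the endpoint baselines and the `/uploads/cmd.aspx` path are all assumptions made for this example; the real LEMURLOOT indicators are in the CISA advisory, not here.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Constructed sample log lines (not real MOVEit logs): <source> <method> <url> <status>.
# "internal" marks requests that originate from another application component.
SAMPLE_LOG = """\
external GET /api/v1/files?folder=42 200
external POST /api/v1/token 200
external GET /api/v1/files?folder=42'%20OR%20'1'='1 200
external POST /api/v1/token?user=a';DROP%20TABLE%20users;-- 500
external GET /uploads/cmd.aspx 200
internal GET /api/v1/files?folder=7 200
internal GET /uploads/cmd.aspx 200
""".splitlines()

# Endpoints the application is known to serve (assumed baseline; in practice this
# comes from an API inventory built by observing traffic over time).
KNOWN_ENDPOINTS = {"/api/v1/files", "/api/v1/token"}
# Endpoints that internal components legitimately call (assumed baseline).
INTERNAL_ALLOWED = {"/api/v1/files"}

# Coarse SQL injection indicators; a production engine would be far more thorough,
# but these are enough to show how the check is applied to decoded query strings.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s*'", re.I),                       # tautology: ' OR '
    re.compile(r";\s*(drop|insert|update|delete|alter)\b", re.I),  # stacked statement
    re.compile(r"\bunion\b.*\bselect\b", re.I),                  # union-based query
    re.compile(r"--|/\*"),                                       # comment terminators
]

def parse_line(line):
    """Split one constructed log line; the query string is percent-decoded so that
    encoded payloads are inspected in the same form the database would see."""
    src, method, url, status = line.split()
    parts = urlsplit(url)
    return {"src": src, "method": method, "path": parts.path,
            "query": unquote_plus(parts.query), "status": int(status)}

def analyze(lines, known=KNOWN_ENDPOINTS, internal_allowed=INTERNAL_ALLOWED):
    """Return (alert_type, source, path) tuples for every check a request trips."""
    alerts = []
    for line in lines:
        req = parse_line(line)
        if any(p.search(req["query"]) for p in SQLI_PATTERNS):
            alerts.append(("sqli", req["src"], req["path"]))
        if req["path"] not in known:
            alerts.append(("unknown-endpoint", req["src"], req["path"]))
        if req["src"] == "internal" and req["path"] not in internal_allowed:
            alerts.append(("unusual-internal-call", req["src"], req["path"]))
    return alerts

def summarize(alerts):
    """Count alerts by type, for a quick dashboard-style view."""
    return dict(Counter(a[0] for a in alerts))

if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(summarize(found))
```

The two requests to the unknown path are the instructive part: the external one looks like any other HTTP request to a web server, and the internal one is only suspicious because a component that normally talks to one endpoint is suddenly talking to a file that did not exist yesterday. Neither is caught by signature matching on the query string, which is why the post argues for visibility into traffic between components rather than only at the perimeter.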
Traceable provides API security that sees the traffic between all components of your applications, wherever they run. It can detect and block SQL injection and RCE attacks, protect your applications from the OWASP Web and API Top 10 risks, and detect and flag unusual behavior between application components, such as the actions performed by the LEMURLOOT web shell used in these exploits. To learn more about Traceable, visit us at https://traceable.ai.
Traceable is the industry’s leading API Security company that helps organizations achieve API protection in a cloud-first, API-driven world. With an API Data Lake at the core of the platform, Traceable is the only intelligent and context-aware solution that powers complete API security – security posture management, threat protection and threat management across the entire Software Development Lifecycle – enabling organizations to minimize risk and maximize the value that APIs bring to their customers. To learn more about how API security can help your business, book a demo with a security expert.