how Cl0p exploited MoveIt transfer vulnerability


1️⃣ MOVEit Transfer is a popular platform used by organizations to manage their file transfer operations. It supports MySQL, Microsoft SQL Server, and Azure SQL database engines.

2️⃣ In May 2023, the CL0P ransomware group exploited a SQL injection zero-day vulnerability, identified as CVE-2023-34362. They used this vulnerability to install a web shell called LEMURLOOT on MOVEit Transfer web applications.

3️⃣ The web shell was initially observed with the name “human2.aspx” to deceive users, making it appear as the legitimate “human.aspx” file that is part of the MOVEit Transfer software.

4️⃣ Upon installation, the web shell generates a random 36-character password for authentication purposes.

5️⃣ The web shell communicates with its operators by awaiting HTTP requests that include a header field called X-siLock-Comment. This field must have a value matching the password established during the web shell’s installation.
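The two indicators the post describes (the look-alike human2.aspx path and the X-siLock-Comment authentication header) can be turned into a simple detection over captured HTTP requests. The following is an added example, not code from the original post; it assumes raw request headers as captured by a reverse proxy or WAF in front of MOVEit Transfer, and the sample requests are constructed.

```python
from typing import Dict, List

# Indicators from the post: LEMURLOOT masqueraded as human2.aspx (mimicking the
# legitimate human.aspx) and authenticates via the X-siLock-Comment header,
# whose value must equal the random 36-character password set at install time.
SHELL_FILENAME = "human2.aspx"
AUTH_HEADER = "x-silock-comment"
PASSWORD_LEN = 36


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP request (request line + headers) into method, path, headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return {"method": method, "path": target.split("?", 1)[0], "headers": headers}


def classify_request(raw: str) -> List[str]:
    """Return the LEMURLOOT indicators matched by one request (empty list = nothing seen)."""
    req = parse_request(raw)
    findings: List[str] = []
    if str(req["path"]).lower().endswith("/" + SHELL_FILENAME):
        findings.append("path targets human2.aspx")
    value = req["headers"].get(AUTH_HEADER)  # type: ignore[union-attr]
    if value is not None:
        findings.append("X-siLock-Comment header present")
        if len(value) == PASSWORD_LEN:
            findings.append("header value is 36 characters (web shell password length)")
    return findings


# Constructed sample traffic: a normal MOVEit request and one aimed at the web shell.
BENIGN_REQUEST = (
    "GET /human.aspx?OrgID=1 HTTP/1.1\r\nHost: moveit.example.internal\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)
SHELL_REQUEST = (
    "POST /human2.aspx HTTP/1.1\r\nHost: moveit.example.internal\r\n"
    "X-siLock-Comment: 0123456789abcdefghijklmnopqrstuvwxyz\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (BENIGN_REQUEST, SHELL_REQUEST):
        print(parse_request(sample)["path"], "->", classify_request(sample) or "clean")
```

Standard IIS logs do not record custom request headers, so the header check only works on proxy, WAF or full-capture data; the path check alone still works on W3C logs.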

🚨 Your security is our top priority. If you are using MOVEit Transfer, we strongly recommend taking immediate action. Update your software to the latest version and apply any available security patches.

Should you require assistance or have any concerns, feel free to reach out to our dedicated support team. Stay proactive and stay safe online! 🔒✨