The MOVEit Attack: ‘Human2’ Fingerprint
The group behind Cl0p has used a number of vulnerabilities in file transfer services, such as GoAnywhere MFT in January (CVE-2023-0669), and the MOVEit managed file transfer platforms in late May and early June (CVE-2023-34362).
Initially, the attackers installed a web shell, named LEMURLOOT, using the name “human2.aspx” and used commands sent through HTTP requests with the header field set to “X-siLock-Comment”. The advisory from the Cybersecurity and Infrastructure Security Agency also includes four YARA rules for detecting a MOVEit breach.
The attack also leaves behind administrative accounts in associated databases for persistence — even if the Web server has been completely reinstalled, the attackers can revive their compromise. Sessions in the “activesessions” database with Timeout = ‘9999’ or users in the User database with Permission = ‘30’ and Deleted = ‘0’ may indicate an attacker activity, according to CrowdStrike.
One hallmark of the MOVEit attack, however, is that often few technical indicators are left behind. The extended success of the Cl0p attack against MOVEit managed file transfer software and the difficulty in finding indicators of compromise shows that product vendors need to spend additional effort on ensuring that forensically useful logging is available, says Caitlin Condon, a security manager with vulnerability-management firm Rapid7.