Introduction
Itron, Inc., a major player in the utility and energy sector, recently filed an 8-K with the U.S. Securities and Exchange Commission (SEC) disclosing a cybersecurity incident involving unauthorized access to internal IT systems. This disclosure is the latest ripple in the widespread wave of attacks targeting the critical infrastructure supply chain.
For defenders, this is not a theoretical exercise. Itron's systems manage metering and critical infrastructure data. The confirmed vector in this campaign is the exploitation of CVE-2023-34362, a critical SQL injection vulnerability in Progress Software’s MOVEit Transfer. The Cl0p ransomware gang has aggressively utilized this vulnerability to exfiltrate data from organizations worldwide. Utility providers and any entity running MOVEit Transfer are in the crosshairs. Immediate action is required to identify if the web shell has been planted and to eject the adversary.
Technical Analysis
Affected Products:
- Progress MOVEit Transfer (all versions prior to 2023.0.5, 2023.1.4, and 2023.2.0)
- Progress MOVEit Cloud (managed by Progress, patched June 2023)
Vulnerability Details:
- CVE Identifier: CVE-2023-34362
- CVSS Score: 9.8 (Critical)
- Attack Vector: Network
Mechanism of Exploitation: The vulnerability is a SQL injection (SQLi) flaw in the MOVEit Transfer web application. The attacker crafts a malicious HTTP request targeting a specific endpoint. Due to insufficient input sanitization, the attacker can inject arbitrary SQL commands into the backend database.
In the specific campaign targeting Itron and others, the attacker uses this SQLi capability to gain xp_cmdshell execution rights on the underlying SQL Server. Once command execution is achieved, the attacker drops a web shell—often disguised as legitimate files such as human2.aspx or guestaccess.aspx—into the web root. This web shell provides persistent remote access, allowing the attacker to enumerate files, move laterally, and exfiltrate data using standard HTTP(S) traffic that blends in with normal web server operations.
Exploitation Status: Confirmed active exploitation (ITW). This vulnerability is included in the CISA Known Exploited Vulnerabilities (KEV) Catalog. Proof-of-Concept (PoC) code is public, and automated mass-exploitation scanning is ongoing.
Detection & Response
This incident requires a hunt-centric approach. You cannot rely solely on AV/EDR; the attackers are living 'off the land' using the database and web server processes.
Sigma Rules
The following Sigma rules detect the SQLi injection attempts characteristic of CVE-2023-34362 and the subsequent web shell activity.
---
title: Itron MOVEit Transfer CVE-2023-34362 Exploitation Attempt
id: 2d8b1c9e-a4f3-4b2a-9f1d-8c7e6b5a4d3c
status: experimental
description: Detects the specific SQL injection pattern used to exploit MOVEit Transfer (CVE-2023-34362) via the HTTP request.
references:
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
author: Security Arsenal
date: 2024/04/19
tags:
- attack.initial_access
- attack.t1190
- cve.2023.34362
logsource:
category: webserver
product: moveit_transfer
detection:
selection:
c_uri|contains:
- 'api/v1/transfer'
cs_method: POST
cs_uri_query|contains:
- 'X-silock-ShiftSelect='
- 'X-silock-SourceDescription='
condition: selection
falsepositives:
- None known
level: critical
---
title: MOVEit Transfer Web Shell Deployment human2.aspx
id: 1a2b3c4d-5e6f-7g8h-9i0j-1k2l3m4n5o6p
status: experimental
description: Detects the creation or request of known web shell artifacts associated with MOVEit exploitation.
references:
- https://www.microsoft.com/en-us/security/blog/2023/06/15/microsoft-investigates-clop-ransomware-exploiting-moveit-vulnerability/
author: Security Arsenal
date: 2024/04/19
tags:
- attack.persistence
- attack.t1505.003
- cve.2023.34362
logsource:
category: webserver
product: moveit_transfer
detection:
selection:
c_uri|endswith:
- '/human2.aspx'
- '/guestaccess.aspx'
condition: selection
falsepositives:
- Legitimate administrative access (unlikely for these specific filenames)
level: high
KQL (Microsoft Sentinel / Defender)
Hunt for signs of the web shell and data exfiltration in your network logs.
// Hunt for suspicious MOVEit file access and web shell indicators
DeviceNetworkEvents
| where ActionType in ("ConnectionAccepted", "ConnectionSuccess")
| where RemoteUrl endswith ".aspx"
| extend File = split(RemoteUrl, "/")[-1]
| where File in~ ("human2.aspx", "guestaccess.aspx", "machine2.aspx")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
Velociraptor VQL
Endpoint forensics are critical to confirm if the web shell persists on disk.
-- Hunt for MOVEit Transfer web shell artifacts on the file system
SELECT FullPath, Size, Mtime, Atime, Mode
FROM glob(globs='C:\**\MOVEitTransfer\wwwroot\*.aspx')
WHERE Name =~ "human2.aspx"
OR Name =~ "guestaccess.aspx"
OR Name =~ "machine2.aspx"
Remediation Script (PowerShell)
Use this script to audit MOVEit Transfer installations for known indicators of compromise (IOCs) related to this specific campaign.
# Audit for MOVEit Transfer CVE-2023-34362 IOCs
# Requires Administrative privileges
Write-Host "[*] Starting Audit for MOVEit Transfer IOCs..."
$WebRoots = @(
"C:\Program Files\MOVEit Transfer\wwwroot",
"C:\MOVEitTransfer\wwwroot", # Common default locations
"D:\MOVEitTransfer\wwwroot"
)
$IOC_Files = @("human2.aspx", "guestaccess.aspx", "machine2.aspx")
foreach ($Root in $WebRoots) {
if (Test-Path $Root) {
Write-Host "[+] Scanning directory: $Root" -ForegroundColor Cyan
foreach ($IOC in $IOC_Files) {
$Path = Join-Path -Path $Root -ChildPath $IOC
if (Test-Path $Path) {
Write-Host "[!!!] CRITICAL: IOC Found at $Path" -ForegroundColor Red
# Get file details
Get-Item $Path | Select-Object FullName, LastWriteTime, Length
}
}
}
}
# Check for suspicious recent .aspx file creation in the last 30 days
Write-Host "[*] Checking for recently modified .aspx files in MOVEit directories..."
$CutoffDate = (Get-Date).AddDays(-30)
foreach ($Root in $WebRoots) {
if (Test-Path $Root) {
Get-ChildItem -Path $Root -Filter "*.aspx" -Recurse -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt $CutoffDate } |
Select-Object FullName, LastWriteTime, @{Name='AgeDays';Expression={(New-TimeSpan -Start $_.LastWriteTime -End (Get-Date)).Days}} |
Format-Table -AutoSize
}
}
Write-Host "[*] Audit Complete. If IOCs are found, isolate the server and initiate IR procedures." -ForegroundColor Yellow
Remediation
-
Patch Immediately: Apply the latest patches provided by Progress Software. You must update to the fixed versions:
- MOVEit Transfer 2023.0.5 (or later)
- MOVEit Transfer 2023.1.4 (or later)
- MOVEit Transfer 2023.2.0 (or later)
-
Assume Compromise: If your system was unpatched before June 2023, assume the attacker has accessed it. Simply patching the vulnerability does not remove a web shell that was already dropped.
-
Threat Hunt: Review IIS logs (or equivalent web server logs) for the specific SQL injection patterns mentioned in the Technical Analysis section. Look for successful HTTP 200 or 500 responses from POST requests to
api/v1/transfer. -
Credential Rotation: Rotate all credentials used to access the MOVEit Transfer application (database credentials, API keys, and SFTP/FTP user accounts).
-
Official Advisory: Refer to the official Progress Security Advisory for the most up-to-date mitigation steps and file integrity checks: Progress Security Advisory
-
CISA Directive: Per CISA KEV Catalog ED 23-06, federal agencies are required to patch by June 23, 2023. Private sector entities should treat this deadline as a critical benchmark.
Related Resources
Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.