Last Modified: June 12, 2023
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.
Tweets last week: 0 (remaining steady)
Yahoo results: 333000 (strongly raising)
Current EPSS Score: 0.9201 (remaining steady)
Reddit Posts: 26 (remaining steady)
Github Repos: 8 (remaining steady)
Found exploits:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Base Score: 9.8
Exploitability Score: 3.9
Impact Score: 5.9
CVSS V3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-89
alert http ( msg:"MALWARE-BACKDOOR Asp.Backdoor.MoveITShell connection attempt"; http_header; content:"X-siLock-Comment",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; reference:cve,2023-34362; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:url,gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643; classtype:trojan-activity; gid:1; sid:300582; rev:2; )

alert file ( msg:"MALWARE-BACKDOOR Asp.Backdoor.MoveITShell download attempt"; file_data; content:"Request.Headers[|22|X-siLock-Step3|22|]",fast_pattern,nocase; content:"Delete FROM users WHERE RealName=|27|Health Check Service|27|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; reference:cve,2023-34362; reference:url,community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023; reference:url,gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643; classtype:trojan-activity; gid:1; sid:300583; rev:2; )

alert http ( msg:"SERVER-WEBAPP MOVEit Transfer moveitisapi.dll server side request forgery attempt"; flow:to_server,established; http_uri; content:"moveitisapi.dll",fast_pattern,nocase; content:"action=m2",nocase; http_header; content:"x-silock-transaction",nocase; content:"X-siLock-Transaction",distance 0,nocase; content:"folder_add_by_path",nocase; content:"session_setvars",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; reference:cve,2023-34362; reference:url,horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/; classtype:web-application-attack; gid:1; sid:61936; rev:1; )

alert http ( msg:"SERVER-WEBAPP MOVEit Transfer moveitisapi.dll SQL injection attempt"; flow:to_server,established; http_uri:path; content:"/MOVEitISAPI.dll",fast_pattern,nocase; http_param:"action",nocase; content:"m2",nocase; http_header; content:"X-siLock-SessVar",nocase; pcre:"/^X-siLock-SessVar[^\r\n]*?([\x27\x22\x3b\x23\x28]|\x2f\x2a|\x2d\x2d)/im"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop; reference:cve,2023-34362; reference:url,horizon3.ai/moveit-transfer-cve-2023-34362-deep-dive-and-indicators-of-compromise/; classtype:web-application-attack; gid:1; sid:62231; rev:1; )
Condition | Configuration | |
---|---|---|
OR | ||
OR | ||
cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:* Part: a Vendor: progress | All vulnerabilities for progress | |
cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:* Part: a Vendor: progress | All vulnerabilities for progress | |
cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:* Part: a Vendor: progress | All vulnerabilities for progress | |
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:* Part: a Vendor: progress | All vulnerabilities for progress | |
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:* Part: a Vendor: progress | All vulnerabilities for progress | |
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:* Part: a Vendor: progress | All vulnerabilities for progress | |
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:* Part: a Vendor: progress | All vulnerabilities for progress | |
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:* Part: a Vendor: progress | All vulnerabilities for progress | |
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:* Part: a Vendor: progress | All vulnerabilities for progress | |
Description:
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.
CWE-ID:
Not defined
Base Score V3:
Not defined
Exploitability Score V3:
Not defined
Impact Score V3:
Not defined
Cvss Vector V3:
Not defined
Configuration:
added:
cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:*
cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:*
cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:*
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*
Reference:
added:
http://packetstormsecurity.com/files/172883/MOVEit-Transfer-SQL-Injection-Remote-Code-Execution.html
Reference:
added:
http://packetstormsecurity.com/files/173110/MOVEit-SQL-Injection.html
<?xml version="1.0" ?> <set operator="and"> <set operator="or"> <prop key="application" value="cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> </set> </set>
<?xml version="1.0" ?> <set operator="and"> <set operator="or"> <prop key="application" value="cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_cloud:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> <prop key="application" value="cpe:2.3:a:progress:moveit_transfer:*:*:*:*:*:*:*:*"/> </set> <prop key="program_influence" value="input"/> </set>