How to Protect Against the MOVEit Transfer Exploit

Morphisec’s Oren Dvoskin delves into everything we need to know about this vulnerability

Illustration: Annette Riedl/dpa via REUTERS

The US Cybersecurity and Infrastructure Security Agency (CISA) admitted it is providing support to several Federal agencies that were breached following vulnerabilities exposed in the Progress (formerly Ipswitch) MOVEit Transfer solution. According to an alert and cybersecurity advisory published by CISA, the CL0P Ransomware Gang has been actively exploiting the vulnerabilities for data exfiltration and to execute remote commands on the target machines.  

What we know about the MOVEit transfer vulnerability

First disclosed on May 31st 2023, the issue was confirmed by Progress as three critical vulnerabilities (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) that can allow threat actors to attain escalated privileges and unauthorized access to the environment. In its advisory, Progress described the immediate steps all MOVEit customers should take to remediate the vulnerability.

A technical analysis by CISA reveals that in May 2023 the CL0P group began exploiting the SQL injection vulnerability to install a web shell named LEMURLOOT on MOVEit servers, dropped as ‘human2.aspx’ and later renamed to ‘human.aspx’ (VirusTotal). The web shell, purpose-built for the MOVEit platform, is a toolkit with multiple operational capabilities, including downloading files and retrieving and manipulating Azure system settings, as well as creating admin users.

The impact of the vulnerability is widespread. MOVEit Transfer is a popular Managed File Transfer (MFT) solution used by thousands of enterprises, primarily in the United States, including government agencies, banks, software vendors, and other organizations. Victims, including Shell, the University Systems of Georgia, the BBC, and British Airways, began receiving ransom notes demanding payment to prevent publication of the exfiltrated data.

Targeting Managed File Transfer (MFT) solutions

Managed File Transfer solutions and Secure MFT (sMFT) are used to secure and automate the transfer of data and documents across and between organizations. The solutions are typically deployed by large organizations to enable the secure sharing of sensitive information, often connecting public-facing interfaces with content stored in internal, sensitive networks.

The Russia-based CL0P (Clop) hacking group (TA505) allegedly exploited vulnerabilities in other MFT solutions, including Accellion’s FTA in 2020 and 2021, and Fortra’s GoAnywhere MFT solution earlier in 2023 (CVE-2023-0669).

MFT solutions are tempting targets for threat actors. Compromising them grants access to the very information the solutions were meant to safeguard, and gaining control over the target machines opens a path into the protected victim networks.

This enables threat actors like CL0P to employ “double extortion” tactics: using the control they have achieved, they both steal data and execute ransomware across the target machines.

The exploited vulnerabilities serve as an entry point for the threat actors to execute the later stages of the attack.  Once the initial phase is complete, attackers establish C2 communications, allowing them to drop payloads to execute the later phases. In previous incidents, CL0P has been observed to use Truebot, which subsequently downloads Cobalt Strike and FlawedGrace beacons.  

The MOVEit Transfer attack stages. Modified from: Forescout (https://www.forescout.com/wp-content/uploads/2023/06/CVE-2023-34362.png)

While the initial stage of the attack exploits new vulnerabilities, the next phase drops malicious payloads using evasive, in-memory techniques to bypass detection by the resident endpoint protection solutions.

Recommended actions

Immediate mitigations include applying the security patches and following the instructions published by Progress (MOVEit), and updating indicators of compromise (IOCs) with those published by CISA.
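One concrete way to act on the web shell indicator from the CISA analysis above is to sweep the MOVEit Transfer site's IIS logs for requests to the dropped file name. The following is an added detection example, not Morphisec's or CISA's code; it assumes the logs are in the IIS W3C extended format with a `#Fields:` header line, and the sample log lines are constructed.

```python
"""Scan IIS W3C logs for requests to the LEMURLOOT web shell file name.

Added detection example (not Morphisec's or CISA's code). Assumes the
MOVEit Transfer site logs in IIS W3C extended format with a '#Fields:'
header. The indicator is the dropped file name from the analysis above.
"""
from collections import Counter

# File name under which the web shell was dropped, per the CISA analysis.
WEBSHELL_NAMES = {"human2.aspx"}

# Constructed sample log; IPs are documentation ranges, not real IOCs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 01:12:03 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 Mozilla/5.0 200
2023-05-28 01:12:09 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.7 - 200
2023-05-28 01:12:10 10.0.0.5 GET /favicon.ico - 443 - 203.0.113.10 Mozilla/5.0 404
2023-05-28 01:13:44 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.7 - 200
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the '#Fields:' header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_webshell_requests(text):
    """Return (hits, requests-per-source) for URIs whose file name is an indicator."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            hits.append({"time": f"{rec.get('date')} {rec.get('time')}",
                         "src": rec.get("c-ip"), "method": rec.get("cs-method"),
                         "uri": stem, "status": rec.get("sc-status")})
    return hits, Counter(h["src"] for h in hits)


if __name__ == "__main__":
    hits, by_src = find_webshell_requests(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['src']} {h['method']} {h['uri']} -> {h['status']}")
    print("sources:", dict(by_src))
```

Any hit warrants treating the host as compromised and moving to the CISA guidance above; a clean sweep is not proof of absence, since the analysis notes the shell was later renamed to the legitimate-looking human.aspx.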

Written by Oren Dvoskin, Morphisec. To the original blog post
