Update 6/5/2023 @ 10 AM ET:
Microsoft Points to Clop Ransomware Gang in MOVEit Data-Theft Attacks
Microsoft has attributed a recent series of data-theft attacks against the MOVEit Transfer platform to the well-known cybercriminal group Clop. The attacks exploited a previously unknown flaw (a ‘zero-day vulnerability’) to steal data from affected organizations. According to Microsoft’s Threat Intelligence team, the group has exploited similar flaws in the past.
Quick Recap: What Happened with MOVEit Transfer?
News outlet BleepingComputer first reported that unidentified hackers were using a zero-day vulnerability in MOVEit Transfer servers to steal data. MOVEit Transfer is a managed file transfer (MFT) product that businesses use to exchange files with partners and customers.
The attacks began around May 27, over the US Memorial Day holiday weekend. The attackers used the vulnerability to plant a webshell (a script placed on the web server that gives them remote control through ordinary web requests). The webshell let them list and download files and extract the server’s Azure Blob Storage account settings, which can then be used to reach files the organization stores in the cloud.
Clop Ransomware Group Likely Involved
While it wasn’t immediately clear who was behind the attacks, similarities with earlier campaigns pointed to the Clop group, which has a history of targeting managed file transfer software in exactly this way.
Microsoft’s threat intelligence team now links these attacks to ‘Lace Tempest’, the new name Microsoft uses for the group that is also tracked as TA505, FIN11, or DEV-0950.
Waiting for Extortion Attempts
As of this update, the Clop group has not yet begun demanding money for the stolen data. That is consistent with its past behaviour: the gang takes a ‘wait-and-see’ approach and usually lets a few weeks pass after the theft before making demands.
“If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day. You can read about us on Google by searching for CLOP hacker group,” reads a typical Clop ransom note.
Once demands begin, Clop typically adds victims to its data-leak website, where it threatens to publish stolen files, to increase the pressure. In the GoAnywhere campaign, victims began appearing on the gang’s site just over a month after the attacks.
Progress Software Corporation published an advisory on May 31, 2023 stating that it had discovered a zero-day vulnerability in MOVEit Transfer, a managed file transfer solution developed by the company’s subsidiary, Ipswitch.
At the time of the original post no CVSS score had been issued, but based on the ports Progress told admins to block (80 and 443) and the location they were told to check for unusual files (the web root), BleepingComputer assessed it as most likely a web-facing SQL injection (SQLi) vulnerability, which Progress later confirmed.
According to TrustedSec, attackers can leverage the vulnerability (CVE-2023-34362) to escalate privileges and gain unauthorized access to the environment; an unauthenticated threat actor who succeeds can read any folder or file within the MOVEit system.
On May 28, 2023 at 1:18 PM EST, Blumira detected zero-day exploitation of MOVEit Transfer. The detection fired on the webshell human2.aspx being written to disk by the IIS worker process w3wp.exe, which is classic post-exploitation activity: the web server process has no legitimate reason to create new script files in its own web root.
This vulnerability is actively being exploited in the wild.
How Bad is This?
This is bad: the threat actors are not only exploiting the vulnerability to get into MOVEit, they have automated the exfiltration of private data from the organizations that run it.
According to public analysis of the recovered backdoor sample, in simple terms, here is how it works:
- The backdoor (human2.aspx) first checks the incoming request for a specific password. If the password is missing or wrong, it simply returns an error, so an ordinary visitor or scanner sees nothing unusual.
- It then reads an instruction value from the request. The value can be -1, -2, or absent, and the backdoor branches on it:
- If the instruction is -1, it first collects the Azure Blob Storage account identifiers configured on the server.
- It then gathers a list of all files and folders, their owners and sizes, and the names of every organization (an “institution” in MOVEit terms) on the system, and sends that inventory back to the attacker.
- If the instruction is -2, it deletes the user named “Health Check Service” from the user list, removing the account it planted.
- If there is no instruction, it looks for two further values, one identifying a folder and one identifying a file. If both are present, it returns the requested file (this is the exfiltration path). If they are missing, it instead creates a user named “Health Check Service” with administrator rights and opens an active session for that user, giving the attacker a persistent, privileged login.
What Should I Do?
Progress has released a patch, linked from its advisory and listed by version below. Admins should apply it as soon as possible. Note that patching closes the hole but does not remove a webshell or rogue “Health Check Service” account that was planted before the fix, so patch first and then hunt for the indicators described under “How To Detect”.
Until the patch is applied, Progress recommends immediately modifying firewall rules to deny HTTP and HTTPS traffic to the MOVEit Transfer environment on ports 80 and 443. This temporarily disables the components that depend on the web interface (SFTP and FTP/S transfers on their own ports are unaffected), including:
- The MOVEit Transfer web UI
- Automation tasks that use the native MOVEit Transfer host
- REST, Java and .NET APIs
- MOVEit Transfer add-in for Outlook
Upgrade to a fixed version of MOVEit Transfer:
- MOVEit Transfer 2023.0.1
- MOVEit Transfer 2022.1.5
- MOVEit Transfer 2022.0.4
- MOVEit Transfer 2021.1.4
- MOVEit Transfer 2021.0.6
How To Detect
You can detect active exploitation with the Sigma rule published in the SigmaHQ repository for this CVE (SigmaHQ publishes Sigma rules, which map onto SIEM queries, rather than YARA rules).
The rule flags file creations in the ‘\MOVEit Transfer\wwwroot’ directory whose names end in ‘.7z’, ‘.bat’, ‘.dll’, ‘.exe’, ‘.ps1’, ‘.rar’, ‘.vbe’, ‘.vbs’, or ‘.zip’, and specifically a file named ‘human2.aspx’ in that directory.
For further technical details, see:
How Does Blumira Protect Against This?
The existing Blumira detection, “Webshells by File Write”, detects exploitation of this vulnerability. Be on the lookout for any file written by the IIS worker process (w3wp.exe) into the C:\MOVEit Transfer\wwwroot\ directory. Any web-facing server that triggers this detection and hosts the MOVEit Transfer service should be heavily scrutinized.
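The two file-write indicators above, the SigmaHQ rule’s suspicious-extension/human2.aspx check in the web root and Blumira’s “written by the IIS worker process” check, implemented as one small detection routine and run over constructed Sysmon Event ID 11 (FileCreate) records. This is an added example, not Blumira’s or SigmaHQ’s code: the event records are constructed, the field names (EventID, Image, TargetFilename) follow Sysmon’s FileCreate schema, and the default install path C:\MOVEit Transfer\wwwroot is assumed.

```python
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumption: default MOVEit Transfer install location (compared case-insensitively).
WWWROOT = r"c:\moveit transfer\wwwroot"
# Extensions the SigmaHQ rule treats as suspicious when created in the web root.
SUSPICIOUS_EXT = {".7z", ".bat", ".dll", ".exe", ".ps1", ".rar", ".vbe", ".vbs", ".zip"}
KNOWN_WEBSHELL = "human2.aspx"
IIS_WORKER = "w3wp.exe"  # IIS worker process; it should never write into its own web root


@dataclass
class Alert:
    rule: str
    image: str
    path: str


def in_wwwroot(path: str) -> bool:
    """True if a Windows path resolves to somewhere under the MOVEit web root.

    ntpath handles backslash paths on any OS; normpath collapses '..' so a
    traversal-style path cannot dodge the prefix check, and lower() ignores case."""
    normalized = ntpath.normpath(path).lower()
    return normalized.startswith(WWWROOT + "\\")


def check_event(event: dict) -> list[Alert]:
    """Evaluate one Sysmon FileCreate (EventID 11) record against both rules."""
    alerts: list[Alert] = []
    if event.get("EventID") != 11:
        return alerts
    path = event.get("TargetFilename", "")
    image = event.get("Image", "")
    if not in_wwwroot(path):
        return alerts
    name = ntpath.basename(path).lower()
    ext = ntpath.splitext(name)[1]
    # Rule 1 (SigmaHQ indicator): suspicious extension or the known webshell name in wwwroot.
    if ext in SUSPICIOUS_EXT or name == KNOWN_WEBSHELL:
        alerts.append(Alert("moveit_wwwroot_indicator", image, path))
    # Rule 2 (Blumira "Webshells by File Write"): any file written into wwwroot by w3wp.exe.
    if ntpath.basename(image).lower() == IIS_WORKER:
        alerts.append(Alert("webshell_by_file_write", image, path))
    return alerts


def scan(events: list[dict]) -> list[Alert]:
    """Run both rules over a batch of events and return every alert in order."""
    return [alert for event in events for alert in check_event(event)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. The exploitation pattern from the post: IIS writes human2.aspx -> both rules fire.
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\MOVEit Transfer\wwwroot\human2.aspx"},
    # 2. An installer dropping a DLL under wwwroot\bin during an upgrade -> rule 1 only
    #    (expected noise while patching; see the note below).
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\MOVEit Transfer\wwwroot\bin\Example.dll"},
    # 3. IIS writing a temp file outside the web root -> no alert.
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Windows\Temp\upload.tmp"},
    # 4. Mixed case plus a '..' hop back into wwwroot from another process -> rule 1 (.zip).
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"c:\MOVEIT TRANSFER\WwwRoot\..\wwwroot\loot.ZIP"},
    # 5. A process-create event (EventID 1) is outside this rule set and is ignored.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.image} wrote {alert.path}")
```

Rule 1 also fires on legitimate installer writes (event 2), including the upgrade this advisory tells you to perform, so scope it by time window or exclude the installer’s Image; rule 2 has far fewer benign triggers because w3wp.exe has no business creating files in the web root. Neither rule catches a webshell planted before file-create telemetry was enabled, so pair them with a one-off listing of the wwwroot directory on every MOVEit host.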
Update 6/28/2023 @ 4 pm ET:
Blumira has since added the following detections, which look for known bad user-agent strings, files, and other MOVEit API calls associated with this activity:
- CVE-2023-34362: MoveIT Indicator of Compromise Suspicious User Agent
- CVE-2023-34362: MoveIT Indicator of Compromise
How Blumira Can Help
It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment.
Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.