The MOVEit Attack Explained

Who are the Cl0p Ransomware Gang?

The Clop group, also known as TA505, has been active in distributing ransomware and conducting extortion since 2019. The group has targeted over 3,000 US organizations and over 8,000 globally, according to the following source. Additionally, the group operates as an initial access broker, selling compromised networks to other groups, and operates a botnet specializing in financial fraud and phishing. The group has also developed three zero-day exploits and employs custom webshells and malware toolkits in their attacks. This advanced level of sophistication sets them apart from other extortion groups that typically rely on open-source tools.

Ransomware Groups Exploit Zero-Day Vulnerabilities in File Transfer Apps

Cybersecurity company SentinelOne has identified a trend in the exploitation of zero-day and N-day vulnerabilities in enterprise managed file transfer applications. Researchers warn that there may be an “abundant exploit development ecosystem” focused on these applications. In March, the IBM Aspera Faspex file sharing software was compromised by attackers exploiting a deserialization flaw, leading to the deployment of the IceFire ransomware.

Since the MOVEit exploit became public knowledge, researchers have witnessed increased patching and a slower rate of exploit attempts. SentinelOne has published threat-hunting queries to help organizations search for evidence of the attacks, and the Cybersecurity and Infrastructure Security Agency (CISA) has issued advisory guidance containing YARA detection rules and indicators of compromise.

How to Protect your Company from the MOVEit Attack

As a starting point, to protect your company from the MOVEit attack, you should follow the security advice from Progress Software, the vendor of the MOVEit Transfer service. Some of the steps you should take include:

• Apply the security update that fixes the vulnerability as soon as possible.
• Whitelist traffic on ports 80 and 443 to the MOVEit Transfer server to prevent external access to the web user interface.
• Inspect the C:\\MOVEit Transfer\\wwwroot\\ folder for suspicious files, such as backups or large file downloads.
• Enable logging and auditing on the MOVEit Transfer server and monitor for any unusual activity.
• Use a firewall or other security tools to block access to known malicious domains or IP addresses associated with the attack.

You should check for any indicators of compromise (IoCs) that may suggest your company has been affected by the attack. Some of the IoCs associated with the MOVEit attack include:

• Scripts or webshells uploaded to the C:\\MOVEit Transfer\\wwwroot\\ folder, such as backup.aspx, backup.aspx.cs, backup.aspx.designer.cs, backup.aspx.resx, download.aspx, download.aspx.cs, download.aspx.designer.cs, download.aspx.resx.
• Command and control (C2) IP addresses that communicate with the webshells, such as 185.141.25[.]27, 185.141.25[.]58, and 185.141.26[.]98.
• User accounts created or deleted on the MOVEit Transfer server, such as admin.
• SQL statements or errors in the MOVEit Transfer logs.
• Unusual activity or traffic on ports 80 and 443 to the MOVEit Transfer server.

In addition to the above, companies must regularly back up data, patch all software and operating systems, enforce a strong password policy, and educate employees about phishing scams. Companies should also continuously monitor their systems for signs that a ransomware attack is underway.

How Lepide Helps Prevent Ransomware

The Lepide Data Security Platform can help you quickly identify potential ransomware attacks as it provides real-time monitoring of privileged accounts and sensitive data. For example, the Lepide software can detect and respond to large amounts of data being copied, suspicious logins, or attempted transfers to unknown or unauthorized locations. The ‘threshold alerting’ feature allows for an automatic response to events that match a pre-defined threshold condition, such as when a large number of files are moved, encrypted, or renamed. If the threshold condition is met, a custom script can be executed which may disable a specific account or process, change the firewall settings, or simply shut down the affected systems. While this feature won’t prevent an attack from starting, it will at least prevent the attack from spreading.

If you’d like to see how the Lepide Data Security Platform can help to safeguard your assets from ransomware attacks, schedule a demo with one of our engineers or start your free trial today.