The MOVEit attack was a cyberattack that exploited a flaw in the MOVEit managed file transfer service, which is used by many organizations to securely transfer sensitive files. The attack began on May 27, 2023 and used a zero-day vulnerability that allowed the hackers to inject SQL commands and access the databases of MOVEit customers.
The hackers are believed to be linked to the Cl0p ransomware group, which is known for extorting money from victims and publishing their data on an extortion website. Some of the victims of the attack include the BBC, British Airways, Boots and Aer Lingus, whose staff data, including national insurance numbers and bank details, may have been stolen.
The software vendor, Progress Software, has released a security update to fix the vulnerability and has alerted its customers to apply it as soon as possible. However, some experts warn that thousands of company databases may still be vulnerable as many affected firms have not installed the patch yet.
The Clop ransomware group has threatened to publicly release data stolen from victims unless they pay for its secure deletion. Victims who contact the Clop gang are given a price for the safe deletion of their data and can ask for a sample of random files to verify that the gang actually holds it. No file-encrypting ransomware has been observed, and the attackers have said they will erase the data they stole from government websites, most likely an attempt to avoid drawing unwanted attention. The attackers have threatened to leak data publicly if no agreement is reached within seven days.
Who are the Cl0p Ransomware Gang?
The Clop group, also known as TA505, has been active in distributing ransomware and conducting extortion since 2019. The group has targeted over 3,000 US organizations and over 8,000 globally, according to the following source. Additionally, the group operates as an initial access broker, selling compromised networks to other groups, and operates a botnet specializing in financial fraud and phishing. The group has also developed three zero-day exploits and employs custom webshells and malware toolkits in their attacks. This advanced level of sophistication sets them apart from other extortion groups that typically rely on open-source tools.
Ransomware Groups Exploit Zero-Day Vulnerabilities in File Transfer Apps
Cybersecurity company SentinelOne has identified a trend in the exploitation of zero-day and N-day vulnerabilities in enterprise managed file transfer applications. Researchers warn that there may be an “abundant exploit development ecosystem” focused on these applications. In March, the IBM Aspera Faspex file sharing software was compromised by attackers exploiting a deserialization flaw, leading to the deployment of the IceFire ransomware.
Since the MOVEit exploit became public knowledge, researchers have witnessed increased patching and a slower rate of exploit attempts. SentinelOne has published threat-hunting queries to help organizations search for evidence of the attacks, and the Cybersecurity and Infrastructure Security Agency (CISA) has issued advisory guidance containing YARA detection rules and indicators of compromise.
How to Protect your Company from the MOVEit Attack
As a starting point, to protect your company from the MOVEit attack, you should follow the security advice from Progress Software, the vendor of the MOVEit Transfer service. Some of the steps you should take include:
- Apply the security update that fixes the vulnerability as soon as possible.
- Restrict (allow-list) inbound traffic on ports 80 and 443 to the MOVEit Transfer server so that the web user interface is not reachable from untrusted external networks.
- Inspect the C:\MOVEit Transfer\wwwroot\ folder for suspicious files, such as unexpected backup or download scripts or large file downloads.
- Enable logging and auditing on the MOVEit Transfer server and monitor for any unusual activity.
- Use a firewall or other security tools to block access to known malicious domains or IP addresses associated with the attack.
You should check for any indicators of compromise (IoCs) that may suggest your company has been affected by the attack. Some of the IoCs associated with the MOVEit attack include:
- Scripts or webshells uploaded to the C:\MOVEit Transfer\wwwroot\ folder, such as backup.aspx, backup.aspx.cs, backup.aspx.designer.cs, backup.aspx.resx, download.aspx, download.aspx.cs, download.aspx.designer.cs and download.aspx.resx.
- Command and control (C2) IP addresses that communicate with the webshells, such as 185.141.25[.]27, 185.141.25[.]58, and 185.141.26[.]98.
- User accounts unexpectedly created or deleted on the MOVEit Transfer server, such as an account named admin.
- SQL statements or errors in the MOVEit Transfer logs.
- Unusual activity or traffic on ports 80 and 443 to the MOVEit Transfer server.
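The following PowerShell script is an added example (not code from the page, from Progress Software or from Lepide) that checks a MOVEit Transfer server for the IoCs listed above. It assumes the default install path, that IIS writes its W3C logs under C:\inetpub\logs\LogFiles, and that the "user accounts" IoC refers to Windows local accounts (audited as Security event 4720); adjust the paths for your deployment and run it from an elevated PowerShell on the server.

```powershell
# Added example: hunt for the MOVEit IoCs named above on a MOVEit Transfer server.
$wwwroot = 'C:\MOVEit Transfer\wwwroot'       # default MOVEit Transfer web root
$iisLogs = 'C:\inetpub\logs\LogFiles'         # assumed IIS log location
$since   = Get-Date '2023-05-27'              # start of the campaign described above

# Webshell file names and C2 addresses from the IoC list (defanging brackets removed).
$iocFiles = @('backup.aspx', 'backup.aspx.cs', 'backup.aspx.designer.cs', 'backup.aspx.resx',
              'download.aspx', 'download.aspx.cs', 'download.aspx.designer.cs', 'download.aspx.resx')
$c2Ips    = @('185.141.25.27', '185.141.25.58', '185.141.26.98')
# Escape the dots so the pattern matches the literal addresses, not any character.
$c2Pattern = ($c2Ips | ForEach-Object { [regex]::Escape($_) }) -join '|'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Files with a known webshell name anywhere under wwwroot.
Get-ChildItem -Path $wwwroot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $iocFiles -contains $_.Name } |
    ForEach-Object { $findings.Add("Webshell name: $($_.FullName) (written $($_.LastWriteTime))") }

# 2. Any .aspx file created or modified since the campaign began, whatever its name.
Get-ChildItem -Path $wwwroot -Recurse -File -Include '*.aspx' -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
    ForEach-Object { $findings.Add("Recent .aspx: $($_.FullName) (written $($_.LastWriteTime))") }

# 3. IIS log lines that mention one of the listed C2 addresses.
Get-ChildItem -Path $iisLogs -Recurse -File -Include '*.log' -ErrorAction SilentlyContinue |
    Select-String -Pattern $c2Pattern |
    ForEach-Object { $findings.Add("C2 address in $($_.Path):$($_.LineNumber): $($_.Line.Trim())") }

# 4. Windows local accounts created since the campaign began (event 4720 = user account created).
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction Stop |
        ForEach-Object { $findings.Add("Account created $($_.TimeCreated): $($_.Message.Split("`n")[0].Trim())") }
} catch {
    # Get-WinEvent throws when no matching events exist; that is not a finding.
}

if ($findings.Count -eq 0) {
    Write-Output "No listed MOVEit IoCs found under $wwwroot, $iisLogs or the Security log."
} else {
    Write-Output "Potential MOVEit IoCs found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit in check 2 is not proof of compromise on its own (the patch itself updates files under wwwroot), so compare the file's timestamp and content against the vendor update before escalating.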
In addition to the above, companies must regularly back up data, patch all software and operating systems, enforce a strong password policy, and educate employees about phishing scams. Companies should also continuously monitor their systems for signs that a ransomware attack is underway.
How Lepide Helps Prevent Ransomware
The Lepide Data Security Platform can help you quickly identify potential ransomware attacks as it provides real-time monitoring of privileged accounts and sensitive data. For example, the Lepide software can detect and respond to large amounts of data being copied, suspicious logins, or attempted transfers to unknown or unauthorized locations. The ‘threshold alerting’ feature allows for an automatic response to events that match a pre-defined threshold condition, such as when a large number of files are moved, encrypted, or renamed. If the threshold condition is met, a custom script can be executed which may disable a specific account or process, change the firewall settings, or simply shut down the affected systems. While this feature won’t prevent an attack from starting, it will at least prevent the attack from spreading.