Webinar Replay: Lessons Learned from 50+ MOVEit IR Investigations. Watch Now.
Wed, Jun 7, 2023
NOTE: This vulnerability is under active exploitation, and Kroll experts are investigating. Expect frequent updates to this article as our team uncovers more details.
On May 31, 2023, Kroll received multiple reports that a zero-day vulnerability in MOVEit Transfer was being actively exploited to gain access to MOVEit servers. Kroll has observed threat actors using this vulnerability to upload a web shell, exfiltrate data and initiate intrusion lifecycles. This vulnerability may also enable a threat actor to move laterally to other areas of the network.
Patches for supported MOVEit Transfer versions have been released and are available from the MOVEit website located here.
Supported versions are listed via this link.
As of June 2, 2023, the vulnerability was assigned CVE-2023-34362.
Kroll advises MOVEit administrators to look in the “C:\MOVEit Transfer\wwwroot\” directory for suspicious .aspx files such as “human2.aspx” as indicators of compromise (IoC).
Depending on the database engine being used (MySQL, Microsoft SQL Server or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
Recommendations from MOVEit Transfer can be found here, which advise impacted users to:
Unauthorized access via an impacted device may appear specifically as unexpected file creation in the c:\MOVEit Transfer root folder or appear similar to exfiltration traffic such as unexpected and/or large file downloads.
Network monitoring can be used to detect exfiltration, and responding quickly to a true positive can make the difference between the loss of megabytes and gigabytes of data. However, threat actors may adopt a “low and slow” approach to exfiltration, whereby data is sent in smaller pieces over a longer period of time to blend in with daily flows of data. Detecting compression of large files for staging can also be an indicator that a threat actor will soon begin exfiltrating data or may have already done so.
Network administrators can consider alerting and blocking attempted access to common file-sharing sites that are used by cybercriminals. Consider setting up alerting and blocking on traffic attempting to establish connections with domains such as .mega.co.nz, mega.nz, file.io, uploaded.net, 4shared.com, anonfiles.com, anonymfiles.com, send.exploit.in, ufile.io, sendspace.com and rapidgator.net.
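As an added illustration of the two detection ideas above (it is not Kroll's code or part of the original advisory), the following PowerShell parses constructed outbound-connection log lines, flags any destination that is one of the listed file-sharing domains or a subdomain of one, and sums bytes per internal host per day so that "low and slow" transfers made up of many small flows still trip an alert. The log format, the hosts and the 500 MB daily threshold are assumptions; adapt the parser and threshold to your own proxy or firewall data.

```powershell
# Added example, not the advisory's own code. Log lines are constructed in a simple
# "timestamp src dest_host bytes_out" format; adapt the parser to your proxy/firewall.
$blocklist = 'mega.co.nz','mega.nz','file.io','uploaded.net','4shared.com','anonfiles.com',
             'anonymfiles.com','send.exploit.in','ufile.io','sendspace.com','rapidgator.net'
$DailyBytesThreshold = 500MB   # assumed per-host/day ceiling; tune to your own baseline

$log = @'
2023-06-01T02:10:05Z 10.0.5.12 api.mega.co.nz 48000000
2023-06-01T02:40:11Z 10.0.5.12 api.mega.co.nz 52000000
2023-06-01T03:05:42Z 10.0.5.12 cdn.example-update.com 120000
2023-06-01T03:30:07Z 10.0.5.12 203.0.113.45 240000000
2023-06-01T04:10:19Z 10.0.5.12 203.0.113.45 260000000
2023-06-01T09:00:00Z 10.0.7.30 www.example.com 9000
'@ -split "`n"

$events = foreach ($line in $log) {
    if ([string]::IsNullOrWhiteSpace($line)) { continue }
    $ts, $src, $dst, $bytes = $line.Trim() -split '\s+'
    [pscustomobject]@{ Time = [datetime]$ts; Src = $src; Dest = $dst.ToLower(); Bytes = [int64]$bytes }
}

# Alert 1: destination is a listed domain or any subdomain of one (e.g. api.mega.co.nz)
$domainHits = $events | Where-Object {
    $d = $_.Dest
    $blocklist | Where-Object { $d -eq $_ -or $d.EndsWith('.' + $_) }
}

# Alert 2: aggregate per source host per day, so many small flows are still caught
$volumeHits = $events | Group-Object { '{0}|{1:yyyy-MM-dd}' -f $_.Src, $_.Time } | ForEach-Object {
    $total = ($_.Group | Measure-Object Bytes -Sum).Sum
    if ($total -ge $DailyBytesThreshold) {
        [pscustomobject]@{ SrcDay = $_.Name; Flows = $_.Count; TotalBytes = $total }
    }
}

"Connections to listed file-sharing domains:"
$domainHits | Format-Table Time, Src, Dest, Bytes -AutoSize
"Hosts exceeding the daily outbound volume threshold:"
$volumeHits | Format-Table -AutoSize
```

With the constructed sample, the two api.mega.co.nz flows trigger the domain alert, and 10.0.5.12 trips the volume alert on 2023-06-01 because its five flows add up to roughly 600 MB even though no single flow is remarkable on its own.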
Kroll currently recommends that if you find suspicious files, which are most likely web shells or secondary malicious droppers, you copy and preserve the file for forensics and do not delete the only copy.
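The web root check and preservation step described above, as an added PowerShell triage script that is not Kroll's or Progress's code: it lists files under C:\MOVEit Transfer\wwwroot\ that are script-capable (.aspx, .ashx, .asmx) or were created recently, compares their SHA256 hashes with a baseline taken from a clean install, flags the human2.aspx IoC by name, and copies every unexpected file to an evidence folder without deleting the original. The baseline file path, the evidence path and the triage start date are assumptions.

```powershell
# Added example, not code from the advisory. Triages the MOVEit Transfer web root for
# unexpected files and preserves copies for forensics; originals are left in place.
param(
    [string]$WebRoot      = 'C:\MOVEit Transfer\wwwroot',
    [string]$BaselineFile = 'C:\IR\moveit_wwwroot_baseline.sha256',   # assumed: one SHA256 per line
    [string]$EvidenceDir  = 'C:\IR\evidence',                          # assumed evidence location
    [datetime]$Since      = '2023-05-27'                               # assumed start of triage window
)

# Load known-good hashes (from a clean install of the same MOVEit Transfer version).
$baseline = @{}
if (Test-Path $BaselineFile) {
    Get-Content $BaselineFile | ForEach-Object { $baseline[$_.Trim().ToLower()] = $true }
}

New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null

$findings = Get-ChildItem -Path $WebRoot -Recurse -File |
    Where-Object { ($_.Extension -in '.aspx','.ashx','.asmx') -or ($_.CreationTimeUtc -ge $Since) } |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            Path       = $_.FullName
            Created    = $_.CreationTimeUtc
            Modified   = $_.LastWriteTimeUtc
            Size       = $_.Length
            SHA256     = $hash
            InBaseline = $baseline.ContainsKey($hash)
            KnownIoC   = ($_.Name -ieq 'human2.aspx')   # name called out in the advisory
        }
    } |
    Where-Object { $_.KnownIoC -or -not $_.InBaseline }

foreach ($f in $findings) {
    # Preserve a copy, prefixed with part of its hash so it ties back to the report.
    $dest = Join-Path $EvidenceDir ('{0}_{1}' -f $f.SHA256.Substring(0, 12), (Split-Path $f.Path -Leaf))
    Copy-Item -LiteralPath $f.Path -Destination $dest -Force
}

$findings | Sort-Object Created | Format-Table Path, Created, Size, InBaseline, KnownIoC -AutoSize
$findings | Export-Csv -Path (Join-Path $EvidenceDir 'moveit_wwwroot_findings.csv') -NoTypeInformation
```

Run it from an elevated prompt on the MOVEit server; a file that is flagged only because it is missing from the baseline may simply be a legitimate customization, so compare creation times against the patch and exploitation dates before escalating.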
Additionally, based on the capabilities of the range of web shells that Kroll has been investigating, Kroll has consistently observed across numerous investigations that threat actors use these web shells to enumerate, copy and potentially exfiltrate files from the affected MOVEit server(s).
One of the web shells abusing MOVEit searches for superuser accounts, identified as accounts with permission level 30 that are still active and not deleted. Upon finding such a superuser account, the web shell bypasses the login and authentication process by creating an active session for that user with no expiry. We have seen accounts used during the exfiltration process still holding these active, indefinite sessions, and initial indications are that the sessions persist through a reboot of the server. Because the system was manipulated on the backend, these sessions might not appear in the MOVEit graphical user interface and might need to be removed via database commands.
Update – June 8th
On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of the MOVEit vulnerability (CVE-2023-34362). Subsequent Kroll analysis has confirmed that threat actors are using this vulnerability to upload a web shell and exfiltrate data. However, Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit the MOVEit vulnerability as far back as 2021.
Update – July 24th
In the vast majority of Kroll’s global MOVEit investigations, the primary data exfiltration method (Method 1) consisted of utilizing the dropped web shell to inject a session or create a malicious account, after which threat actors were able to reauthenticate and use the MOVEit application itself to transfer files. However, in around 5% of cases, Kroll identified a distinctly different methodology (Method 2) that passes variables to the web shell and utilizes MOVEit API calls for file enumeration and data exfiltration, requiring a separate approach for analysis.
Kroll has deployed detections for exploitation of CVE-2023-34362 and has conducted hunting activity for active exploitation where possible. Kroll has also contacted Responder clients directly about this vulnerability. If you have any questions, please contact your Technical Account Manager.
If you are a Kroll retainer client, immediately contact your Kroll retainer point of contact provided in the original onboarding paperwork.
Kroll can be engaged to conduct rapid and actionable MOVEit specific scans of external IP address ranges to identify issues requiring focus and potential further investigation.
In terms of a proactive response to the MOVEit vulnerability, Kroll can assist in inventorying various systems, applications and software using MOVEit in the environment. Kroll has the capacity and is experienced in providing guidance on how to apply the relevant security patching or security changes for affected systems, applications, software, etc. Kroll can provide guidance on isolating the affected systems or applications from the internet and can assist in recommending alternate mitigation measures.
Kroll can assist in firewall, application and network traffic log analysis, as well as check for both successful and unsuccessful exploitation attempts. Kroll can search for the presence of known IoC that are being actively collected by our threat intelligence, incident response findings and managed detection services.
In terms of digital forensics and incident response, Kroll can be engaged to investigate and contain network compromises and active maliciousness, as well as investigate network intrusions and threat actors who have successfully exploited the MOVEit vulnerability to compromise a victim network.
Even though immediate action is needed and the MOVEit vulnerability is under aggressive exploitation, it’s important to keep a level head. Yes, patch as soon as possible but also consider existing detections and your ability to respond should something suspicious happen. For internal teams burdened with a host of other priorities and a remote workforce, support from dedicated experts who have the frontline expertise, resources and technical skills to assess your exposure can greatly reduce your risk profile. Talk to a Kroll expert today via our 24x7 hotlines or contact form.