How did the MOVEit Cyber Security Breach Target so many Businesses?


We have recently posted a few articles about the MOVEit Cyber Security Breach, which has affected thousands of customers and hundreds of thousands of individuals around the world, including British Airways, Transport for London, the BBC, Boots, Minnesota Department of Education, the US Energy Department and many more. But how did the attack take place?

A hacking group known as Cl0p is believed to be behind a series of attacks exploiting a vulnerability in the MOVEit file transfer server application. The vulnerability, identified as CVE-2023-34362, was actively exploited in early June 2023, according to the Cyber Security firm SentinelOne. The payload delivered through this exploit allows limited interaction between the compromised web server and connected Azure blob storage, enabling the theft of sensitive files.

In the weeks leading up to June, SentinelOne observed several instances of Windows servers running a vulnerable version of MOVEit Transfer, a product of Progress Software, which was being targeted. The attacks resulted in the delivery of a minimal webshell that could be utilised by the attackers to exfiltrate the contents of files, including those hosted on Microsoft Azure when the targeted MOVEit instance was set up to use Azure’s blob storage service.

The attacks have been indiscriminate in nature. Over 20 organisations from various sectors, including transport, entertainment, financial services, healthcare, and technology, have fallen victim to this exploitation. The vulnerability has been found in several versions of MOVEit Transfer, from 2021.0.x to 2023.0.0, all of which have subsequently been patched.

The exploitation process involves the attackers identifying Windows servers running a vulnerable version of the MOVEit application through port scanning or internet indexing services. The vulnerability, which is a SQL injection flaw, allows an unauthorised attacker to inject SQL commands and gain information from the targeted database. Once the attacker gains access, they are able to upload files via the MOVEit service account, launching a Microsoft IIS worker process which writes several files to a new working directory. The payload, which is a minimal webshell saved as human2.aspx, is then compiled from the C# code.

The payload enables the attacker to connect to specified SQL databases and exfiltrate contents of files hosted by MOVEit Transfer, and in the case where MOVEit Transfer is connected to Azure blob storage, exfiltrate contents of specific files in Azure’s blob storage service. The attackers can specify the targeted object’s File ID and Folder ID in HTTP headers of a request made to the webshell, which then returns the specified file’s content as a Gzip object in the server’s HTTP response. The webshell also deletes the existing user named “Health Check Service” and creates a new user with the same username, likely as a means of persistence.

Organisations using affected versions of MOVEit Transfer are being urged to upgrade their systems immediately to the latest versions where the vulnerability has been patched. In instances where upgrades cannot be performed, it is recommended that the system be taken offline until it can be upgraded. SentinelOne has also provided a list of hunting queries and a PowerShell script to assist organisations in identifying and addressing potential exploitation of the MOVEit Transfer vulnerability.
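As an added illustration of this kind of hunt (it is not SentinelOne's hunting queries or script), the sketch below parses IIS W3C logs and groups requests for the human2.aspx webshell by client IP. The log lines are constructed samples, and the field layout, including sc-bytes, is an assumption that must match the server's own `#Fields` line.

```python
import posixpath
from collections import defaultdict

WEBSHELL_NAME = "human2.aspx"  # file name given in the article

# Constructed sample in IIS W3C extended format (documentation IP ranges).
# Assumption: sc-bytes logging is enabled; adjust to the real #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status sc-bytes
2023-06-01 10:02:11 GET /default.aspx - 198.51.100.7 200 5120
2023-06-01 10:05:42 GET /docs/human2.aspx.txt - 198.51.100.7 200 880
2023-06-01 10:06:03 GET /human2.aspx - 203.0.113.50 404 1245
2023-06-01 10:07:19 GET /Human2.ASPX - 203.0.113.50 200 48211
2023-06-01 10:07:55 GET /human2.aspx - 203.0.113.50 200 913377
"""

def parse_w3c(text):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def hunt_webshell(text, name=WEBSHELL_NAME):
    """Summarise requests for the webshell file name, grouped by client IP."""
    hits = defaultdict(lambda: {"requests": 0, "served": 0, "bytes_out": 0})
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "")
        # IIS paths are case-insensitive; match the exact file name only.
        if posixpath.basename(stem).lower() != name:
            continue
        entry = hits[row.get("c-ip", "?")]
        entry["requests"] += 1
        if row.get("sc-status") == "200":  # server returned content
            entry["served"] += 1
            size = row.get("sc-bytes", "0")
            entry["bytes_out"] += int(size) if size.isdigit() else 0
    return dict(hits)

if __name__ == "__main__":
    for ip, summary in hunt_webshell(SAMPLE_LOG).items():
        print(ip, summary)
```

Any client with a non-zero `served` count warrants a review of the files that were reachable on that server, and `bytes_out` gives a rough upper bound on the volume returned to that client.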

While the Cl0p ransomware group has claimed responsibility, Cyber Security firm SentinelOne has noted that this attack aligns with a broader trend of financially motivated attacks against web servers running vulnerable file transfer software. This includes the IceFire ransomware attack against Aspera Faspex software earlier in 2023, as well as other attacks attributed to Cl0p that exploited a 0-day flaw in the GoAnywhere managed file transfer application. This suggests the existence of a thriving exploit development ecosystem among hackers targeting enterprise file transfer applications.

The decision to target files in Azure cloud storage, if solely attributed to the Cl0p ransomware group, is significant. This strategy deviates from the norm established by cloud-focused extortion actors such as BianLian and Karakurt, who commonly use multipurpose file management tools like Rclone and FileZilla. Instead, the Cl0p group has developed a unique webshell designed to steal Azure files through SQL queries specific to the targeted environment. This suggests that the tooling was likely developed and tested well in advance of the attacks.

Businesses are being urged to remain vigilant and ensure they have the most recent security patches and updates installed to mitigate the risk of falling victim to such cyber attacks. As each payload is dynamically compiled at runtime, it results in a unique hash for each victim. While SentinelOne is providing a list of hashes associated with payloads delivered through these campaigns, businesses should not rely on signature- or hash-based anti-virus alone to detect these attacks. The continued evolution and sophistication of these attacks serve as a reminder of the importance of maintaining robust cyber security measures and protocols.

The best way to protect your business from attacks such as these is via Endpoint Detection & Response. Endpoint Detection & Response uses advanced Artificial Intelligence to monitor for unusual, suspicious or malicious activity on your endpoints and stop it in its tracks. By pairing this with our 24/7 SOC (Security Operations Centre), it's like having your own Cyber Security Professionals on hand 24/7 to protect you from these latest threats before they could potentially wreak havoc on your business. Find out more about Endpoint Detection & Response at the link below.
