How to Protect Against the MOVEit Transfer Exploit

The US Cybersecurity and Infrastructure Security Agency (CISA) admitted it is providing support to several Federal agencies that were breached following vulnerabilities exposed in the Progress (formerly Ipswitch) MOVEit Transfer solution. According to an alert and cybersecurity advisory published by CISA, the CL0P Ransomware Gang has been actively exploiting the vulnerabilities for data exfiltration and to execute remote commands on the target machines.  

What We Know About the MOVEit Transfer Vulnerability

First disclosed on May 31st 2023, Progress security confirmed three critical vulnerabilities (CVE-2023-34362, CVE-2023-35036, CVE-2023-35708) that can allow threat actors to attain escalated privileges and unauthorized access to the environment. In their advisory, Progress described immediate steps all MOVEit customers should deploy to remediate the vulnerability.  

A technical analysis by CISA reveals that in May 2023, the CL0P group began exploiting the SQL injection vulnerability to install a web shell named LEMURLOOT on MOVEit servers, dropped as ‘human2.aspx’, and later renamed to ‘human.aspx’ (VirusTotal). The webshell, specifically designed to target the MOVEit platform, is a toolkit that includes multiple operational capabilities, including downloading files, as well as executing and manipulating Azure system settings, including the creation of admin users.  

The impact of the vulnerability is widespread. MOVEit Transfer is a popular Managed File Transfer (MFT) solution used by thousands of enterprises, primarily in the United States, including government agencies, banks, software vendors, and other organizations.  Victims, including Shell, the University Systems of Georgia, the BBC, and British Airways began receiving ransom notes to prevent publishing the exfiltrated data.  

Targeting Managed File Transfer (MFT) Solutions

Managed File Transfer solutions and Secure MFT (sMFT) are used to secure and automate the transfer of data and documents across and between organizations.  The solutions are typically deployed by large organizations to enable the secure sharing of sensitive information, often connecting public-facing interfaces, with content stored in internal and sensitive networks. 

The Russian-based CL0P (Clop) hacking group (TA505), allegedly exploited vulnerabilities in other MFT solutions, including Acellion’s FTA in 2020 and 2021, and Fortra’s GoAnywhere MFT solution earlier in 2023 (CVE-2023-0669).  

MFT solutions are tempting targets for threat actors. Compromising them allows access to information that was supposed to be safeguarded by the solutions; achieving control over the target machines enables access into the protected victim networks.   

This enables threat actors like CL0P to employ “double extortion” tactics which allow data stealing and ransomware execution across target machines using the control which was achieved.  

The exploited vulnerabilities serve as an entry point for the threat actors to execute the later stages of the attack.  Once the initial phase is complete, attackers establish C2 communications, allowing them to drop payloads to execute the later phases. In previous incidents, CL0P has been observed to use Truebot, which subsequently downloads Cobalt Strike and FlawedGrace beacons.  

The MOVEit Transfer attack stages. Modified from: Forescout (https://www.forescout.com/wp-content/uploads/2023/06/CVE-2023-34362.png) 

While the initial stage of the attack exploits new vulnerabilities, the next phase drops malicious payloads using evasive and in-memory techniques to bypass detection by the resident endpoint protection solutions.  

Recommended Actions

Immediate mitigations include applying the security patches and following the instructions published by Progress (MOVEit), and updating IOCs, as published by CISA.  

MOVEit recommendations (Source: Progress.com)  

• Review the Progress Security Center page with updates on the MOVEit Transfer and MOVEit Cloud Vulnerabilities.  
• Until application of the security patch(es) - disable all HTTP and HTTPs traffic to your MOVEit Transfer environment, specifically:  Modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443. 
• Review MOVEit and System audit logs for unexpected behavior, delete unauthorized files (‘human2.aspx’, ‘human.aspx’), and remove unauthorized user accounts, full analysis at Forescout.com  

• Apply the recommended security patch(es), then restore HTTP/HTTPs traffic.  

For a complete list of Indications of Compromise (IOCs) associated with the CL0P group’s exploitation of the MOVEit Transfer vulnerability visit: CISA.gov.  

How Morphisec Can Help

Morphisec’s products help protect against potential exploits and malicious payloads with the following capabilities:  

Morphisec Vulnerability Visibility and Prioritization  

Morphisec’s Vulnerability Visibility and Prioritization provides risk and usage-based prioritization of vulnerabilities. In this scenario, Morphisec assists in identifying the organization using an application with a known vulnerability, and prioritizes risk based on actual usage and information based on known exploitation of the vulnerabilities. This enables organizations to act swiftly to apply critical security patches.  

Prevention of malicious payloads employing evasive and in-memory techniques  

In the case of attacks such as the MOVEit exploit, organizations must protect themselves against the later stages, and against attacks capable of evading the protection mechanisms provided by detection-based technologies. Automated Moving Target Defense (AMTD) is an essential defense-in-depth layer since it stops threats without prior knowledge, and without a need to rely on signatures, IOCs, and behavioral patterns.

Mitigating the MOVEit attack stages using vulnerability prioritization and prevention of evasive malware . 

Modified from: Forescout (https://www.forescout.com/wp-content/uploads/2023/06/CVE-2023-34362.png)

Morphisec by default protects the IIS Web services and MOVEit DMZ components which runs under the IIS web server. In an event of a WebShell execution leading to a backdoor (e.g. CobaltStrike, Metasploit) access to the system, Morphisec’s AMTD would provide protections since these backdoor frameworks are completely fileless and employ evasive techniques designed to bypass detection by endpoint protection solutions. Morphisec focuses on disabling the framework early in the attack chain by leveraging the true prevention capabilities of the AMTD technology. 

Morphisec prevented the following related attacks:  

Code and memory exploitation techniques are among the top ten most seen MITRE ATT&CK techniques. AMTD mitigates this risk by morphing memory and other system resources, making them essentially invisible to the threats that target them. As a layer in a defense-in-depth security posture, AMTD stops zero-day, fileless, and in-memory attacks, offering true Defense-in-Depth for endpoint, server and workload protection, with a negligible performance impact, with no additional headcount required.  

Want to learn more?  

Morphisec is trusted by 7,000+ companies and prevents more than 30,000 attacks daily across more than nine million protected endpoints, servers and workloads on Windows and Linux devices. To learn more about the technology and why Gartner calls AMTD “the future of cyber,” read our whitepaper Zero Trust + Moving Target Defense: The Ultimate Ransomware Strategy. 

Schedule a demo to see Morphisec in action - https://www.morphisec.com/schedule