Breakdown of the MOVEit Transfer Breach and MITRE ATT&CK Mapping
Published On: October 3, 2023
What Happened?
MOVEit Transfer is Progress Software’s managed file transfer solution, used by organizations for internal and external file sharing. Beginning on May 27, 2023, the Clop ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) that enabled them to execute commands on affected servers and ultimately steal data from the underlying databases. A broad set of industries has been affected, including education, government agencies, banking, and healthcare.
Who Did It?
The Clop ransomware group took responsibility for the MOVEit breach on June 6, 2023. This threat actor is also known as TA505, FIN11 and Lace Tempest. The group is financially motivated and Russian-speaking. This adversary does not appear to target a particular industry, but instead focuses on conducting attacks with significant financial reward. This is not the first time this threat actor has targeted file transfer solutions: the group targeted and exfiltrated data from Accellion File Transfer Appliance (FTA) devices in 2020 and 2021 and from Fortra/Linoma GoAnywhere MFT servers in early 2023.
Why Target File Transfer Solutions?
File transfer solutions handle large amounts of information, much of which is sensitive and regulated. MOVEit Transfer, for example, is an accredited file transfer solution that meets various compliance requirements for highly regulated industries. Exfiltrating this type of data is profitable for threat actors, as it increases the likelihood that the data is valuable to the victim and to other malicious actors. Additionally, the breach’s scale is compounded by the tool’s function: file transfer solutions are used to transfer data within an organization and on behalf of others. Thus, the scope of Clop’s data exfiltration goes well beyond the number of organizations with MOVEit Transfer deployments, increasing the likelihood that some party will pay the ransom.
Mapping of the Attack to the MITRE ATT&CK Framework
| MITRE ATT&CK Tactic | MITRE ATT&CK Technique | Description |
| --- | --- | --- |
| Initial Access | Exploit Public Facing Application (T1190) | Exploited a SQL injection vulnerability in the managed file transfer solution |
| Persistence | Server Software Component: Web Shell (T1505.003) | Deployed a web shell named LEMURLOOT |
| Persistence | Create Account (T1136) | LEMURLOOT can create users in Azure |
| Privilege Escalation | Exploitation for Privilege Access (T1068) | Authenticated as a high-privilege user |
| Defense Evasion | Masquerading: Match Legitimate Name or Location (T1036.005) | Components mirror legitimate MOVEit Transfer components. For example, LEMURLOOT is deployed with the name human2.aspx, which mirrors a legitimate file of the MOVEit Transfer software, human.aspx. |
| Discovery | Cloud Storage Object Discovery (T1619) | LEMURLOOT can retrieve system settings and record information from Azure Storage blobs. |
| Command and Control | Application Layer Protocol: Web Protocols (T1071.001) | The threat actor communicates with the web shell via HTTP requests |
| Exfiltration | Exfiltration over C2 Channel (T1041) | Exfiltrated data to a C2 server |
| Impact | Account Access Removal (T1531) | LEMURLOOT can delete users in Azure. |
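The Defense Evasion, Persistence and Command and Control rows above share one observable: HTTP requests to a web shell whose file name mimics a legitimate MOVEit Transfer handler (human2.aspx beside the real human.aspx). The script below is an added example, not code from the article or from Progress Software, showing how a defender can sweep IIS W3C-format web logs for .aspx requests that are not on an allowlist of expected handlers and rank look-alike names first. The log lines, the `#Fields` layout and the allowlist of expected handlers are constructed for illustration; a real allowlist should be built from a known-good installation.

```python
"""Added example (not from the original article): flag HTTP requests to a
MOVEit Transfer server whose target file mirrors a legitimate component
name but is not on the expected list, as with the LEMURLOOT web shell
deployed as human2.aspx beside the real human.aspx (T1036.005, T1505.003,
T1071.001). Log lines and allowlist below are constructed assumptions."""

import re
from collections import Counter

# Constructed IIS W3C-style log lines (assumption: the fields named in the
# #Fields header; real deployments may log more or different fields).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-05-28 01:02:03 203.0.113.10 GET /human.aspx 200
2023-05-28 01:02:09 203.0.113.10 POST /human2.aspx 200
2023-05-28 01:03:15 198.51.100.7 GET /api/v1/folders 200
2023-05-28 01:04:44 203.0.113.10 POST /human2.aspx 200
2023-05-28 01:05:01 192.0.2.5 GET /machine.aspx 200
"""

# Assumed allowlist of legitimate MOVEit Transfer handlers (constructed;
# derive the real list from a clean install or vendor documentation).
EXPECTED_ASPX = {"/human.aspx", "/machine.aspx"}


def parse_w3c(log_text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields = None
    rows = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        rows.append(dict(zip(fields, values)))
    return rows


def lookalike(path, expected):
    """True if path equals an expected handler with digits or underscores
    inserted before the extension, e.g. human2.aspx next to human.aspx."""
    m = re.fullmatch(r"(/[A-Za-z]+)[0-9_]+(\.aspx)", path, re.IGNORECASE)
    if not m:
        return False
    return (m.group(1) + m.group(2)).lower() in {e.lower() for e in expected}


def find_suspicious(rows, expected=EXPECTED_ASPX):
    """Return ((uri_stem, source_ip), count) for .aspx requests that are not
    on the allowlist, with look-alike names sorted first."""
    allowed = {e.lower() for e in expected}
    hits = Counter()
    for r in rows:
        stem = r.get("cs-uri-stem", "")
        if not stem.lower().endswith(".aspx") or stem.lower() in allowed:
            continue
        hits[(stem, r.get("c-ip", "?"))] += 1
    return sorted(hits.items(),
                  key=lambda kv: (not lookalike(kv[0][0], expected), kv[0]))


def report(log_text=SAMPLE_LOG):
    """Findings as (uri_stem, source_ip, request_count, 'lookalike'|'unknown')."""
    findings = []
    for (stem, ip), n in find_suspicious(parse_w3c(log_text)):
        tag = "lookalike" if lookalike(stem, EXPECTED_ASPX) else "unknown"
        findings.append((stem, ip, n, tag))
    return findings


if __name__ == "__main__":
    for stem, ip, n, tag in report():
        print(f"{tag:9s} {stem} from {ip}: {n} request(s)")
```

Run against the constructed log, the only finding is `/human2.aspx` from 203.0.113.10 (two POSTs), tagged as a look-alike of `/human.aspx`. Any hit from this sweep should be confirmed by checking whether the file actually exists in the web root and whether it was shipped with the product.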
Number of Disclosed Vulnerabilities
Three critical vulnerabilities with MOVEit Transfer have been discovered:
Remediations
Organizations with MOVEit Transfer are encouraged to do the following to prevent further exploitation:
- Patch the security vulnerabilities in MOVEit Transfer.
- Until the patches are installed, disable all HTTP and HTTPS traffic to the MOVEit Transfer application.
Additional action organizations can take:
- Assess and implement secure supply chain and data sharing practices.
- Maintain offline backups of data.
- Conduct tabletop exercises to test response and recovery plans.
All organizations should consider testing their security controls against MITRE ATT&CK techniques. Organizations can use the MITRE ATT&CK mapping in this article to simulate the actual threat and test their own preparedness.
For more information on how to protect your organization, contact one of our experts: info@klogixsecurity.com.