A joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) details the CL0P extortion syndicate’s recent targeting of CVE-2023-34362, a vulnerability in the MOVEit Transfer web application. The advisory, released June 7, 2023, states that the CL0P syndicate actively exploited a SQL injection vulnerability present within all versions of MOVEit Transfer software. This vulnerability allowed CL0P actors to install a web shell to enable data theft from MOVEit Transfer databases, which the threat actor claimed left thousands of organizations with encrypted files.
Among the affected organizations were several public safety entities. However, current reporting suggests the threat actors did not directly compromise public safety entities and instead stole data from the third-party MOVEit Transfer service, which may have included public safety data.
CL0P claimed that entities such as police or other public safety organizations are exempt from ransom demands and that they deleted public safety-sourced information from exfiltrated data stores. However, no other source has corroborated this claim. The CL0P extortion syndicate is responsible for at least three additional attacks on public safety entities in 2023, including a data theft attack against Toronto, Canada, in March. Similar to its targeting of MOVEit, CL0P exploited a previously-unknown vulnerability in a third-party tool to target Toronto, suggesting the syndicate favors vulnerability exploitation and leveraging third-party organizations.
While the MOVEit attack did not result in CL0P directly accessing downstream victim environments, we have high confidence that the group is likely sophisticated enough to use third-party services. This shows the importance of identifying and examining Trusted Relationships [T1199], such as those from third parties or connected networks or services.
How Can I Protect Against, Detect and Respond to the MOVEit Vulnerability Exploitation?
Network intrusion detection capabilities are crucial in protecting organizations against attacks from ransomware gangs such as CL0P. Though detecting vulnerability exploits such as MOVEit is essential, identifying the behavior of tools the attacker is using can be even more effective, given that they are discovering new vulnerabilities every day.
CISA observed several indicators from exploitation attempts of CVE-2023-34362. They can be detected by monitoring HTTP POST requests to the MOVEit Transfer web application for resources such as “moveitaspi.dll” or “guestaccess.aspx”. Analyzing suspicious requests to “api/v1/folders” containing the parameter “UploadType=resumable” may also reveal attacks exploiting this vulnerability.
We also recommend monitoring for command and control (C2) requests from known remote access trojans (RATs) used by CL0P, such as FlawedAmmyy and FlawedGrace. These requests often exhibit unique patterns or indicators that users can identify using deep packet inspection detection solutions.
Similarly, Truebot, a first-stage downloader module, is known to collect and send system information, such as screenshots, before proceeding to install these RATs. There are patterns and static indicators in these connections back to the attacker’s infrastructure you can detect and respond to before significant impact occurs.
To identify the presence of webshells used by CL0P, such as DEWMODE or LEMURLOOT, network intrusion detection systems can monitor inbound requests for the specific interaction header “X-siLock” which has been observed in MOVEit file transfers. You can also observe Identifiable behavior based on the content within the header. This can also reveal other indicators of an attack, such as the “Health Check Service” being added or deleted, or other file retrieval operations.
Motorola Solutions ActiveEye Managed Detection and Response Service
By monitoring network connections for these indicators, you can identify compromised systems and remediate issues before an attacker gets the upper hand in your network. Motorola Solutions ActiveEye Managed Detection and Response (MDR) service can give your security team the power to detect these indicators and proactively protect systems and data from the evolving threats of ransomware gangs like CL0P.
The ActiveEye MDR service combines an innovative security platform with an expert security operations center (SOC) team. The service allows any size organization to leverage the most advanced cybersecurity technology and experienced team in the moments it matters most.
With ActiveEye MDR, you get:
- Access to our co-managed ActiveEye security platform to optimize analysis and detection of threats across endpoints and networks
- Threat Intelligence team to alert you to threats and threat actor trends and guide the adoption of appropriate detection methods
- A 24/7 security operations team to quickly investigate anomalous activity and augment your internal security team
- Advanced threat research to proactively search for threats as new tactics and indicators of compromise (IOCs) are discovered
- Incident Response team to guide an assessment if your network is compromised
The Public Safety Threat Alliance (PSTA) is a public safety-focused information sharing and analysis organization (ISAO) established by Motorola Solutions that is recognized by the Cybersecurity and Infrastructure Security Agency (CISA). The PSTA has issued a Threat Advisory on CLOP Ransomware’s MOVEit vulnerability exploitation and will continue to monitor intelligence reporting for credible threats to public safety organizations.
The PSTA provides threat intelligence for member public sector organizations at no cost. Register today for more information.