SOC Incident Toolkit

MOVEit Strikes With All Its Power

Tags: win.clop, TA505, Clop, Ransomware, MOVEit, MOVEit Transfer

A new wave of mass attacks targeting the popular file transfer tool MOVEit Transfer has been linked by security researchers to the Clop ransomware gang. The exploited vulnerability allows the attackers to gain unauthorized access to the database of the affected MOVEit Transfer server.

Indicators of Compromise

Domains (1)

dojustit.mooo.com

Hashes (10)


IPv4 (138)

89.39.104.118
198.27.75.110
5.252.189.0
66.85.26.215
5.188.87.194
162.244.34.26
66.85.26.248
91.202.4.76
5.188.87.226
185.174.100.215
188.241.58.0
91.222.174.95
84.234.96.104
84.234.96.31
185.104.194.156
45.56.165.248
89.39.105.108
194.33.40.104
185.174.100.250
93.190.142.131
(+118 more)

APT Groups

TA505

Russian Federation

Notes

The increasing adaptability and danger of malware, and of Clop ransomware in particular, is evident. It is very important to develop cyber defenses, to be careful when using the Internet, and to pay attention to software downloads and updates. Clop ransomware specifically targets businesses rather than individual users, and its creators used creative technical solutions to identify victims' language settings and installed programs. However, there have also been instances of poorly coded functionality in ransomware. Caution should be exercised as cybercriminals continue to use maliciously programmed malware for financial gain.

While the Cl0p ransomware group claimed credit for these attacks, the techniques used fit a broader trend of financially motivated attacks on web servers running vulnerable file transfer software.

Mitigation

Mitigations

All versions of MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1) are affected. Progress Software has released an official patch, available here: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

However, prior to applying the patch, Progress recommends that administrators take the following actions.

1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment by configuring your firewall to deny that access. (Note: it is fine to leave the SFTP and FTP ports open, as exploitation appears to occur only over HTTP/HTTPS.)

2. Review your MOVEit environment for signs of compromise, including:
   - Audit and delete any unauthorized files and user accounts.
   - On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
   - On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of .cmdline.
   - Remove any unauthorized user accounts.
   - Review logs for unexpected downloads of files from unknown IPs, or for large numbers of files being downloaded.
   - Reset service account credentials for affected systems and for the MOVEit service account.

3. After these steps, you can apply the patch.

After the update has been applied, you can re-enable all HTTP and HTTPS traffic to your MOVEit Transfer environment. You will also want to verify that the compromise has been fully addressed by going back through the actions in Step 2 above.

Additional Detection Options

- Search for a user named 'Health Check Service' within the MOVEit user database.
- Examine active sessions within the MOVEit database for the user 'Health Check Service'.
- Search your web access logs for requests that contain any of the request or response headers listed above.

Additional Security Best Practices

1. Update network firewall rules to only allow connections to the MOVEit Transfer infrastructure from known, trusted IP addresses.
2. Review and remove any unauthorized accounts.
3. Update remote access policies to only allow inbound connections from known and trusted IP addresses.
4. Allow inbound access only from trusted entities.
5. Enable multi-factor authentication.
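The two file-system checks in Step 2 (new files under C:\MOVEitTransfer\wwwroot\ and .cmdline files under C:\Windows\TEMP\[random]\) can be scripted so that the sweep is repeatable after patching. The following PowerShell is an added example written for this page; it is not code from Progress Software or from the original campaign write-up. The function name Find-MoveitArtifacts and the -Since parameter are assumptions of the example; the default paths are the ones the mitigation text names. The database checks (the 'Health Check Service' user and its sessions) and the web-log review are not covered here because they depend on the database backend and log format in use.

```powershell
# Added example (not from the page or from Progress Software): sweep a MOVEit
# Transfer host for the two file-system artifacts named in Step 2 above.
# Assumed parameter: -Since, the time of the last known-good state (for example
# the last MOVEit upgrade); anything created after it is reported.
function Find-MoveitArtifacts {
    [CmdletBinding()]
    param(
        [string]   $WwwRoot  = 'C:\MOVEitTransfer\wwwroot',
        [string]   $TempRoot = 'C:\Windows\TEMP',
        [datetime] $Since    = (Get-Date).AddDays(-30)
    )

    # Check 1: files created under wwwroot after the cutoff. This directory
    # normally changes only when MOVEit itself is installed or upgraded, so
    # any newer file deserves a manual look before the server goes back online.
    $wwwHits = @()
    if (Test-Path -LiteralPath $WwwRoot) {
        $wwwHits = Get-ChildItem -LiteralPath $WwwRoot -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $Since } |
            ForEach-Object {
                [pscustomobject]@{
                    Check   = 'NewFileInWwwroot'
                    Path    = $_.FullName
                    Created = $_.CreationTime
                    SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }

    # Check 2: *.cmdline files in C:\Windows\TEMP\<random>\. The subdirectory
    # name is random, so look one level below TEMP rather than at a fixed path.
    $cmdHits = @()
    if (Test-Path -LiteralPath $TempRoot) {
        $cmdHits = Get-ChildItem -LiteralPath $TempRoot -Directory -ErrorAction SilentlyContinue |
            ForEach-Object {
                Get-ChildItem -LiteralPath $_.FullName -Filter '*.cmdline' -File -ErrorAction SilentlyContinue
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Check   = 'CmdlineFileInTemp'
                    Path    = $_.FullName
                    Created = $_.CreationTime
                    SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }

    # One object per hit, so the caller can sort, export to CSV, or compare the
    # SHA256 values against the indicator list for this campaign.
    @($wwwHits) + @($cmdHits)
}

# Usage: run in an elevated session on the MOVEit Transfer server after the
# firewall change in Step 1, then review every line by hand before deleting.
#   Find-MoveitArtifacts -Since (Get-Date).AddDays(-60) |
#       Sort-Object Created | Format-Table -AutoSize
```

The function only reports; it never deletes anything, so it is safe to run again after the patch to confirm that Step 2 left nothing behind. Hashing each hit makes it easy to match findings against the campaign's hash indicators or to submit them for analysis.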