
CL0P Likes To MOVEit MOVEit by Will Thomas

BSides Basingstoke · 27:34 · 214 views · Published 2023-09
Style: Talk

Transcript [en]:

Thank you very much, and thanks everyone for coming. This is my first BSides Basingstoke and I'm really enjoying it so far. So I'm going to talk to you a bit about CL0P today.

A bit about me: I've been a CTI researcher for about four years now. I work for a company called Equinix, which likes to say it's the world's digital infrastructure company: about 250 data centres worldwide, running internet exchanges and internet backbone around the world. I work for the Equinix Threat Analysis Center, which is ETAC, the internal CTI team, and I'm a co-author of SANS FOR589, Cybercrime Intelligence, as well. I'm also a co-founder of a CTI trust group called Curated Intelligence, and you can find me on the various websites.

So we're going to talk a bit about the CL0P MOVEit campaign. You've probably all heard about it keeping up with the news. I'm going to run through the who, what, why, where, when and how for CL0P: talk about the hundreds of servers being hacked around the world, everyone being impacted by this, when it started, why they're doing it and how they do it.

So who are these guys? CL0P are a Russian/Ukrainian-speaking ransomware gang, a financially motivated threat group, and they're tracked by various vendors. They've been around for quite a long time, and everyone's tracking them under various monikers: TA505, FIN11, Graceful Spider. There's a little bit of ambiguity over who names them what and why, and it requires a lot of CTI analysis and assessment work to fully understand these relationships, but if you mention those names people generally understand what you're talking about. Interestingly, a bit of a side note, more recently Microsoft and Secureworks said that they're related to FIN7, which is another large financially motivated threat group.

So you may have heard about CL0P in 2021: there was actually an arrest in Ukraine of their money laundering team. You had the Ukrainians and the Korean police turn up, because they had a joint operation taking them down. They found all their money, took away their cars, and basically uncovered the backbone money laundering operation that drives the whole ransomware group, the people who support the money. And whilst you're watching that video you can see devices like Cellebrite doing forensics on the macOS devices.

So have they done this before with MOVEit? Well, yes. This is definitely, by a long shot, not the first time they've targeted managed file transfer systems, MFTs. They went after Accellion FTA in December 2020, they went after SolarWinds Serv-U in 2021, and GoAnywhere and PaperCut this year as well. So it's a bit of a trend of them actually targeting these types of services and systems to perform data extortion campaigns.

A bit of a timeline. Most people recognise the campaign starting around late May, which was actually a bank holiday. It was a bank holiday in the UK and it was a bank holiday in the US, so it's almost like perfect timing to launch an attack, because everyone's on holiday, right? And then Progress Software actually came out and said our software has a vulnerability in it, it's been exploited in the wild, and then the information started to trickle out that it was potentially CL0P, potentially related to some of these previous MFT-targeting campaigns. And then CL0P started to confirm to journalists that it was them, and then they started to leak some of the victims. So they confirmed it was them, and then other vendors came out and said, we saw the scanning for a particular file name that you would target when you're trying to exploit the MOVEit MFT service, I think it's like a human.aspx file. GreyNoise said they actually saw scanning for that in March 2023, so it's almost like they were preparing this attack quite a way in advance. And then we had even more information that extended the timeline: Kroll, which is a large company with a big incident response capability, had some victims where the IIS logs showed exploitation of the MOVEit service all the way back in July 2021. So potentially CL0P has been waiting and sitting on this for a long, long time, and preparing for this specific attack way in advance; it wasn't just a random weekend when they started launching the attack.

So when we actually started to hear about MOVEit, when the Progress Software advisory came out, the Google blog came out, and we started to hear about it being exploited, we looked on Shodan and saw about 2,500 systems exposed globally. And it wasn't like some of these things where you have Microsoft Exchange servers being hacked, or other devices, where if it's cloud it's pretty much fine and if it's on-prem it's going to be exploited: with MOVEit it was on-prem and cloud as well. And a shout-out to the Dutch Institute for Vulnerability Disclosure, the DIVD, and Shadowserver as well: they were doing scans of the whole internet looking for MOVEit servers and then performing victim notifications that they have an exposed, vulnerable device that anyone can contact on the internet.

So how did they actually perform the attack? A bit of a technical breakdown. They started by scanning and targeting the servers; they exploited the zero-day vulnerability, a SQLi, to upload a file, basically a web shell, and then from there they were able to launch commands from the shell, and then actually started to enumerate and download files from the MOVEit servers. And it's quite interesting, because once they'd been able to get onto the MOVEit file transfer system, which sits on top of a Windows server, they were able to get to the Azure storage blobs as well, including credentials, so that's how they were able to download gigabytes and gigabytes of files.

So after we heard about the advisory coming out and it being exploited, we started to hear the headlines of some of the victims of the MOVEit campaign, and this is why it's been such a thing that probably everyone in the room has heard about: it's because some massive companies have been hit. All of these companies either used MOVEit themselves or they had a vendor or supplier that also used MOVEit, and that means their data was in their MOVEit server. So one company called Zellis, where they service British Airways, the BBC and Boots, potentially all of the HR payroll data was in there, because their customers, and the employees of their customers, are then impacted. And on the other side here we have Raphael, I think from Reuters, and he actually emailed asking, was it you, and they emailed back saying, yes, it's us.

So this is a nice Maltego graph that I created to try and explain the campaign in more detail, taking everything that's been put out there and summarising it in one graph. This was very early on, before CL0P had even started to leak any of the victims; this was just based on open source intelligence, putting all the information together and then tying it back to the threat group and the previous campaigns.

And then it began. Some people call it the CL0P leakathon or the CL0Pocalypse. If you ever go on their site you get this sort of waiting sign, and then you solve the captcha and you can actually get onto their Tor site. So what did it actually look like if you go on the Tor site? Well, CL0P initially put up a statement saying: dear companies, CL0P is one of the top organisations offering penetration testing service, in sort of broken English, and they kind of pretend that they are legitimate pen testers who've already hacked you, so now you have to pay for their service. But they're just a ransomware gang, and no ransomware was actually deployed; it's just pure data extortion. They say things like your data is safe, and email our team if you want to pay, if you want to contact us about it. Scrolling down on that post, they explain in more detail: they say that if you don't contact them before June 14th they're going to start publishing your names, the companies' names; they can provide data to prove that they actually stole it; all this kind of information about the hack itself. But it's all them coming forward, confirming that they did it and then trying to explain to companies how they can resolve the situation, basically by paying a ransom.

And then came the leaks. So then we had some victims, just domains posted, and then we had more victims' domains posted, and then more victims, and they're going to get more victims, and so it just keeps on going. Even probably this week, they just don't stop coming; they just hit so many companies. And we don't actually know how much they stole from each company in particular, but every company that they claim they've hit, they are putting up their name on the site.

And then they actually have a bit of banter, a bit of back and forth, with journalists and things. The interesting thing about these ransomware groups is that they try to control the narrative in a way. The BBC, because the BBC is potentially a victim, is covering the story very closely, making reports and saying things like, oh, we can't confirm what CL0P's saying, so CL0P came out a little bit angry with the BBC, saying journalists are controlling the narrative and stuff. And CL0P basically came out and clarified some questions. They say only CL0P has the MOVEit zero-day; no other groups have it, it's just them. If a ransom is not paid then data's going to be leaked or sold, they said; the names will be published first, followed by data. And they apparently have already deleted the data of governments, so if you're a government, don't worry about it. They also say things like they don't care about experts, they have no reason to lie, the media is creating propaganda, they just want money and they are reasonable. It's kind of interesting for a threat actor to come out and state all these things, especially one with the most eyes on it in the world currently, probably. And another statement came out saying, we have a lot of emails from government, we've already deleted it, don't worry about it; they don't have any government data, they're just a penetration testing service, they're only financially motivated, they're not part of the Russian government or anything, and they don't care about politics. This is kind of an interesting thing, because they listed Ofcom and the Irish ComReg, which are government institutions, so they obviously have stolen from there and they obviously still have some of the data. Maybe they listed these companies and didn't even know they were government institutions; there are so many victims, one has to question, are they actually researching every victim? And maybe sometimes they're just waiting for the media to report it and then they react based on that, a little bit out of their depth on this thing. But then a couple of days later they actually removed Ofcom and ComReg after people said that those are government.

So, a little bit more interesting: some of the victims, PwC, Shell, massive, massive companies, and they've already started leaking the data. Kind of an interesting thing about PwC is that CL0P is particularly focused on them at the moment for some reason, so even this week, even yesterday or two days ago, CL0P actually registered a dedicated domain to host PwC's stolen data. Some people suspect this is probably because if you go to CL0P's Tor leak site it actually takes days or weeks to download any of the data, because their Tor site is so slow: it's like 30 kilobits a second to actually download anything from it. If you're trying to download 120 gigs you're just going to be there until you're dead. So they actually created this domain and started hosting things on the clearnet; interestingly it's on a Russian-based IP, maybe a little bit of information about where the threat actor is based. So people can actually start to download stuff a little bit faster; it's not even that much faster. Another interesting thing about CL0P's leak site is they go ahead and share information about how to use their .onion leak site, which is kind of an interesting thing for a ransomware gang. A lot, 50, 60, 70 ransomware gangs, are currently in operation; I don't think any of them have this on their leak sites. It's just CL0P that explains to people how to download the data, so they're really focused on the value of this data and trying to make it worse for the victims, the fact that they've uploaded it to their leak site.

So, monitoring a Tor data leak site. If you're a CTI analyst, or if you're just in incident response and you're trying to help them understand how bad the leak is, okay, maybe your domain's been added or maybe some files have been added, how are you actually going to measure the impact of this attack? What did they actually steal from the MOVEit server? Did they get it all, did they just get a little bit? Who knows. But how you actually do that is you navigate to the Tor onion service, where you could use a burner laptop, or you could use a virtual machine, or a VPN, or you could RDP to a cloud VPS, all these different safe ways to actually go to a Tor site, and then just hit F5 and wait for more victims to come, because they just don't stop coming. Or you can scrape the Tor site using Python, basically: find the URL for the Tor site, you go to the HTML, you look for the data locators, and then you just save them as JSON or CSV. You can load it into something like Elasticsearch, and once you've done that, if you're proactively monitoring things for clients, you can monitor for keywords in some of those leaks and some of that data, and basically be like, hey, your company name or brand name or whatever is on there; other types of criminals are probably going to download it.

So the craziest thing about this breach, probably the reason why everyone in this room has heard of it, is the fact that it caused third-party, fourth-party and fifth-party breaches. It seems everyone uses MOVEit; I mean, it is the leading MFT service in the industry of MFT providers. It's like your vendors are impacted, your suppliers are impacted, your business partners are impacted. If you're just one organisation, even if you don't use MOVEit, you're going to be impacted in some way, pretty much, because everyone that you're connected to likely used it, or someone they're connected to, or someone they were connected to. So vendors of suppliers, vendors of partners, partners of suppliers, all this kind of interconnected global supply chain, basically.

So, the timeline of CL0P. CL0P as a threat group is an interesting one to look at, because they first appeared in about early 2019 as a variant of the CryptoMix ransomware. They used to launch targeted intrusion campaigns, so they used to focus on a company, perform reconnaissance, access, all this kind of stuff, before they could actually steal data. They started by deploying ransomware, a traditional ransomware campaign, and then they incorporated double extortion like the other ransomware groups have as well. They have connections to other well-known, long-established cybercrime groups like TA505; a sort of partnership there with TA505, which is a prolific phishing threat actor, and once they'd gained access then that would lead to the deployment of CL0P. And then in April 2020 they actually had the first victim listed on the CL0P leak site, so they'd joined the bandwagon; they'd joined some of the other groups like Maze or Snatch or REvil even, at that point, possibly, with the whole thing of double extortion, data extortion. Quite interestingly, later in December, that was the first time they decided they were going to ditch ransomware deployment and go for just pure data extortion, so just go for targeting file transfer servers, so Accellion FTA, file transfer appliance, the same sort of format: discover a vulnerability, exploit it, steal files and data from it, and then ransom them back to the victims. Everyone thought, when a massive number of people started being uploaded to the leak site, that CL0P had just gone and deployed ransomware against all these victims, and then people started to realise that wasn't the case; it was just pure data extortion. Kind of an interesting shift in TTPs for this group at that point. They kind of continued with some of the targeted intrusion and ransomware deployment, but actually they went on and basically carried on that tactic in parallel, and now they've pretty much dropped the tactic of targeted intrusions and now they are just doing data extortion, which is quite interesting. I'll get to more on that later.

But yeah, in June 2021 their money launderers were arrested, as we saw: the Ukrainian cyber police knocked down the doors, got the angle grinders out, broke in and got all their money, basically. But the problem was that didn't really stop CL0P. I think a week after that there were already new victims being added to the leak site, so that was just one component potentially connected to the ransomware group; rather than actually arresting affiliates or ransomware operators or anything, they weren't really technical offensive cyber threat actors, they were just money launderers, which is a shame. It obviously would have caused them some damage, but they're still active.

Probably one of the more recent interesting developments was the fact that a Linux variant of CL0P appeared, so they are still interested in developing their actual ransomware binary and malware for deployment on files and servers, but they're kind of venturing out from traditional Windows domains, or getting to the domain controller
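The talk above mentions that Kroll found the exploitation in victims' IIS logs. As an added example after the transcript (not the speaker's tooling, and not anything from Progress or Kroll), the script below parses IIS W3C extended log lines and flags the two indicators a responder would hunt for on a MOVEit Transfer host: requests to the webshell file (the speaker recalls it as human.aspx; the filename in the public indicators is human2.aspx, so both are matched) and the `moveitisapi.dll?action=m2` request from the public exploit chain. The log lines are constructed, the host and client addresses are documentation ranges, and the `#Fields:` header is used so that column order is taken from the log rather than assumed.

```python
"""Hunt IIS W3C logs from a MOVEit Transfer host for webshell indicators.

Added example (not the speaker's tooling). The log lines below are
constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from collections import Counter
from datetime import datetime
from posixpath import basename

# human2.aspx is the webshell name in the public indicators; human.aspx is how
# the speaker recalls it in the talk, so both are matched.
WEBSHELL_NAMES = {"human2.aspx", "human.aspx"}

# Constructed sample log (IIS W3C extended format with a #Fields header).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-27 13:02:11 10.0.0.5 GET /human.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-27 13:02:14 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-27 13:02:20 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-27 13:05:01 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.7 Mozilla/5.0 404
2023-05-28 08:15:42 10.0.0.5 GET /api/v1/files - 443 alice@example.org 198.51.100.9 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per log entry, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log entry seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            # Malformed line (e.g. truncated on rotation): skip rather than misalign columns.
            continue
        yield dict(zip(fields, values))


def classify(entry):
    """Return an indicator name if the entry matches one, else None."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    if basename(stem) in WEBSHELL_NAMES:
        return "webshell-request"  # any status: a 404 is still a probe for the shell
    if stem.endswith("/moveitisapi.dll") and "action=m2" in query:
        return "moveitisapi-action-m2"
    return None


def hunt(text):
    """Return matched entries, the earliest match timestamp and a per-client-IP count."""
    hits = []
    for entry in parse_w3c(text):
        reason = classify(entry)
        if reason:
            hits.append({**entry, "reason": reason})
    first_seen = None
    if hits:
        first_seen = min(datetime.fromisoformat(f"{h['date']} {h['time']}") for h in hits)
    return {"hits": hits, "first_seen": first_seen, "by_ip": Counter(h["c-ip"] for h in hits)}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    print(f"{len(result['hits'])} indicator hits, first seen {result['first_seen']}")
    for h in result["hits"]:
        print(f"{h['date']} {h['time']} {h['c-ip']} {h['cs-method']} {h['cs-uri-stem']} -> {h['reason']}")
```

The `first_seen` value is the point of the exercise: as the talk notes, the earliest matching request in retained logs may predate the public advisory by a long way, so hunt across every rotated log you still have rather than only the incident window.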
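The talk also walks through scraping a leak site: fetch the listing, pull the victim entries out of the HTML, save them as JSON or CSV and monitor them for keywords. As an added example after the transcript (not the speaker's scraper), the script below does the parsing, the diff against a previous snapshot (the "hit F5 and wait for more victims" step) and the watchlist match over a constructed listing page. The markup, a list of `<li class="victim">` items, is a hypothetical stand-in; the real site's HTML has to be inspected and the parser adjusted to it. The Tor fetch itself (for example through a SOCKS proxy on a throwaway VM) is left out so the example runs offline.

```python
"""Parse a leak-site listing, diff it against a previous snapshot and match a watchlist.

Added example for this page, not the speaker's tooling. The HTML below is a
constructed page with hypothetical markup and hypothetical victim names.
"""
import json
from html.parser import HTMLParser

# Constructed listing page (hypothetical markup; domains are reserved example names).
SNAPSHOT_HTML = """
<html><body>
<h1>ARCHIVE OF VICTIMS</h1>
<ul id="victims">
  <li class="victim"><a href="/leak/EXAMPLE.COM">EXAMPLE.COM</a> <span class="date">2023-06-14</span></li>
  <li class="victim"><a href="/leak/payroll.example.net">PAYROLL.EXAMPLE.NET</a> <span class="date">2023-06-15</span></li>
  <li class="victim"><a href="/leak/acme.example.org">ACME.EXAMPLE.ORG</a> <span class="date">2023-06-16</span></li>
</ul>
</body></html>
"""

# What the previous scrape already knew, and the brands/domains we are watching for.
PREVIOUS = {"example.com"}
WATCHLIST = ["acme", "payroll.example.net"]


class VictimListParser(HTMLParser):
    """Collects name, link and date from each <li class="victim"> item."""

    def __init__(self):
        super().__init__()
        self.victims = []
        self._in_item = self._in_link = self._in_date = False
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "li" and attrs.get("class") == "victim":
            self._in_item = True
            self._current = {"name": "", "href": "", "date": ""}
        elif self._in_item and tag == "a":
            self._in_link = True
            self._current["href"] = attrs.get("href", "")
        elif self._in_item and tag == "span" and attrs.get("class") == "date":
            self._in_date = True

    def handle_data(self, data):
        if self._in_link:
            self._current["name"] += data.strip()
        elif self._in_date:
            self._current["date"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_link = False
        elif tag == "span":
            self._in_date = False
        elif tag == "li" and self._in_item:
            self._in_item = False
            self.victims.append(self._current)
            self._current = None


def parse_victims(html):
    """Return the victim entries on the page, with a normalised lower-case domain."""
    parser = VictimListParser()
    parser.feed(html)
    return [{**v, "domain": v["name"].lower()} for v in parser.victims]


def new_victims(victims, previous):
    """Entries whose domain was not present in the previous snapshot."""
    return [v for v in victims if v["domain"] not in previous]


def watchlist_hits(victims, watchlist):
    """Entries whose domain contains any watchlist term (case-insensitive)."""
    hits = []
    for v in victims:
        matched = [w for w in watchlist if w.lower() in v["domain"]]
        if matched:
            hits.append({**v, "matched": matched})
    return hits


def to_json_lines(records):
    """One JSON object per line, ready to bulk-load into Elasticsearch or similar."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    fresh = new_victims(parse_victims(SNAPSHOT_HTML), PREVIOUS)
    print(to_json_lines(watchlist_hits(fresh, WATCHLIST)))
```

Substring matching on a short brand name will produce false positives on a list this long, so treat a watchlist hit as a prompt to check the entry by hand, and keep the previous snapshot on disk so a re-run only raises what actually changed since the last scrape.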