
Hello everyone, and welcome to my talk, "I like to MOVEit". This talk is about the MOVEit vulnerability and the incident response cases I have been working on since last summer. As with every good presentation, this one starts with disclaimers. First of all, if I say something stupid, that's me, not Accenture, so you can blame it purely on me. The other thing is that I don't want to engage in any kind of victim shaming. I'm going to talk about the victims of this vulnerability and of Cl0p's run with it, and I'm not going to shame them; they were purely victims in this case. And of course I'm using Madagascar-themed pictures which I have taken from Bing. All of the rights to the pictures belong to DreamWorks and I don't own them. So, a few disclaimers before we start.

First of all, I'm going to introduce the narrator of this talk, which will be me. Like I said, my name is [name inaudible]. I've been working in digital forensics and incident response for 10 years, and I'm currently working for Accenture as a security consulting manager. I'm responsible for the RITA team; the name comes from the words rapid intelligence and tactical analysis. We're basically doing malware analysis, threat intelligence and intrusion analysis on the engagements Accenture is handling for its clients. Someone mentioned that they don't have CISSPs; I have a few of them, a few certifications I've done over the years. I'm also actually organizing conferences in Finland, so if you're ever planning to travel to Finland, please join Disobey, which is held in February every year. It's a super nice and cool conference, around 2,000 people attending, and it's quite cheap, 50 or 70 something for the ticket.

All righty, so to the actual story. Who are the bad guys behind the story I'm going to present to you today? They say themselves that they are a top organization offering penetration testing services. This is what they state on their website, well, on their Tor network site, but I wouldn't fully agree with that. Originally they were a ransomware group, so they were installing ransomware in enterprises, and they have been around for a while; they were first seen in 2019, so five years ago they started their operations. This is a purely financially motivated group, and they are linked to Russia and Ukraine and six other countries in Europe, so individuals living in Russia and Ukraine. Of course the Russian government allows this kind of cyber criminality in their country, which makes it easier to operate if you don't target CIS countries or organizations operating in CIS countries. The majority of their victims are in the US, and later on I will tell you where the victims of the MOVEit vulnerability case were. It's important to remember that the majority of Cl0p's victims in general are in the US.

I said that they were originally a ransomware group, which is interesting because nowadays their operating model is a little bit different. They have been using vulnerabilities just to steal the data; they haven't lately been deploying the ransomware. They don't do the double extortion where you steal the data, then encrypt it, then extort for decryption, and they are also not leaking the data publicly. So this is interesting: they are only stealing data, and we will come back to this later in the presentation.

Next one, the enabler. Like I said, MOVEit is a piece of software that had a vulnerability last year, and it's MFT software. The first time I came across MFT in this context I was a little bit confused, because I have a background in digital forensics, and in digital forensics MFT usually stands for something totally different. But this time, and in this presentation, if I'm referring to MFT I mean the managed file transfer service. The software itself looks like this: it's basically a web-based enterprise tool for transferring data from site A to site B, just to enable, for example, different locations of an enterprise to share data with each other. In the cases we saw, many corporations were also using this software to get data from their clients and subsidiaries to the main corporation, so there was quite business-sensitive information transferred using this service. This software was originally released in 2002, so it's been a while, and you can actually install it in the cloud or on premise. All the cases I was dealing with were actually on-premise installations. MOVEit, or Progress themselves, say that this is used by thousands of organizations globally, which I don't fully agree with based on the searches I ran: there are around 1,600 instances open to the internet, and as we can see most of the instances are in the United States, followed by the UK, Germany, the Netherlands, Canada and some other countries in Europe as well. So like I said, the majority of Cl0p's victims in general are in the US, but so are the majority of MOVEit users.

So let's move on to the victims. Who were the victims of this campaign? First of all, I want to say that this is, I think, an overused quote by John Chambers, but I think it actually fits this case quite well: there are two kinds of companies, those that have been hacked and those who don't know that they have been hacked. I still believe that there are many companies that were using MOVEit but don't know that they were actually hacked by Cl0p. What we saw last year when the vulnerability came out was that many companies started patching their services, and they patched like one week after the release of the vulnerability. The sad thing is that Cl0p actually exploited the vulnerability straight away when it was released, and they had already stolen all of the data by the time the companies started patching. As they stole a lot of data (if you have ever done eDiscovery you know that if you have a lot of data it's hard to go through what you actually have), and Cl0p were quite good at it, they started extorting the companies who were high-value targets. I believe that there are still smaller companies who have been compromised using this vulnerability, and all of the data stored in their MOVEit has been stolen, but they just don't know about it yet.

Well, detecting this kind of stuff is hard, we all know that. So basically this falls into the category where Cl0p themselves are letting the company know that they have been compromised; this falls under notification by external parties for the companies. And as we all know, doing incident response and dealing with this kind of case is quite expensive: the total average cost of incidents like this in Scandinavia alone is 2 million dollars.

So who were the victims? Cl0p is nice in that way that they actually release all of the victims that don't pay, so it's easy to follow which kind of companies, and in which countries, have fallen to this case. There are super big companies; you can find, I think, three of the Big Four on the list. To be honest, I wouldn't be surprised if I saw Accenture there one day, because many companies use these kinds of MFT solutions, not specifically MOVEit but some others as well. On this list we can see 251 victims, so quite many companies fell to this vulnerability, and I will shortly tell you why they were not able to defend themselves in this case. Previously I showed where MOVEit is actually used, and the victims on the list actually follow the same structure: most of the victims were in the US on the list I just showed you, followed by the UK, Germany, the Netherlands and Canada. So basically, they weren't targeting any countries with the exploitation; they were just scanning the internet and owning all the services they were able to. And also, if we look at which sectors the companies who were victims of Cl0p are working in, this also supports the theory that this wasn't targeted at anyone; this was basically an opportunistic way to compromise different companies working in different industries.

So to the actual storyline, what happened. The CVE: it's a SQL injection vulnerability and it was released on the last day of May last year. On the 1st of June a CVE was requested for the vulnerability, and actually Huntress, an incident response company, released a quite good blog post on the 1st of June where they told what kind of stuff they had seen in the exploitation of this vulnerability, and on the 2nd of June the CVE was published. So let's remember the fact that on the 31st of May last year MOVEit said that they had released fixes for all supported versions. It was the last day of May, and as you know, in enterprises patching and fixing stuff is usually not that straightforward, so you need some kind of change management process where you actually test the patches before you deploy them, even if they are emergency patches. So it takes some time in the real world to update things.

Cl0p basically scanned for vulnerable MOVEit servers, and when they found one they exploited it using the vulnerability, the SQL injection, and installed this human2.aspx backdoor on the system. After that, they actually used the backdoor to create a user session, a legit user session, and using that legit user session they stole all the data which was stored in the MOVEit instance. Back in May and June there were no public exploits for this vulnerability, but later on, last summer, I think at the end of the summer, Horizon3.ai released a public exploit on GitHub. So I went through the public exploit and what it does, basically followed which kind of requests it sends to the MOVEit server, and as you can see here it's not a single-request pwn; it requires many steps before you can actually use the vulnerability. I wrote them down on the right side of the slide and then went back to the incident data we saw and compared. This is from a real incident, the kind of exploitation chain we saw in the logs of the MOVEit server, and as we can see there are a lot of similarities with the public exploit. Highlighted here, we can see that most of the requests appear in the logs we were able to capture from a real case, and then there are of course a few of them which were not in the public exploit, and I have a hypothesis for those as well. First of all, the first one might be checking if the instance is actually vulnerable to this CVE, so they were making sure that the victim had not done any kind of quick fix there. The other one was a SQL injection, and the hypothesis was that it was used for cleaning up the database. We saw that, even though the service had query logs enabled, we couldn't see any SQL injections in the query logs, so there was some kind of cleanup done by the threat actor during the incident or after successfully exploiting the vulnerability.

After that we can see the post-exploitation activities: basically they were using the backdoor they had just installed, accessing the backdoor (what it does is explained next), and then after some time they started the exfiltration. One thing I want to highlight from the logs as well is that the exploitation started here at the top of this list, and the exfiltration started at the bottom of the list, so it took only 4 and a half hours from the initial exploitation to exfiltration. That's quite fast if you think about our detection and response capabilities. Who can say that they have a SOC that can respond to incidents in 4 and a half hours? I think no one.

So, the backdoor. It's human2.aspx and it's not a webshell. When this incident came out, when we saw a lot of public blog posts about it, people were saying that this is a webshell. Well, to me a webshell means some kind of shell that you can use to execute shell commands on the system, but this wasn't that kind of thing; this was targeted only at the MOVEit software. It's waiting for HTTP requests, and when it gets one it will check the value of the X-siLock-Comment HTTP header. This HTTP header contains a string which is used as a password. If the password is correct then it will proceed with the execution, but if the password is wrong it will return 404 Not Found to the requester, which makes it hard to identify compromised services on the internet. Basically, usually when we see big campaigns where threat actors are using webshells with a static password, it's easy to scan for them. Before I joined Accenture I was working at the National Cyber Security Centre of Finland, and when we, for example, saw some big vulnerabilities coming up, we were allowed to scan Finnish networks to see if we could find compromised services, and when the attackers were using static passwords for their webshells we were able to identify which servers had been compromised. But in this case Cl0p was using unique passwords per client: we identified multiple of our clients that had this webshell on their MOVEit server, but none of them had the same password on the webshell, well, on the backdoor. So it makes it impossible to scan the internet to find these compromised servers.

So basically, if the password matches then it will continue to the next step, which is checking the X-siLock-Step1 HTTP header. This header has either a -1, a -2 or a null value, so it might be empty or it might have one of two options, and depending on the option it will decide what it does next. If the value is -2 it will delete the Health Check Service user account; well, "Health Check Service" is the login name, but the username of the account is a random string. If it's -1, then it will try to get the Azure Blob storage credentials from the system, list all of the files that are stored in the MOVEit and send them back to the attacker. If the value is neither of them, then it will continue to the next step, which is checking the values of X-siLock-Step2 and X-siLock-Step3, which are the file name and file folder. If these are present in the headers it will deliver the file content of the specific file that is specified in the Step2 and Step3 headers, so it's used to steal only one or two files from the system, not all of them. And then there's the one that was used the most, which we saw the attacker using: checking if there are active privileged user accounts and listing all of them. If there are such user accounts it will create a session for one of them and return it to the attacker, and if not, it will create a privileged user account with the login name Health Check Service, which the webshell, or the backdoor, can also delete from the system. When they were using this option and there were privileged user accounts, it was using the lowest, like the first created, user account. So for example, when we got engaged on these incident response cases, it was usually some admin who had set up the system in the first place, and they were of course blaming some internal threat still in their environment, even though they didn't know about the vulnerability, but they saw that someone had downloaded all the files to Russia or some other country. One of the IPs was hosted in Russia actually, and one of them was in Canada.

So what can we learn from this case? What can you do to prevent yourself from getting caught by this? First of all, many of the victims already had a plan; they had a plan, they had a SOC, they had incident response teams, but they were still affected and they couldn't defend themselves. So what should be done, what should be improved? First of all, let's look at the timeline. 28th of May: recon. I have seen cases where there was recon earlier as well, but at least in the cases I dealt with I didn't see any activity from known Cl0p-related IPs against these services before the 28th of May. Minutes after the recon they started the exploitation, and then hours after the exploitation, like I said, four and a half hours in the one case, they started the exfiltration, and then days or weeks after the exfiltration they did the extortion part. So guess where the patch was released, in which phase of this? Anyone? So here: after the exfiltration the patch was released. So how could the victims have protected themselves?

So, conclusions. The first and foremost is that patching vulnerabilities is not enough. When the vulnerability is disclosed and the patch is disclosed, your data may already have been compromised; you always need to do some kind of compromise assessment. The other thing is that threat actors may shift from ransomware to extortion-only operations, which is kind of interesting for organizations. Usually when you see a ransom note on your desktop it's a clear sign that you have been compromised. What if in the future the first thing you see is an email from the threat actor saying, by the way, we have stolen all of your data and you have 24 hours to pay us? This will change the game quite a lot, and we have seen ransomware operators other than Cl0p doing this as well in the past six months. And then the third one: use best practices. Let me repeat: managed file transfer service, not managed file storage service. Why would you store your information there? It's meant for transfer only, and there was data from years back in the victims' MFT installations. They are meant for transferring data, not for storing it. I think my time is up, so thank you very much for listening, and I'm sure if we have time for questions... we do? All right.
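Added example, not part of the talk and not code from the speaker, Accenture or Progress: a small Python script that turns the human2.aspx dispatch logic described above (X-siLock-Comment as password with 404 on mismatch, X-siLock-Step1 of -1/-2/null, X-siLock-Step2/Step3 as file name and folder, otherwise session creation for a privileged account) into a classifier, runs it over constructed request records, and measures the gap from first backdoor contact to first bulk download, the "4 and a half hours" point. It assumes the records come from a reverse proxy or WAF that logs request headers (plain IIS W3C logs do not record them), and that bulk exfiltration shows up as large 200 responses after the backdoor has been used. The timestamps, client IPs, download path, password string and sizes are all constructed for the example.

```python
"""Decode observed human2.aspx traffic and rebuild the intrusion timeline.

Example code only; the backdoor behaviour modelled here is the description given
in the talk, the log format and all values are constructed for illustration.
"""
import json
from datetime import datetime

BACKDOOR_PATH = "/human2.aspx"      # file name of the backdoor named in the talk
BULK_DOWNLOAD_BYTES = 1_000_000     # assumed threshold for "bulk" transfers


def classify_backdoor_request(rec):
    """Map one request to the action the backdoor would take, per the talk.

    Returns None for requests that never touch human2.aspx.
    """
    if rec["path"].lower() != BACKDOOR_PATH:
        return None
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    # Wrong or missing X-siLock-Comment password: the backdoor answers 404.
    if rec["status"] == 404:
        return "password mismatch (404 returned)"
    step1 = headers.get("x-silock-step1")
    if step1 == "-2":
        return "delete 'Health Check Service' account"
    if step1 == "-1":
        return "dump Azure Blob settings and list all stored files"
    name, folder = headers.get("x-silock-step2"), headers.get("x-silock-step3")
    if name and folder:
        return f"read single file {folder}/{name}"
    # Null Step1 and no Step2/Step3: reuse or create a privileged session.
    return "create or reuse privileged session"


def parse_log(text):
    """Parse constructed JSON-lines proxy records; timestamps become datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def build_timeline(records):
    """Return backdoor actions in order plus the exploitation-to-exfil gap in hours."""
    records = sorted(records, key=lambda r: r["ts"])
    actions, first_hit, first_bulk = [], None, None
    for rec in records:
        action = classify_backdoor_request(rec)
        if action is not None:
            if first_hit is None:
                first_hit = rec["ts"]
            actions.append((rec["ts"], rec["client"], action))
        elif (first_hit is not None and first_bulk is None
              and rec["status"] == 200 and rec["bytes"] >= BULK_DOWNLOAD_BYTES):
            first_bulk = rec["ts"]  # first large download after backdoor use
    hours = None
    if first_hit is not None and first_bulk is not None:
        hours = (first_bulk - first_hit).total_seconds() / 3600
    return {"actions": actions, "first_backdoor_hit": first_hit,
            "first_bulk_download": first_bulk, "hours_to_exfiltration": hours}


# Constructed sample records (not real incident data).
SAMPLE_LOG = """\
{"ts": "2023-05-28T21:00:00Z", "client": "203.0.113.7", "method": "GET", "path": "/human2.aspx", "status": 404, "bytes": 312, "headers": {"X-siLock-Comment": "wrong-guess"}}
{"ts": "2023-05-28T21:00:05Z", "client": "203.0.113.7", "method": "GET", "path": "/human2.aspx", "status": 200, "bytes": 4096, "headers": {"X-siLock-Comment": "per-victim-secret", "X-siLock-Step1": "-1"}}
{"ts": "2023-05-28T21:00:30Z", "client": "203.0.113.7", "method": "GET", "path": "/human2.aspx", "status": 200, "bytes": 512, "headers": {"X-siLock-Comment": "per-victim-secret"}}
{"ts": "2023-05-28T22:15:00Z", "client": "198.51.100.9", "method": "GET", "path": "/human2.aspx", "status": 200, "bytes": 20480, "headers": {"X-siLock-Comment": "per-victim-secret", "X-siLock-Step2": "board-minutes.pdf", "X-siLock-Step3": "/Home/finance"}}
{"ts": "2023-05-29T01:30:00Z", "client": "198.51.100.9", "method": "GET", "path": "/download?id=1001", "status": 200, "bytes": 52000000, "headers": {}}
{"ts": "2023-05-29T01:31:10Z", "client": "198.51.100.9", "method": "GET", "path": "/download?id=1002", "status": 200, "bytes": 73000000, "headers": {}}
{"ts": "2023-05-29T03:05:00Z", "client": "198.51.100.9", "method": "GET", "path": "/human2.aspx", "status": 200, "bytes": 128, "headers": {"X-siLock-Comment": "per-victim-secret", "X-siLock-Step1": "-2"}}
"""

if __name__ == "__main__":
    result = build_timeline(parse_log(SAMPLE_LOG))
    for ts, client, action in result["actions"]:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {client:<14}  {action}")
    print(f"exploitation -> exfiltration: {result['hours_to_exfiltration']} h")
```

Run stand-alone it prints the decoded action sequence (probe with wrong password, file listing, session creation, single-file read, then account deletion after the downloads) and a 4.5 hour gap. Because the password is unique per victim, the useful indicator is any request reaching human2.aspx at all, including the 404s; the script counts those as backdoor contact on purpose, since the speaker's point is that a 404 is what a mismatched password produces, not proof that the file is absent.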