Blog :: NDR

What is the MOVEit Vulnerability and How To Detect It

Analyst looking for the MOVEit vulnerability to prevent a cyber attack.

By now you have probably heard of a vulnerability in MOVEit or its use by the hacking group ClOp. This cyber attack is all over the news at the moment, with large government agencies and enterprises being affected by the MOVEit vulnerability. If you found this blog post, then you probably are interested in one or more of the following:

  1. What is all the fuss about and is it relevant to me?
  2. You are looking for education on what it is and why it’s a big deal.
  3. You have Plixer’s NDR solution, and you want to know how it can detect these threats.

Let’s start out with what all the fuss is about. MOVEit is a managed file transfer software product produced by Ipswitch Inc. Its primary function is to facilitate secure file transfers for organizations. But what it does isn’t relevant. What is relevant is that it is used by many organizations and is a web server… and that there was an unknown (what we call zero-day) SQL injection exploit that could be used to gain access to the server hosting it. The details of the exploit can be found in the National Vulnerability Database under CVE-2023-34362.

Obviously, being able to gain access to a server means you can start doing other bad things. And I’ll get to that soon. But let’s first address the “Is it relevant to me?” Well, does your organization use MOVEit? If it does, then it’s very relevant to you. You should head over to the vendor’s website and read up on remediation steps here.

Now, let’s dive into why this is a big deal and hopefully provide some education in the process. One word… “ransomware”. This MOVEit exploit has been used by a well-known cybercriminal group called “ClOp” which leans very heavily on ransomware and uses double extortion to extract money from organizations. Double extortion in this case is holding their data ransom with encrypted files and threatening to release sensitive data that was obtained during the cyber-attack.

So let’s walk through the current ClOp’s ransomware infection chain that leverages the MOVEit vulnerability. For ease of digestion and to allow reference later, I’ll break this down into steps:

  1. It starts with the (you guessed it) MOVEit vulnerability. This allows delivery of the LEMURLOOT webshell. A webshell is simply a shell-like terminal that is accessed via a web interface. Usually, a webshell is used to deliver other malicious software.
  2. In this case, the malicious software of choice is called Truebot. Truebot gathers details about the system it’s deployed on, including Active Directory details, desktop icons, and system processes. This is all transmitted back to the attacker’s command and control server. This gives them some intelligence on the infected system to help them circumvent security controls.
  3. They download another tool called FlawedGrace. This does further recon including details regarding local administrator accounts, keystroke logging, clipboard data, network configurations as well as remote system discovery to view additional hosts available to the infected system. It’s usually at this stage that they disable or take appropriate steps to prevent locally installed security tools from being effective.
  4. The next tool downloaded is SDBot. This will allow them to start collecting and exfiltrating data. This includes data on thumb drives and other removable media, network shares, and local storage. The data is exfiltrated using the established C&C channel.
  5. Another tool deployed is Cobalt Strike. This is penetration testing software and is used by many security groups to test networks for weaknesses. In this case, however, it is used for nefarious purposes. Primarily to gain access to other remote systems through RDP or LDAP and thus, further infect the target.
  6. Finally, the ClOp ransomware is deployed and when triggered, will decrypt key system files, and hold the compromised system and its data hostage until payment is sent.

That is the infection chain as it stands today.

So, let’s talk about how Plixer can provide an early warning system for this kind of attack. As outlined above, one of the first steps is establishing a web shell. These are shell-like terminals that originate from outside your organization. Plixer raises an alert whenever it detects a session initiated outside the organization, as this is suspicious behavior.

Alerting on command and control (C2) communication is another way that Plixer shows you something malicious is happening. By seeing all traffic, we can flag when communication to a known C2 node is seen. C2 nodes are updated daily, but you can also ingest your own via STIX/TAXII.

Since the infection chain involves discovery and lateral movement, there are a wealth of machine-learning detections that will pick up anomalous behavior. Everything from RDP, SMB, or LDAP usage to spread malicious tools to collecting and staging data before exfiltration.

Data exfiltration, too, is picked up. This is another great example of Plixer’s unsupervised machine learning at work.

The best thing about all of these detections, since Plixer is network-based, the attacker can’t circumvent it as they do with endpoint-based tools.

As you can see, Plixer’s NDR solution is able to alert you to the presence of ransomware and malware that attackers like ClOp use to exploit any number of vulnerabilities, including the vulnerability in MOVEit.

Are you interested in learning more about our Network Detection and Response platform or how our Machine Learning and security capabilities can better position you against these evolving threats? Learn more by booking a demo today.