Background
As of August 8, roughly 600 organizations have fallen prey to the ransomware group known as CL0P (also tracked as TA505), whose latest extortion campaign exploits a zero-day SQL injection vulnerability in MOVEit Transfer, a Managed File Transfer (MFT) application developed by Progress Software Corporation. MOVEit Transfer is used extensively by organizations around the globe for automated, secure file transfer and sharing. In this campaign, the CL0P gang leaves a ransom note on the MOVEit Transfer server and threatens to publish the exfiltrated data on its Tor leak site if the ransom is not paid.
On May 31, Progress Software issued an advisory for this vulnerability, which is tracked as CVE-2023-34362 and carries a CVSS severity rating of 9.8 out of 10. Progress Software has since identified additional vulnerabilities and issued corresponding patches.
The latest data suggest that the MOVEit Transfer vulnerability has become the catalyst for one of the most severe supply chain cyber attacks on record, comparable in reach to the SolarWinds intrusion of 2020 and the Log4j vulnerability disclosed in 2021. These events underscore the persistent and evolving threat of cybercrime and have prompted a renewed focus on strengthening cybersecurity measures.
Severity and Impact of the MOVEit Transfer Supply Chain Attack
The known victim list of the MOVEit Transfer attack includes major names in the financial industry, healthcare and insurance firms, and education and government institutions, with an estimated impact so far of roughly 35 million individuals.
A number of organizations that do not use MOVEit Transfer directly, but employ third-party contractors or subcontractors who do, have also been compromised. The damage also extends beyond the systems of MOVEit Transfer customers: downstream attacks that make use of the stolen customer or employee data have already been reported.
While the CL0P ransomware gang has historically focused its attacks on enterprise IT environments rather than Industrial Control Systems (ICS), this latest campaign has also hit energy-sector organizations, including Shell, Siemens Energy, and the US Department of Energy.
Understanding the Attack Strategies Used by CL0P
CL0P, a variant of the CryptoMix ransomware family, is operated by a Russian-speaking group (Threat Actor 505, or TA505) and employs sophisticated techniques to evade detection. CL0P has a history of targeting file transfer products similar to MOVEit Transfer. These applications are inherently attractive targets because they are used to move sensitive information. Notably, in 2020 the financially motivated group FIN11 exploited vulnerabilities in the Accellion File Transfer Appliance (FTA; Accellion has since rebranded as Kiteworks) to infiltrate victims' networks, exfiltrate data, and deploy CL0P ransomware. CL0P also claimed responsibility for the mass exploitation of Fortra GoAnywhere MFT servers in early 2023.
CL0P's operators began using double extortion tactics in 2020, and over time their methods have become increasingly aggressive. In 2021, they exploited a SolarWinds Serv-U vulnerability to breach corporate networks and deliver further ransomware.
A Closer Look at the MOVEit Transfer Vulnerability CVE-2023-34362
MOVEit Transfer is deployed both on customer-managed servers around the world and as a SaaS (Software as a Service) offering hosted by Progress as MOVEit Cloud. Central to the application is a database (MySQL, Microsoft SQL Server, or Azure SQL) that stores user information, configuration settings, file and folder metadata, and audit logs.
The critical zero-day vulnerability CVE-2023-34362 is an SQLi-to-RCE (SQL injection leading to remote code execution) flaw in the MOVEit Transfer web application that lets an unauthenticated attacker gain unauthorized remote access to the MOVEit server environment.
A crafted payload sent to a MOVEit Transfer application endpoint results in the manipulation or disclosure of the contents of the MOVEit database. Attackers have used this foothold to deploy web shells (malicious scripts) on MOVEit servers and, through them, to obtain elevated administrator-level access to the system.
More specifically, web shell operators interact with the MOVEit host by sending HTTP requests containing special header fields. In this manner, they can issue commands that, for example:
- Access Microsoft Azure system settings, Azure Blob storage, Azure Blob storage accounts, Azure Blob keys, and Azure Blob containers.
- Enumerate (i.e. view and analyze) the underlying SQL database.
- Store a string sent by the operator, then retrieve from the MOVEit Transfer system a file whose name matches that string.
- Create a new account with admin privileges and a randomly generated username and login name. (Note that if the compromised web server is rebuilt but the database is kept intact, the CL0P-created account will still exist and can be used for persistent access.)
- Delete accounts of a specified name in order to evade detection.
Given the nature of the exploit, the breached database, the possible exposure of sensitive user and configuration data, and the elevated privileges on the MOVEit application server, attackers may achieve easy, unfettered access to the MOVEit host. This gives them a platform for widespread damage, including sabotage, espionage, data manipulation, and the exfiltration and leakage of sensitive information.
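To make the web shell indicators above actionable, here is an added example (not code from the original article, from Progress Software, or from CISA) that triages IIS W3C logs from a MOVEit Transfer server in Python. It flags any request to the `human2.aspx` web shell path, which the public CISA and Progress guidance for CVE-2023-34362 name as the dropped web shell (it mimics the legitimate `human.aspx` login page), and flags any client that completes the request sequence moveitisapi.dll, guestaccess.aspx, api/v1/token from that same guidance within a short window. The log lines are constructed and the ten-minute window is an assumption.

```python
"""IIS W3C log triage for the MOVEit Transfer web-shell pattern.

Added example; not code from the original article, Progress Software, or
CISA.  The indicators follow the public CISA/Progress guidance for
CVE-2023-34362 (the `human2.aspx` web shell path, which mimics the
legitimate `human.aspx` login page, and the request sequence
moveitisapi.dll -> guestaccess.aspx -> api/v1/token).  The log lines are
constructed and the time window is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the W3C format IIS writes (one "#Fields:" header).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 00:00:01 10.0.0.5 GET /human.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2023-05-28 00:00:02 10.0.0.5 POST /moveitisapi/moveitisapi.dll - 443 - 198.51.100.23 - 200
2023-05-28 00:00:03 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.23 - 200
2023-05-28 00:00:04 10.0.0.5 POST /api/v1/token - 443 - 198.51.100.23 - 200
2023-05-28 00:00:05 10.0.0.5 GET /api/v1/folders - 443 - 198.51.100.23 - 200
2023-05-28 00:00:09 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.23 - 200
2023-05-28 00:01:00 10.0.0.5 GET /human.aspx - 443 - 192.0.2.44 Mozilla/5.0 200
2023-05-28 00:02:00 10.0.0.5 POST /guestaccess.aspx - 443 - 192.0.2.44 Mozilla/5.0 200
"""

# Any hit on the web shell path is a confirmed-compromise indicator.
WEBSHELL_PATHS = {"/human2.aspx"}

# Ordered request sequence seen in the exploitation chain, per CISA/Progress.
EXPLOIT_SEQUENCE = [
    ("POST", "/moveitisapi/moveitisapi.dll"),
    ("POST", "/guestaccess.aspx"),
    ("POST", "/api/v1/token"),
]
SEQUENCE_WINDOW = timedelta(minutes=10)  # assumption: the steps arrive close together


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        yield rec


def sequence_completed_at(recs):
    """Return the timestamp at which one client's time-ordered requests complete
    EXPLOIT_SEQUENCE within SEQUENCE_WINDOW, or None if they never do."""
    idx, start = 0, None
    for r in recs:
        if start is not None and r["ts"] - start > SEQUENCE_WINDOW:
            idx, start = 0, None  # window expired: start matching over
        method, stem = EXPLOIT_SEQUENCE[idx]
        if r["cs-method"] == method and r["cs-uri-stem"].lower() == stem:
            if idx == 0:
                start = r["ts"]
            idx += 1
            if idx == len(EXPLOIT_SEQUENCE):
                return r["ts"]
    return None


def triage(log_text):
    """Return (severity, client_ip, detail) findings for one log file's contents."""
    findings = []
    by_client = defaultdict(list)
    for rec in parse_w3c(log_text):
        by_client[rec["c-ip"]].append(rec)
        if rec["cs-uri-stem"].lower() in WEBSHELL_PATHS:
            findings.append(("critical", rec["c-ip"],
                             f"{rec['cs-method']} {rec['cs-uri-stem']} at {rec['ts']} (web shell path)"))
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        done = sequence_completed_at(recs)
        if done is not None:
            findings.append(("suspicious", ip, f"exploit request sequence completed at {done}"))
    return findings


if __name__ == "__main__":
    for severity, ip, detail in triage(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {detail}")
```

Run it over the IIS logs of every MOVEit node, including nodes that have since been rebuilt: because the persistence account described above lives in the database, a clean web tier does not prove the deployment is clean. Treat a `human2.aspx` hit as confirmed compromise and a completed sequence as the trigger for a full review of the database and its user table.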
According to CISA's advisory, CL0P's TTPs (Tactics, Techniques, and Procedures) include the following patterns for expanding network access and moving laterally:
- Remote System Discovery (T1018) – CL0P actors use Cobalt Strike to expand network access after gaining access to Active Directory (AD) servers.
- Remote Services: SMB/Windows Admin Shares (T1021.002) – CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities, with follow-on Cobalt Strike activity.
- Remote Service Session Hijacking: RDP Hijacking (T1563.002) – CL0P actors have been observed using the Remote Desktop Protocol (RDP) to interact with compromised systems after initial access.
What Does This Mean for Critical Manufacturing
Vulnerabilities like the one discovered in the MOVEit Transfer application live in the Information Technology (IT) environment, but they also put Operational Technology (OT) environments at risk. Such vulnerabilities give attackers more opportunities to introduce malicious software into systems, and once an IT environment is breached, attackers may move laterally to OT environments on the internal network, causing collateral damage.
Malware or attacks that penetrate the OT environment can have particularly damaging, even devastating, effects, since physical machinery or operational processes may be affected. OT environments are typically used to control and monitor industrial equipment and operational facilities, such as power grids, factory production lines, and traffic control systems.
We've noticed some key points in CL0P's TTPs (Tactics, Techniques, and Procedures) that should concern the manufacturing sector:
1. CL0P's MOVEit Campaign Ushers in a New Extortion Model
CL0P has changed its approach in the MOVEit campaign, and other threat groups may follow. Rather than deploying ransomware in the target environment, CL0P has simplified its business model, focusing strictly on data theft and using the stolen information to extort its victims.
As industrial internet connectivity grows, today's Operational Technology (OT) environments may contain Industrial Internet of Things (IIoT) platforms like GE Predix, Siemens MindSphere, or Rockwell Automation FactoryTalk. These platforms collect, process, and analyze equipment data for factories and also handle sensitive data transfers. OT-targeting threat groups could therefore set their sights on similar tools, exploiting zero-day vulnerabilities to steal sensitive data such as proprietary production recipes and trade secrets.
2. Exploiting Supply Chain Vulnerabilities
Attackers seek out vulnerabilities in internet-facing applications because these can offer direct access to Industrial Control System (ICS) environments or a path into ICS networks. Internet-wide scanning services that index open ports and services make such exposed applications easy to find. For example, the Sandworm Team has previously exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin's WebAccess HMI software that were directly exposed to the internet.
After initial access is gained, CL0P actors have been observed using the Remote Desktop Protocol (RDP) to interact with compromised systems. CISA also reports that CL0P actors subsequently attempt to exploit Server Message Block (SMB) vulnerabilities against AD servers and conduct Cobalt Strike activity. These activities create opportunities for lateral movement, which highlights the importance of strictly limiting the use of remote file sharing and RDP. For instance, organizations can require that remote access tools be used only from within the organization's network over approved remote access solutions such as a VPN or VDI, block inbound and outbound connections on the ports and protocols used by common remote access software, close unused RDP ports, and log all RDP login attempts.
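The RDP controls above only pay off if someone reviews the logged attempts. As an added example (not code from the original article or from CISA), the following Python flags RDP logons, Windows Security events 4624 and 4625 with logon type 10 (RemoteInteractive), whose source address lies outside the approved jump-host or VDI range. The JSON-lines rendering of the events, the field subset, and the approved network 10.10.0.0/24 are constructed assumptions; a SIEM or `Get-WinEvent` export would supply the real records.

```python
"""Flag RDP logons that bypass the approved remote-access path.

Added example; not code from the original article or from CISA.  It parses
a minimal JSON-lines rendering of Windows Security events (one object per
line, a subset of the 4624/4625 fields); the records and the approved
source network are constructed/assumed.
"""
import ipaddress
import json

# Assumption: every legitimate RDP session into OT hosts originates from this
# jump-host / VDI range.  Anything else is reviewed.
APPROVED_RDP_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]

RDP_LOGON_TYPE = 10             # LogonType 10 = RemoteInteractive (RDP)
LOGON_EVENT_IDS = {4624, 4625}  # successful logon / failed logon

# Constructed sample events.
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 10, "TargetUserName": "ot-engineer", "IpAddress": "10.10.0.15", "Computer": "HMI-01"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "10.50.3.21", "Computer": "HMI-01"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "svc_backup", "IpAddress": "10.50.3.21", "Computer": "HMI-01"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "198.51.100.9", "Computer": "ENG-WS-02"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "-", "Computer": "ENG-WS-02"}
"""


def source_is_approved(ip_text):
    """True only for a parseable address inside an approved network.

    Windows records '-' when no source address is available; an unparseable
    source is deliberately treated as unapproved so it gets reviewed."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in APPROVED_RDP_SOURCES)


def flag_rdp_logons(events_text):
    """Return (computer, user, source, outcome) for every RDP logon attempt,
    successful or failed, that did not come from an approved source."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") not in LOGON_EVENT_IDS or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # not an RDP logon event
        src = ev.get("IpAddress", "-")
        if source_is_approved(src):
            continue
        outcome = "successful" if ev["EventID"] == 4624 else "failed"
        findings.append((ev["Computer"], ev["TargetUserName"], src, outcome))
    return findings


if __name__ == "__main__":
    for computer, user, src, outcome in flag_rdp_logons(SAMPLE_EVENTS):
        print(f"{computer}: {outcome} RDP logon as {user} from unapproved source {src}")
```

Failed attempts are reported alongside successful ones on purpose: a failed RDP logon from an unapproved address is the earliest visible sign that the restriction is being probed.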
3. Cunning Ways to Remain Anonymous and Hidden in the System
Attackers often create new accounts, or take over existing ones, with administrative privileges in order to gain unrestricted access and execute whatever commands they wish. The display ("real") name of such an account may be set to something like "Health Check Service" to avoid raising suspicion, giving it the appearance of a legitimate, maintenance-related account. Once the criminals are done, they may delete the account to cover their tracks and avoid detection.
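To hunt for the account described above, here is an added example (not code from the original article or from Progress Software) that audits a MOVEit-style users table for administrator accounts that match the "Health Check Service" display name, are missing from a change-controlled baseline of known administrators, or were created after exposure began. It runs against an in-memory SQLite table with a simplified, hypothetical schema (LoginName, RealName, Permission, CreateStamp) and a string "admin" permission value; these are assumptions standing in for the product's real schema, and the rows and baseline are constructed.

```python
"""Audit the MOVEit Transfer user table for a hidden administrator account.

Added example; not code from the original article or from Progress
Software.  The SQLite table below uses a simplified, hypothetical schema
standing in for the product's real users table, so the column names and the
"admin" permission value are assumptions to be mapped onto the real schema.
The rows and the baseline of known administrators are constructed.
"""
import sqlite3
from datetime import datetime

ADMIN_PERMISSION = "admin"  # assumption; adapt to the real permission encoding
SUSPICIOUS_REALNAMES = {"health check service"}  # display name seen in the campaign


def build_sample_db():
    """Constructed data: two legitimate admins, one ordinary user, and two
    admin accounts created during the exposure window."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (LoginName TEXT, RealName TEXT, "
                "Permission TEXT, CreateStamp TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("sysadmin",   "MOVEit Admin",         "admin", "2021-03-01 09:00:00"),
        ("j.doe",      "Jane Doe",             "admin", "2022-11-12 14:30:00"),
        ("a.smith",    "Alan Smith",           "user",  "2023-01-20 08:15:00"),
        ("x7q2kd9f",   "Health Check Service", "admin", "2023-05-28 00:00:09"),
        ("svc_backup", "Backup Service",       "admin", "2023-05-29 03:12:44"),
    ])
    return con


def audit_admins(con, known_admins, exposure_start):
    """Return every admin account with at least one reason for review.

    known_admins:   login names from change-controlled records (the baseline).
    exposure_start: earliest time the server could have been attacked.
    """
    findings = []
    rows = con.execute(
        "SELECT LoginName, RealName, Permission, CreateStamp FROM users "
        "WHERE Permission = ? ORDER BY CreateStamp", (ADMIN_PERMISSION,)).fetchall()
    for login, realname, _perm, created in rows:
        reasons = []
        if realname.strip().lower() in SUSPICIOUS_REALNAMES:
            reasons.append("display name matches the web-shell-created account")
        if login not in known_admins:
            reasons.append("admin account absent from the baseline")
        if datetime.strptime(created, "%Y-%m-%d %H:%M:%S") >= exposure_start:
            reasons.append("created after exposure began")
        if reasons:
            findings.append({"LoginName": login, "RealName": realname,
                             "CreateStamp": created, "reasons": reasons})
    return findings


def run_sample_audit():
    """Audit the constructed table with a constructed baseline and exposure date."""
    return audit_admins(build_sample_db(), {"sysadmin", "j.doe"}, datetime(2023, 5, 27))


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f["LoginName"], f"({f['RealName']})", "->", "; ".join(f["reasons"]))
```

Because the account lives in the database rather than on the web server, run this audit after the MOVEit web tier has been restored or rebuilt as well, not only on the compromised host; an account that was already deleted by the attacker will only show up in the database's audit log, which should be reviewed in the same pass.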
Recommended Mitigations
Progress Software has provided patches for the original MOVEit Transfer vulnerability CVE-2023-34362 as well as for the related vulnerabilities CVE-2023-35036 and CVE-2023-35708. Those affected are advised to follow the remediation steps in Progress Software's Knowledge Base articles and to download the latest security patches directly from Progress Software rather than from third-party sites.
With the increasing frequency and sophistication of cybercriminal attacks, OT environments must remain especially vigilant. A firewall breach or failure between the IT and OT environments could allow IT vulnerabilities to bleed into the OT environment, posing a significant risk to assets and production uptime. Based on our extensive cyber defense experience in the OT space, we strongly recommend that manufacturing and critical infrastructure operators adopt an organized, streamlined vulnerability management process that includes segmentation, virtual patching, network monitoring, endpoint protection, and periodic security inspections.
Network Segmentation
Segmenting the network mitigates risk and contains the spread of both malware and unintended commands by dividing the ICS network topology into zones, minimizing production line downtime as well as accidental misoperation. An OT solution should be able to implement segmentation immediately, without changing the OT network architecture or requiring costly network reconfiguration. OT-native solutions can enforce protocol-aware policies that regulate which commands may enter or leave a zone, and which may pass between assets. TXOne's Edge Series products can assist with network segmentation and segregation, dividing the network into distinct zones of control, even down to the cell level.
Virtual Patching
Virtual patching is especially important because many businesses still rely heavily on legacy systems and equipment in the OT environment. TXOne's Edge series of products lets you integrate segmentation and virtual patching into the OT network without disrupting production. TXOne Networks has prepared a rule set for the EdgeIPS product series that blocks exploitation attempts against these vulnerabilities:
- 1233015 WEB Progress MOVEit Transfer moveitisapi SQL Injection (CVE-2023-34362)
- 1233101 WEB MOVEit SQL Injection vulnerability (CVE-2023-34362)
- 1233067 WEB Progress MOVEit Transfer SILCertToUser SQL Injection (CVE-2023-35036)
- 1233079 WEB Progress MOVEit Transfer SQL Injection (CVE-2023-35708)
Network Monitoring
Clear visibility is crucial for strong ICS security. A centralized network monitoring and control solution such as TXOne's EdgeOne provides defense line management and clear visibility into all installed ICS assets, including their connectivity and security status, with real-time alerts and incident events. Performing all node maintenance tasks from a centralized dashboard simplifies managing and deploying security policies or signature-based virtual patching, editing OT protocol trust lists, and deep analysis of L2-L7 network traffic by node group.
Endpoint Protection
Endpoint security is vital for detecting malicious activity on the hosts themselves and for ensuring the integrity of the network, especially once a firewall breach or failure between IT and OT has let an IT-side compromise reach OT assets. TXOne's Stellar endpoint protection can detect abnormal behavior such as changes to the system or sensitive information being transmitted. Stellar can also be integrated into the HMI or OT application server and lock down the affected function when abnormal behavior is detected. Trust lists are also pivotal to OT zero trust because they secure both endpoints and networks by specifying which actions, assets, or applications are trusted while blocking everything else.
Periodic Security Inspection
One of the primary threats to the OT environment comes from external individuals, contractors, and equipment. It is therefore crucial to audit new and foreign equipment before and while it is active on the production line, and even beyond it. Our Portable Inspector lets you scan devices entering the OT environment and detect which applications are installed on the asset and which network ports it has open.
Conclusion
According to IBM Security's 2023 X-Force Threat Intelligence Index, manufacturing was the most attacked industry in 2022 and the sector most often subjected to extortion. When it comes to zero-day attacks such as those surrounding the MOVEit Transfer vulnerability, the best defense is prevention: eliminate weaknesses before threat actors can exploit them. When the IT environment is nonetheless breached, steps can be taken to maintain the integrity of the OT environment. Fundamentally, firewalls should be deployed and network segmentation implemented to halt the spread of an intrusion. If an attacker manages to bypass a firewall, perhaps by escalating privileges, endpoint protection and detection then become pivotal to protecting assets and avoiding outages.