Breaking Badness

170. MOVEit on Up

Coming up this week on Breaking Badness: It’s a Zero-Day in the Neighborhood, I Like To MOVEit MOVEit, and Gold, Guidance, and Grievances.


Here are a few highlights from each article we discussed:

It’s a Zero-Day in the Neighborhood

  • Hackers have exploited an unpatched zero-day vulnerability in Cisco’s networking software to compromise tens of thousands of devices, researchers have warned
  • What exactly is IOS XE?
    • Long before Apple claimed the “iOS” name in everyone’s heads, Cisco had IOS running on its switches and routers. IOS is Cisco’s network operating system; IOS XE is the newer generation of it, built on a Linux kernel
    • Cisco disclosed a vulnerability in the web UI feature of IOS XE that lets an unauthenticated attacker reach the web UI and create a local user for themselves at privilege level 15, the highest level there is, and that was really big
  • What are the ramifications of this vulnerability?
    • At first the attackers’ access wasn’t persistent: a reboot would kick them out. Unfortunately a second zero-day was chained into the attack that let them leave behind an implant on the device, which gives them a much more durable level of access
    • The Talos blog says they picked up this activity in mid-to-late September, and that the attackers came back later to establish more persistence. It looks like someone found the bug, realized they didn’t have the right tooling, and returned with it
    • Cisco released a patch on 10/22
  • Who is the main target for these attacks?
    • Cisco’s main customer base is enterprise networking, but we’re not sure how many enterprises had the web UI exposed to the Internet without locking it down, since locking it down seems like the obvious thing to do
    • The folks impacted so far seem to be people running this gear at home rather than enterprise clients, but it’s still early in the investigation
    • Once attackers have a zero-day like this they throw everything they’ve got at it, because the access window closes as soon as patches land, so they likely went as broad as they could while they could
    • However, as of 10/23 there’s speculation that the number of victims isn’t as bad as initially thought
  • What else can customers do for mitigation?
    • Don’t put the web UI on the public Internet :) Management interfaces belong on a network that only administrators can reach, and if the web UI has to stay on, restrict which addresses can talk to it
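The two conditions that made this attack work are visible in a device’s running-config: the HTTP/HTTPS server enabled with nothing restricting who can reach it, and a privilege-15 local user nobody expected. The script below is an added example for this recap, not Cisco’s tooling; the three sample configs and the allowlist of expected admins are constructed for it.

```python
"""Audit a Cisco IOS XE running-config for the exposure discussed above:
the web UI (HTTP/HTTPS server) enabled without an ip http access-class
limiting who can reach it, plus privilege-15 local users nobody expected.
Added example, not Cisco tooling; the configs and allowlist are constructed."""

import re

# Constructed: a device with the web UI wide open and an extra
# privilege-15 account of the kind the attackers were creating.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed1
username svc-backup privilege 15 secret 9 $9$constructed2
!
ip http server
ip http secure-server
ip http authentication local
"""

# Constructed: the same device with the web UI turned off entirely.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed1
!
no ip http server
no ip http secure-server
"""

# Constructed: web UI kept on, but only reachable from the management range.
RESTRICTED_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed1
!
access-list 10 permit 10.10.0.0 0.0.255.255
ip http secure-server
ip http access-class 10
"""

# Assumption: the accounts that are supposed to hold privilege 15.
EXPECTED_ADMINS = {"netops"}


def parse_config(text):
    """Pull out the handful of config facts the audit needs."""
    facts = {"http": False, "https": False, "access_class": None, "priv15": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "ip http server":
            facts["http"] = True
        elif line == "ip http secure-server":
            facts["https"] = True
        elif line == "no ip http server":
            facts["http"] = False
        elif line == "no ip http secure-server":
            facts["https"] = False
        elif m := re.match(r"ip http access-class (?:ipv4 )?(\S+)$", line):
            facts["access_class"] = m.group(1)
        elif m := re.match(r"username (\S+) privilege 15\b", line):
            facts["priv15"].append(m.group(1))
    return facts


def audit(text, expected_admins=EXPECTED_ADMINS):
    """Return a list of findings; an empty list means nothing to fix."""
    facts = parse_config(text)
    findings = []
    if (facts["http"] or facts["https"]) and facts["access_class"] is None:
        findings.append("web UI enabled with no ip http access-class; disable it "
                        "(no ip http server / no ip http secure-server) "
                        "or restrict it to the management network")
    for user in facts["priv15"]:
        if user not in expected_admins:
            findings.append(f"unexpected privilege-15 user: {user}")
    return findings


if __name__ == "__main__":
    for name, cfg in [("exposed", EXPOSED_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("restricted", RESTRICTED_CONFIG)]:
        print(name, audit(cfg) or ["clean"])
```

Run it against a `show running-config` capture from each device; a hit on the second rule is worth treating as an incident rather than a hygiene item, since an unexpected privilege-15 account on a device that also had the web UI exposed is exactly what this campaign left behind.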

I Like To MOVEit MOVEit

  • The Clop ransomware gang continues its campaign against vulnerabilities in “secure” managed file transfer software
  • We haven’t discussed MOVEit on the podcast at length yet, so we’d like to share a brief summary of what’s going on
    • Clop (or Cl0p) is a group we’ve talked about occasionally in the past, as one of the most prolific ransomware operations out there; Mimecast estimates that they’ve netted some $500 million and counting. Clop was first observed in 2019, so that’s not a bad haul for four years’ work, except of course morally it’s a terrible haul
    • They are big game hunters—they seem to go after the larger organizations, so they don’t necessarily make the top of the ransomware billboard charts in terms of numbers of victims—they just tend to get a lot per victim
    • Clop is a variant of CryptoMix Ransomware which, when it encrypts data on an infected host, adds a .clop extension to the encrypted files. Its name, charmingly, comes from the Russian word “klop,” which means bedbug
    • One of the more sophisticated aspects of Clop ransomware is that it attempts to disable Windows Defender and to remove Microsoft Security Essentials. This helps Clop covertly infiltrate the victim’s system, though it does potentially make itself more visible, since the sudden absence of Windows Defender is something other security tools on that host (which are not that uncommon) can notice. Still, you’d rather not find this out AFTER the files have been encrypted
    • As for MOVEit, we realized that we haven’t talked about this, which was one of the larger stories over the summer and is continuing to prove pretty troublesome here some four months after the vulnerability was disclosed
    • MOVEit Transfer, which is not the only MOVEit application but which is the only one affected by this, is a commercial managed file transfer software app that enables the secure movement of files between organizations and their customers using SFTP, SCP, and HTTP-based uploads. At the heart of the vulnerability is a SQL injection that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database
    • The bad actor could submit a specially crafted payload to a MOVEit endpoint which could result in modification and disclosure of MOVEit database content, and from there onward toward privilege escalation. There’s a web shell that’s been commonly deployed, but basically anything can be deployed once the system’s been compromised. It’s a pretty major issue and even though a patch has been available since that disclosure was made, the number of compromises we’re still seeing tends to suggest that a lot of users still haven’t patched their installations
  • Here are a few other recent examples of file transfer tool vulnerabilities
    • Rapid7 has done some great research on this. Ron Bowes from Rapid7 said that he was going to “shake the tree and see what falls out,” said tree being looking at various MFT vendors (that’s that managed file transfer thing mentioned earlier)
    • Three of the things that fell out: Fortra Globalscape EFT Server, which had four vulnerabilities including one allowing remote code execution, although that particular one appears to be difficult to exploit
    • Then we’ve got JSCAPE MFT, which sports a Java deserialization vulnerability that would allow an attacker to take full control of the software, including stealing stored data. And then we’ve got South River Technologies Titan MFT and Titan SFTP with multiple vulnerabilities, although with those there’s a bit of a mitigating factor in that they all require a user to first authenticate and also only work if the software is being used in a non-default configuration, so that last one is not a major issue in the grand scheme of things. But it’s clear that MFT as a category is not as secure as one might hope, considering what it’s doing: moving files around, and typically with a publicly-accessible endpoint
  • How are security researchers trying to outpace the attackers?
    • That work from Rapid7 is a great example of what’s being done, but he’s not the only one, since the MOVEit bug got so much attention. Another example, and this is also mentioned in the article that we’re linking to, is the Australian cybersecurity firm Assetnote, which alerted Citrix to a critical vulnerability in the ShareFile storage zones controller in its cloud-based secure file-sharing and storage service known as Citrix Content Collaboration. These applications are rightly under a lot of scrutiny, not in the sense that they’re inherently bad, but just because the stakes are so high
  • What about the efforts to eliminate flaws specifically as they relate to the four Clop campaigns?
    • Well, as so often is the case, the number one thing that everyone needs to do is to patch these things. All of those MFTs that we’ve talked about so far have patches out, so the good news here is that the vendors are being responsive
    • Now, it does have to be said that while the MOVEit vulnerability was disclosed this past June, there’s some evidence according to Kroll that it had been exploited as early as May of 2021—two years earlier. But at least now there are patches out for these things so everyone needs to, as the expression goes, do the needful
  • What are the “good cyber hygiene practices” users of secure file transfer products can use to defend themselves?
    • As a user, one of the things you might want to look for, and ask your IT department about if you don’t see it, is a separate authentication layer outside of just authenticating to the MFT application itself
    • So to explain how this might work, many firewalls or dedicated access control devices require that you first authenticate to them before you are then able to access the applications that are hosted behind them
    • We REALLY hope organizations aren’t just exposing the MFT endpoints with no firewalling in front of them. Another option is to use a corporate VPN to access these things, but then again we’re back to the admins rather than the end users taking care of that. So as an end user, yeah, look for that additional layer of authentication and make noise about it if you don’t see it
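The MOVEit Transfer bug described above was an unauthenticated SQL injection that let an attacker read and modify the application database. The example below is added for this recap and is not MOVEit’s code; it models the same shape of bug in a tiny file-transfer app backed by SQLite, with one endpoint that builds its query by string concatenation next to the same endpoint using a bound parameter. The tables, rows, password hashes and the `folder` parameter are all constructed.

```python
"""Unauthenticated SQL injection in a toy file-transfer app, next to its fix.
Added example modelling the class of bug behind the MOVEit Transfer story;
not MOVEit's code. Schema, rows and hashes are constructed."""

import sqlite3

ADMIN_HASH = "$2b$12$constructed.admin.hash"   # constructed, not a real hash


def build_db():
    """Constructed schema: user accounts plus file metadata."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE users (username TEXT, role TEXT, pwhash TEXT);
        CREATE TABLE files (folder TEXT, name TEXT, owner TEXT);
        INSERT INTO users VALUES ('admin', 'sysadmin', '{ADMIN_HASH}');
        INSERT INTO users VALUES ('alice', 'user', '$2b$12$constructed.alice.hash');
        INSERT INTO files VALUES ('public', 'brochure.pdf', 'alice');
        INSERT INTO files VALUES ('finance', 'payroll.xlsx', 'admin');
    """)
    return conn


def list_files_vulnerable(conn, folder):
    """Unauthenticated 'list a shared folder' endpoint, the bad way:
    the caller-controlled value is pasted straight into the SQL text."""
    sql = "SELECT name, owner FROM files WHERE folder = '" + folder + "'"
    return conn.execute(sql).fetchall()


def list_files_fixed(conn, folder):
    """Same endpoint with a bound parameter: the value reaches the engine
    as data, so it can never change the shape of the query."""
    sql = "SELECT name, owner FROM files WHERE folder = ?"
    return conn.execute(sql, (folder,)).fetchall()


# A crafted 'folder' value: closes the string literal, tacks on a UNION that
# pulls credentials out of an unrelated table, and comments out the rest.
PAYLOAD = "public' UNION SELECT username, pwhash FROM users --"


def demo():
    """Send the same payload to both endpoints and return what each leaks."""
    conn = build_db()
    return {
        "vulnerable": list_files_vulnerable(conn, PAYLOAD),
        "fixed": list_files_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    out = demo()
    print("vulnerable endpoint returned:", out["vulnerable"])
    print("fixed endpoint returned:     ", out["fixed"])
```

The vulnerable endpoint hands back every user’s password hash alongside the legitimate folder listing, which is the “disclosure of database content” step; the credentials recovered that way are what turns an anonymous request into privilege escalation. The fixed endpoint returns nothing for the same payload because there is no folder literally named after it.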
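The Clop discussion above makes the point that switching off Windows Defender is itself a signal if anything else on the host is watching. This added detection example is not from the page or from any vendor: it runs over constructed Windows event-log records exported as one JSON object per line and flags hosts where Defender went quiet. The field names are an assumption about the export format; the event IDs used are the standard Defender operational (5001, 5010, 5012) and Service Control Manager (7040) ones.

```python
"""Flag hosts whose Windows Defender was switched off, from a JSON-lines
export of Windows event logs. Added example; field names are an assumed
export format and the sample records are constructed."""

import json
from collections import defaultdict

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"

# Constructed sample export. FS01 shows the pattern we care about; WS07 is noise.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Computer": "FS01", "Channel": DEFENDER_CHANNEL, "EventID": 5001,
     "Message": "Real-time protection is disabled."},
    {"Computer": "FS01", "Channel": "System", "Provider": "Service Control Manager",
     "EventID": 7040, "Message": "The start type of the Microsoft Defender Antivirus "
                                 "Service service was changed from auto start to disabled."},
    {"Computer": "WS07", "Channel": "System", "Provider": "Service Control Manager",
     "EventID": 7040, "Message": "The start type of the Print Spooler service was "
                                 "changed from demand start to auto start."},
    {"Computer": "WS07", "Channel": DEFENDER_CHANNEL, "EventID": 1001,
     "Message": "Scan finished."},
])

# Defender operational events that mean protection was turned off.
DEFENDER_OFF_EVENTS = {
    5001: "real-time protection disabled",
    5010: "malware scanning disabled",
    5012: "virus scanning disabled",
}


def classify(event):
    """Return an indicator label for one event, or None if it is benign."""
    eid = event.get("EventID")
    if event.get("Channel") == DEFENDER_CHANNEL and eid in DEFENDER_OFF_EVENTS:
        return DEFENDER_OFF_EVENTS[eid]
    # 7040: a service start type was changed; only interesting for Defender.
    msg = event.get("Message", "")
    if (event.get("Provider") == "Service Control Manager" and eid == 7040
            and "Defender" in msg and "to disabled" in msg):
        return "Defender service start type set to disabled"
    return None


def defender_indicators(log_text):
    """Map each host to the distinct Defender-off indicators seen for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            hits[event.get("Computer", "?")].add(label)
    return {host: sorted(labels) for host, labels in hits.items()}


def hosts_to_escalate(log_text, min_indicators=1):
    """Hosts with at least min_indicators distinct Defender-off signals."""
    return sorted(host for host, labels in defender_indicators(log_text).items()
                  if len(labels) >= min_indicators)


if __name__ == "__main__":
    print(defender_indicators(SAMPLE_LOG))
    print("escalate:", hosts_to_escalate(SAMPLE_LOG))
```

The point of keying on these events rather than on the ransomware binary is that they fire before encryption starts, which is the window the recap says you actually want to catch. Raise `min_indicators` if a single Defender-off event is too noisy in an environment where admins legitimately toggle real-time protection.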

This Week’s Hoodie/Goodie Scale

It’s a Zero-Day in the Neighborhood

[Taylor]: 4.47/10 Hoodies
[Tim]: 3.5/10 Hoodies

I Like To MOVEit MOVEit

[Taylor]: 2.667/10 Hoodies
[Tim]: 4/10 Hoodies


That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!