Webinar Replay: Lessons Learned from 50+ MOVEit IR Investigations

Organizations were not able to prevent data exfiltration. They were only able to catch it early and then mitigate the threat.

When the threat actors used the second method for data exfiltration a lot of times, they would take that data, compress it on the MOVEit server and then send it out. For the data exfiltration, the open session was fire and forget; they literally pointed at the directories and said, "Go.” The MOVEit server itself handle that data exfiltration, and it became a one-to-one broadly across the 95 percentile exfilteration method. It was a one-to-one replication from the MOVEit server up to CLOP’s cloud storage.

So what we saw was when the threat actors use the second method, a lot of times that they would actually take that data, compress it on the MOVEit server and then send it out. For the data exfiltration, the open session, really it was a fire and forget, they literally pointed at the directories and said, "Go." And just let the MOVEit server itself handle that data exfiltration. And so it really became a one-to-one across broadly across that 95 percentile, we just saw it was a one-to-one replication from the MOVEit server up to Clops cloud storage.

That is one of the key takeaways; data that has been transmitted or transferred or up for a duration of time should be removed from the data server. Proper data pruning is something that can reduce that risk.

During investigations when we analyzed the database, we could see which data had been transferred. We did not necessarily investigate which data had been transferred and which data was stored, the goal was to identify data at risk. I can say that some of the data that we saw in the service did go back for quite some time and probably would have expired out of a portal if there were some policies in place.

Endpoint detection response (EDR) is not going to prevent a zero day where threat actors leverage the infrastructure in place to execute an attack. However, EDR is quite good at catching and identifying that activity early. Organizations that had EDR or Managed Detection Response (MDR) were able to identify that suspicious activity and then were able to transfer and cut off that activity.

One of the activities that we saw them catch was the web shell. When a web shell drops and is called, that web shell is compiled into a binary DLL (Dynamic Link Libraries) on that server and that is executed from there. So, EDR tools were able to catch the execution of that DLL as an executable.

MOVEit is an application that is approved for government use and uses encrypted data at rest. So, the files that are on the MOVEit server are encrypted and have a private key that is stored in the MOVEit database to decrypt that data.

In the MOVEit server, when there is a session and someone logs in and says, "Transfer me this file." The file is taken, the MOVEit application decrypts that file, and it sends the user the decrypted file. The threat actors had to know the API calls to be able to do that manually, but they discovered that by letting the MOVEit application do all the decryption for them, they could get that data out quicker. If there was some other layer of encryption, it would help in minimizing the impact.

E.g., If you took a file, wrapped it in your private key, stored it on the MOVEit server where it was encrypted with the MOVEit server's key and transferred that data, then yes, the client would get it in its encrypted state. However, you would have to transfer the key to the client to be able to decrypt that data. However, that's above and beyond what you would consider normal or expected.

Customers that had EDR/MDR were able to identify and react quicker than the teams that did not. This attack happened over Memorial Day weekend, so you have a lot of teams that are disengaged, a lot of teams that are spending time with family or a lot of teams that have a skeleton crew.

Even though the team is away, the employees that had MDR and a 24-hour monitoring Security Operation Center (SOC) that would respond to alerts were the ones that they were able to identify it, react, be able to quarantine and isolate that server and take that server down, however, they chose to respond. So, even though CLOP got all the way through to mission execution and started exfiltrating data, teams with MDR/EDR saw a lot less data leave their environment than the teams that didn't have MDR/EDR in place.

The MOVEit application has two components: one is a backend database component, and the other is a frontend web server; those are the two pieces that we were able to pull at Kroll. When we do MOVEit analysis, we would grab the server or grab a backup of the database and then grab the actual frontend web server.

In 2021 when we got a hold of the web servers, we were able to see a lot of failed requests to different .aspx files which were not guest access .aspx, meaning threat actors are looking for the ones they can access, and we see them trying to get in a lot of different types of .aspx files, a lot of JavaScript calls. They were calling them in a lot of different ways. All the normal ways that we see threat actors doing this except the source IP addresses. Looking backwards, we were able to see that those IP addresses were connected to CLOP even though at the time it just looks like the normal internet-scanning that you see broadly whenever you attach a device to the internet and has an open interface, it's going to get some type of scanning, probing, type of activity. Looking backwards, we could identify those IP addresses and realized that that was CLOP in 2021.

By April 2022, what we saw was threat actors calling guest access .aspx and passing in a very specific variable that was very consistent with the CLOP gang. The actual exploit is a chain of six calls that gets them what they want, and by April 2022, we saw the threat actors calling the first couple of calls and then getting, returning the organization ID.

From April 2022, all the way up until the MOVEit attack, up into a week or two before the attack, we see them using the same technique. They were likely testing and developing their automation scripts for making it all work and then really on the 27th was when we saw them gain access, and then leverage that access across the board. That's really when we saw them using it broadly.