In Q3 2023, PwC’s Dark Lab responded to two incidents derived from exploitation of the zero-day vulnerability in Progress’ MOVEit File Transfer solution. Whilst exploitation of the zero-day is widely associated with Cl0p, deeper inspection of our second incident indicated another player was at hand.
PwC’s Dark Lab have been closely monitoring the mass exploitation of the MOVEit file transfer solution, responding to numerous incidents initiated via exploitation of the zero-day MOVEit Transfer and Cloud vulnerability,
CVE-2023-34362. The mass exploitation has been widely associated with the Cl0p Ransomware-as-a-Service (RaaS) group, due to their discovery of the zero-day and large-scale, opportunistic campaign impacting over 260 as of 1 August 2023. However, per our incident experience, we observe other malicious actors opportunistically leverage publicly available Proof-of-Concepts (PoCs) to infiltrate vulnerable MOVEit victims.
We release this blog post concurrent to Cl0p’s ongoing campaign to highlight PwC Dark Lab’s key observations through our incident experience across two MOVEit-related incidents, the first attributed to a Cl0p RaaS, and the second highlighting the opportunistic exploitation by other, less sophisticated cybercriminal actors.
Case Study 1: Cl0p’s Mass Exploitation of the MOVEit Zero-Day
In the incident responded to by PwC’s Dark Lab, a Cl0p affiliate conducted a single extortion attack, exploiting
CVE-2023-34362 and subsequently exfiltrate data directly from the MOVEit file transfer server over a 24-hour period of the initial infiltration. Based on our continuous monitoring of Cl0p’s campaign and their evolving techniques, we posit that the group’s next mass-exploitation campaign will remain significant in scale and speed, though will further enhance in sophistication as the group leverages the learnings from their ongoing campaign to improve operational efficiency by exploring means to better categorise compromised data.
The MOVEit File Transfer zero-day SQL injection vulnerability (
CVE-2023-34362) has been actively exploited by the Cl0p Ransomware-as-a-Service (RaaS) group since at least 27 May 2023 to deploy the human2.aspx web shell and subsequently exfiltrate data from the compromised MOVEit server.
Based on our incident experience in alignment with open source intelligence, we observed in alignment with open source intelligence (OSINT) that Cl0p’s MOVEit campaign to follow the following kill chain:
The malicious actor exploited
CVE-2023-34362 to bypass authentication and successfully infiltrate the compromised MOVEit server. This is evident by the malicious actor’s activities to deploy and use a web shell to interact with the systems from the external network. Through analysis of the inbound IP addresses, we observed (
5.252.190[.]0/24) to have a known association with the Cl0p RaaS.
Post-infiltration, the affiliate was observed to leverage the web shell to access the stored data in the application database of MOVEit application, and eventually obtained a privileged administrator account.
Persistence and Execution
Consistent with open source reporting of the Cl0p MOVEit campaign, the Cl0p affiliate deployed the
human2.aspx web shell on the compromised MOVEit system.
Collection and Exfiltration
Less than twenty minutes after the web shell deployment, the privileged admin account was leveraged to download data from the MOVEit server. Concurrently, a spike in outbound network traffic was detected at the perimeter firewall. Through data exfiltration analysis of the firewall logs, our incident responders ascertained the file size and nature of files (e.g. file name and extension), validating the spike to be indicative of the time of Cl0p’s data exfiltration to an external IP address.
Approximately two weeks after the data exfiltration, the victim was listed on Cl0p’s dedicated leak site “Cl0p^_LEAKS”, with compromised data leaked twelve (12) days after the victim was published. This contradicts Cl0p’s announcement post, as per Step 6, the group state “After 7 days all your data will start to be publication”.
Cl0p’s Victimology and Data Leakage Trends
As of 1 August 2023, we observed:
- 262 victims listed (15 removed, potentially indicative of the victim’s compliance with Cl0p’s demands)
- Of the 262 victims, 94% had their data posted by Cl0p on their dedicated victim pages, with approximately 6% of those victims experiencing multiple leaks – up to six (6) parts
- Cl0p repeatedly deviated from their self-assigned 7-day deadline – for example, on 11 July it was observed that three victims newly listed on 10 July had already experienced their data leaked. This is in contrast to the incident responded to by PwC’s Dark Lab whereby data leakage occurred twelve (12) days after the initial victim leaking, suggesting they likely encountered challenges with the large amount of data concurrently received in a short time frame, and hence may have experienced backlogs in sifting through and identifying meaningful compromises.
- From 10 July, we observed Cl0p update their dedicated victim pages, adding a new section ‘Some secret information files’, inclusive of screenshots compromised files allegedly obtained via their exploitation of the MOVEit vulnerability. This indicates Cl0p’s adaptive nature, likely as an attempt to apply added pressure to victims to entice them to meet ransom demands.
Based on the victimology of Cl0p’s ongoing MOVEit campaign, we assess their targeting to be opportunistic in nature, as reflected in the distribution of victims across multiple sectors and geographies. However, we observe approximately 65% of total disclosed victims are based in the United States which is consistent with OSINT location distribution of MOVEit servers observed via passive scanning, the United States makes up approximately 72% of total Internet-facing MOVEit instances.
Whilst likely opportunistic, we also observe a potential alignment to trends that RaaS groups with Russian-links are electing to target Western-allied nations. Though RaaS groups and cybercriminals are opportunistic in nature, heightened targeting of Western-allied nations in 2023 suggest the impact of the war and allegiance potentially plays a role in their actions. As such, Cl0p may have intentionally shortlisted the MOVEit file transfer solution for their mass exploitation campaign based on the location distribution of MOVEit servers, observing the solution to be predominantly leveraged in Western-allied nations.
Further, it should be noted that this campaign is not the first instance of Cl0p targeting file transfer solutions. In February 2023, Cl0p was also responsible for the mass automated exploitation of a previous zero-day vulnerability within a third-party file transfer product, Fotra’s GoAnywhere Managed File Transfer (CVE-2023-0669). Prior to this, the threat actor also claimed responsibility for another mass exploitation of another file transfer software in the form of multiple CVEs impacting Accellion File Transfer Application in 2020. Given Cl0p’s historic targeting of file transfer software, and consistencies observed across campaigns, we posit that Cl0p will continue to opportunistically seek and exploit zero-day vulnerabilities in file transfer solutions, given their storage of sensitive information.
Furthermore, we observe via OSINT that multiple organisations were compromised by Cl0p despite not leveraging the MOVEit File Transfer solution in downstream attacks following the compromise of their third-party contractors’ MOVEit application. This highlights the impact of third-party risks, as we observe via our incident experience and OSINT that threat actors are continuously seeking opportunities to expand their victim targeting to maximise efforts (e.g. infiltrating new victims via compromised valid vendor accounts).
Case Study 2: Not the Only Player Making Moves
As hypothesised in our Forecast of the Cyber Threat Landscape blog post, we observe via in this incident as well as our continuous monitoring of zero-days and actively exploited vulnerabilities, that threat actors are rapidly weaponising Proof-of-Concepts (PoC) and exploit codes upon their availability to compromise temporarily vulnerable systems.
Upon the release of a PoC for CVE-2023-34362, PwC’s Dark Lab hypothesised that the vulnerability would swiftly be exploited by other opportunistic threat actors, given the ease of exploitation and ability for an unauthorised remote attacker to gain unauthorised access to potentially sensitive information stored in the vulnerable MOVEit instances. This was observed in a second incident responded to by PwC’s Dark Lab, which displayed multiple inconsistencies with Cl0p’s typical attack path.
In this incident, the victim’s MOVEit servers were subject to vulnerability scanning by a suspected Cl0p affiliate, based on the use of IP addresses with known association with the Cl0p RaaS group. However, no further actions were observed to be conducted by the Cl0p affiliate following their exploitation attempts (e.g. no web shell deployment or data exfiltration).
Two weeks later, a separate malicious actor (46.3.199[.]72) was observed to perform brute-forcing and argument fuzzing to attempt exploitation against the victim’s MOVEit servers. Post-exploitation of CVE-2023-34362, the threat actor performed unauthorised account and folder creation, shortly followed by folder and account deletion, but was unable to deploy malware or proceed with their attack.
Based on our investigation of the available logs and comparison against Cl0p’s known known attack path per our first incident and also aligned with the OSINT described in the overview, we assessed with high confidence that the incident was performed by an unsophisticated financially-motivated cybercriminal actor executed the cyber-attack against the victim using a publicly available PoC.
To validate our hypothesis and remove potential biases, we leveraged the Richard Heuer’s Analysis of Competing Hypotheses (ACH) methodology.
|Evidence||Description Related to Incident||Credibility||Relevance||Evidence Type||H1 – Cl0p affiliate that is financially motivated||H2 – A sophisticated threat actor motivated by political or social cause||H3 – An unsophisticated financially-motivated cybercriminal actor|
|Use of MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362)||We observed via review of the IIS logs that this vulnerability was leveraged to achieve initial access.||High||High||Secondary||Consistent||Consistent||Consistent|
|MOVEit Transfer vulnerabilities are relatively easy to weaponize given publicly available Proof of Concepts (PoCs)||We observed via OSINT the availability of multiple PoCs, indicative that threat actors are weaponizing the exploit. Whilst we did not attempt to validate the effectiveness of the PoCs, the fact there are POCs available on the open source suggests that threat actors of lowered capability can weaponize it.||High||Medium||Dark Lab Assessment||Consistent||Consistent||Consistent|
|IP address 46.3.199[.]72 and its related IP addresses are related to Cl0p and affiliates||We observed that the IP addressed utilized to achieve successful initial access was not attributed to Cl0p affiliates, based on various OSINT reports.||Medium||High||Primary||Inconsistent||Inconsistent||Consistent|
|Capability to perform SQL injection||We observed via review of the IIS logs that the threat actor had sought to perform SQL injection.||Medium||Medium||Primary||Consistent||Consistent||Consistent|
|Use of automated tools within Burp Suite (e.g., Repeater) that indicates brute forcing, fuzzing and crawling||We observed from reviewing the IIS logs that the threat actor had likely leveraged Burp Suite to perform standard SQL injections. This is based on the review of production server’s IIS logs in which we observed the User-Agent content to be similar to Burp Suite’s Repeater feature. Meanwhile, review of the testing database logs revealed that the threat actor performed around 800 actions within a short timeframe of 40 minutes, with some just 0 or 1 seconds apart, with parameters such as “onmouseover=“ and “print(md5(31337))” being observed. These are commonly observed attacks for SQL injection and/or cross site scripting being performed using Burp Suite. The performance of multiple actions in an accelerated manner with parameter contents that are generic in nature provided us with evidence that there was automated tools such as Burp Suite and potentially open source scripts leveraged to perform these malicious activities.||Medium||Medium||Dark Lab Assessment||Not Applicable||Inconsistent||Consistent|
|No evidence of lateral movement that is consistent with Cl0p’s MOVEit campaign||We have not observed from the generic attack path by Cl0p RaaS affiliates that there would be lateral movement in victims’ environments.||High||High||Primary||Consistent||Inconsistent||Inconsistent|
|No evidence of data exfiltration||We have not observed any data exfiltration based on our DFIR investigations and continued review of the Cl0p leak site.||High||High||Dark Lab Assessment||Inconsistent||Inconsistent||Consistent|
|Victim was listed on Cl0p’s leak site as of the time of investigation||Through our continuous monitoring of the Cl0p leak site, we observed that victims continue to be listed up to two (2) months after the original SQL Injection vulnerability (CVE-2023-34362) was disclosed. Given the lengthy time from exploitation to date, combined with the lack of data exfiltration during our investigation, we conclude that this behaviour is largely inconsistent with a Cl0p affiliate.||High||High||Secondary||Inconsistent||Not Applicable||Not Applicable|
Cl0p’s mass exploitation of the MOVEit zero-day represents the continuous evolution of the cyber threat landscape and the increasing sophistication of financially-motivated cybercriminals. Per our 2023 Forecast of the Cyber Threat Landscape blog post, cybercriminals are weaponising exploits at an increasingly fast rate and scale to bypass heightened controls. This is reflected in the sheer volume of zero-days exploited in 2023 thus far, with 54 zero-day vulnerabilities discovered between 1 January 2023 and 1 August 2023 alone, compared to 52 zero-days discovered during 2022. However, whilst exploits are happening faster – as predicted – and threat actors persist with single extortion attacks for speed, we observe through Cl0p’s campaign that they are largely relying on manpower to sift through troves of data at the time of writing, which may cause operational backlog. We posit that Cl0p will improve this aspect in future exploitation, possibly through data classification or generative artificial intelligence (AI).
Further, we posit that Cl0p will continue to target Internet-facing web applications with mass file transfer capabilities, following two widely-reported incidents regarding GoAnywhere MFT and MOVEit File Transfer systems.As a result, it is critical that organisations proactively identify their Internet-facing web applications with such features and apply the necessary hardening measures to limit the impact of potential incidents.
As organisations increasingly harden their security posture, malicious actors are ramping their speed of exploitation to capitalise on their momentary vulnerability susceptibility until a patch is deployed. This places increasing pressure on organisations to enforce stringent preventive and detective controls to provide a layered defense to counter exploitation attempts by malicious actors and minimise the threat of supply chain risks.
- Organisations should identify Internet-facing web applications with such features and perform the necessary hardening (e.g., MFA, privilege rights management, file encryption, remediation against findings from OWASP Top 10 testing) to limit the impact of potential incidents.
- Harden Internet-facing web applications with file transfer capabilities – including tightening access controls, file encryption, and remediations against findings from the OWASP Top 10 Web Application Security Risks.
- Enhance access controls to file transfer solutions such as MOVEit to restrict unauthorised users from obtaining access to critical information. This may include,
- Enabling multi-factor authentication (MFA) for file transfer solutions.
- Reducing the exposure of file transfer solutions (e.g. disable HTTP/S connections, or restricting access to only necessary endpoints).
- Reviewing and enhancing privileged access permissions to restrict and limit users accessing the systems (e.g. geofencing to restrict administrative access from only authorised geolocations).
- Tightening outbound traffic rules to restrict cross-country network traffic and unsolicited destinations, to further minimise the risk of unauthorised data exfiltration.
- Applying heightened access controls and segment critical infrastructure from the internal network.
- Ensure your patch management program includes procedures to escalate patching of critical vulnerabilities or appropriate temporary measures to mitigate your susceptibility to exploitation until the official patch can be applied.
- Regularly review perimeter network firewall rules and application controls to reduce service exposure to the Internet.
- Periodically perform simulation testing (e.g. red team or purple team exercise) to identify potential enhancement areas to further harden your organisation’s cybersecurity posture and reduce your attack surface exposure.
- Leverage an Endpoint Detection & Response (EDR) solution capable of detecting advanced techniques at a host-based status, as well as ingestion of other threat intelligence signatures.
- Ensure detection signatures for firewall and anti-virus solution(s) are maintained up-to-date, with ingestion of other threat intelligence signatures.
- Consider implementation of a File Integrity Monitoring (FIM) solution on backend servers (e.g. IIS) to monitor for anomalous file modification activity (e.g. file creation, modification, or deletion).
- Conduct a search of historical logs to detect for any potential presence in your network environment, ensuring that an alert system is established should any indicators be identified. If any indicators are discovered, it is advised that a digital forensic investigation is conducted to identify the potentially foregone impact, including the compromised information and systems, and apply the appropriate containment and remediation measures.
MITRE ATT&CK TTPs Leveraged
We include the observed MITRE ATT&CK tactics and techniques from the two incidents:
Case Study 1: Cl0p RaaS Affiliate
- T1595 – Active Scanning
- T1190 – Exploit Public-Facing Application
- T1136 – Create Account
- T1505.003 – Server Software Component: Web Shell
- T1069 – Exploitation for Privilege Escalation
- T1078 – Valid Accounts
- T1567 – Exfiltration Over Web Service
Case Study 2: Unsophisticated, Financially-Motivated Cybercriminal
- T1595 – Active Scanning
- T1190 – Exploit Public-Facing Application
- T1136 – Create Account
- T1565 – Data Manipulation
Indicators of Compromise (IoCs)
Case Study 1: Cl0p RaaS Affiliate
|220.127.116.11||Cl0p IP address used for exploitation files|
|18.104.22.168||Cl0p IP address used for exploitation files|
|22.214.171.124||Cl0p IP address used for exploitation files|
|126.96.36.199||Cl0p IP address used for exploitation files|
|188.8.131.52||Cl0p IP address used for exploitation files|
|184.108.40.206||Cl0p IP address used for exploitation files|
|220.127.116.11||Cl0p IP address used for exploitation files|
|18.104.22.168||Cl0p IP address used for exploitation files|
|22.214.171.124||Cl0p IP address used for exploitation files|
|126.96.36.199||Cl0p IP address used for exploitation files|
|188.8.131.52||Cl0p IP address used for exploitation files|
|184.108.40.206||Cl0p IP address used for exploitation files|
|220.127.116.11||Cl0p IP address used for exploitation files|
|18.104.22.168||Cl0p IP address used for exploitation files|
|22.214.171.124||IP address used for download files|
Case Study 2: Unsophisticated, Financially-Motivated Cybercriminal
|5.252.189[.]75||Cl0p IOC IP address|
|5.252.190[.]54||Cl0p IOC IP address|
|5.252.190[.]71||Cl0p IOC IP address|
|5.252.191[.]52||Cl0p IOC IP address|
|5.252.191[.]68||Cl0p IOC IP address|
|46.3.199[.]72||Threat actor IP address|
|wrbeirqx||Account created on MOVEit testing and production database|
|xfs.bxss.me||Account created on MOVEit testing database|
|print(md5(31337))||Command potentially indicating attempted SQL injections or cross site scripting using Burp Suite|
Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.