Mandiant Said TTPs of Threat Group Behind Exploiting MOVEit Appear Similar to FIN11
Adversaries are taking advantage of a recently patched vulnerability in Progress Software’s managed file transfer product to deploy web shells and steal data.
An unknown threat actor began exploiting the critical SQL injection vulnerability in MOVEit Transfer on May 27 and in some cases has taken data within minutes of deploying the web shells.
Security researchers at Mandiant attribute the activity to a newly created threat cluster with unknown motivations dubbed UNC4857 that has gone after organizations across a wide range of industries based in Canada, India and the United States (see: Hackers Exploit Progress MOVEit File Transfer Vulnerability).
“The seemingly opportunistic nature of this campaign and subsequent data theft activity is consistent with activity that we’ve seen from threat actors, which means victim organizations could potentially receive ransom emails in the coming days to weeks,” Mandiant researchers wrote in a blog post published Friday.
Progress Software disclosed the vulnerability Wednesday and told Information Security Media Group on Thursday that it had provided instructions for immediate mitigation and released a patch to all MOVEit Transfer clients within 48 hours of identifying the vulnerability. The app development and infrastructure software vendor didn’t immediately respond to an ISMG request for comment on the Mandiant findings.
How Does the Exploit Work?
Following exploitation of the vulnerability, Mandiant said threat actors deploy a newly discovered web shell with filenames that masquerade as a legitimate component of the MOVEit Transfer software. The web shell has been uploaded to public repositories in countries such as Italy, Pakistan and Germany, which Mandiant said indicates the threat actor is likely going after organizations in those nations.
The malicious web shell can generate commands that spell out files and folders, retrieve configuration information and create or delete a user with a hard-coded name. Initial analysis from Mandiant suggests that the web shell is being used to steal data previously uploaded by users of individual MOVEit Transfer systems.
Mandiant said it’s aware of multiple cases in which large volumes of files have been stolen from victims’ MOVEit transfer systems. In addition, it said the threat group might be stealing files from Azure in cases in which victims are storing appliance data in Azure Blob storage.
Many of the hosts used to support these exploits hosted remote desktop protocol services with certificates generated between May 19 and May 22. Mandiant said this is suggestive of when infrastructure used as part of the attack might have been staged.
Who’s Exploiting the MOVEit Vulnerability?
Mandiant has noticed broad similarities between the tactics, techniques and procedures used by the threat group exploiting MOVEit and FIN11, a Russian-based financially motivated hacking group known for deploying Clop ransomware and threatening to publish exfiltrated data if no payment is made. Both the MOVEit hackers and a FIN11 cluster have used zero-day vulnerabilities to target file transfer systems.
Mandiant also recently observed at least one actor associated with Clop seeking partners to work on SQL injections. Mandiant said the exploitation of MOVEit Transfer is reminiscent of prior mass exploitation events targeting file transfer software, which ultimately led to FIN-11 attributed data theft extortion via the Clop data leak site.
Several weeks after stealing the data, Mandiant said FIN11 sent emails demanding an extortion payment in return for not publishing the data. Mandiant suspects the delay in ransom demands from FIN11 could stem either from wanting to extend the amount of time the zero-day vulnerability remained undetected or a lack of capacity to negotiate simultaneously with a large number of victims.
In conjunction with the blog, Mandiant on Friday released a 31-page MOVEit containment and hardening guide that provides guidance on containment measures, application and infrastructure hunting and logging and hunting recommendations. Mandiant said the recommendations mitigate the risk of future exploitation of this vulnerability and keep affected servers isolated from the rest of the environment.
“While we don’t yet know the motivation of the threat actor behind the initial wave of intrusions, organizations should prepare for potential extortion, publication of the stolen data, and victim shaming,” Mandiant Consulting Chief Technology Officer Charles Carmakal wrote on LinkedIn on Friday.