SecurityScorecard Identifies Infrastructure Linked to Widespread MOVEit Vulnerability Exploitation

Executive Summary

• Following our initial efforts to identify detections and mitigations for the new vulnerability affecting the MOVEit file transfer service, SecurityScorecard has continued investigating the potential impacts of the exploit and identified a population of MOVEit servers that threat actors likely compromised.
  • Our continued investigation revealed the presence of the webshell involved in the exploitation at these servers, which is more likely than the use of an affected version of the product alone to indicate that a breach had occurred.
• SecurityScorecard’s network flow (NetFlow) and sensor data suggest that scanning activity started in early April.
• Target sectors include energy, healthcare, education, government, and retail.

Background

New disclosures regarding the widespread exploitation of CVE-2023-34362, a new vulnerability affecting the MOVEit file transfer software, and the Cl0p ransomware group’s claim of responsibility for its widespread exploitation and the resulting data theft, have continued in the weeks since the vulnerability’s original publication. Progress Software (the company that develops MOVEit) has disclosed two new vulnerabilities affecting MOVEit (CVE-2023-35036 and CVE-2023-35708) and prominent organizations in sectors including professional services, retail, communications, transportation, energy, and government (both federal and state) have confirmed that the campaign affected them.

Following our initial efforts to identify detections and mitigations for the new vulnerability affecting the MOVEit file transfer service, the SecurityScorecard Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team has continued investigating potential impacts of the exploit and further examined possibly affected IP addresses. The STRIKE Team leveraged the published indicators of compromise (IoCs) linked to the exploit, our exclusive network flow NetFlow) data, and SecurityScorecard’s in-house sensor network to identify additional infrastructure likely involved in attempts to target vulnerable servers.

Methodology

• Researchers used SecurityScorecard’s Attack Surface Intelligence data to identify possibly-affected IP addresses by searching for the MD5 hash tied to the affected version of MOVEit, 9DFFE2772E6553E2BB480DDE2FE0C4A6.
  • They then narrowed these results to IP addresses where they observed the webshell indicating potential compromise (/human2.aspx).
  • This resulted in a collection of 153 possible victim IP addresses.
• Researchers next collected traffic samples for the IP addresses where they observed evidence of the webshell and searched them for any appearances of IP addresses that had already appeared in the IoC collections published as part of other firms’ investigations into the exploit. Communication between known IoCs and a possible victim IP address could indicate a successful compromise.
• To identify patterns of behavior linked to the targeting of vulnerable MOVEit services, the STRIKE Team searched for the known IoC IP addresses in SecurityScorecard’s internal sensor data and collected additional traffic samples using them.
• Researchers finally extracted the IP addresses contained in the possible victims’ traffic samples and identified those IP addresses that communicated with multiple possible victims.
  • Traffic data indicating that the same IP address communicated with multiple possible victims’ IP addresses could indicate an attempt by a threat actor to target the same service.
  • To narrow these results further, the STRIKE Team searched for these overlapping IP addresses in our internal sensor data and identified those exhibiting the same behavior as the known IoCs.

Findings

Victimology

SecurityScorecard’s internal data appears to reflect the public reporting regarding affected organizations. Attack Surface Intelligence has detected the favicon hash at IP addresses attributed to state and federal government agencies in the U.S., regulatory agencies in the U.K. and Ireland, U.S. and European healthcare and health technology companies, global financial and professional services firms, and U.S. higher education systems. The STRIKE Team’s analysis of the available NetFlow data further indicated that many of the affected IP addresses also experienced suspicious traffic in the months leading up to the campaign’s discovery.

Distributed Scanning

The STRIKE Team observed scanning activity from 138.197.152[.]201, an IP address CISA identified as part of the CL0P campaign involving MOVEit. This activity started as early as April 13, 2023. On that date, 138.197.152[.]201 contacted an IP address belonging to a possible target organization in the retail sector. Although researchers detected the presence of the webshell at that possible target IP address as recently as June 7; the April 13 traffic could indicate that threat actors were scanning for vulnerable software versions well before that detection date. It also previously appeared in a traffic sample the STRIKE Team collected during an investigation against a city government claimed by the Royal ransomware group.

More recently, SecurityScorecard’s global sensor network has observed 138.197.152[.]201 scanning for human.aspx and human2.aspx (the MOVEit webshell indicators), presumably as part of an ongoing attempt to identify and exploit vulnerable servers. The STRIKE Team observed this host using the User Agent string Mozilla/5.0 zgrab/0.x, which could be part of the Go Application scanner included in the ZMAP network scanner project or simply forged to make it appear as a legitimate scanning tool. Searching our sensor data for other attempts to scan for human.aspx and human2.aspx and then searching for the IP addresses carrying out these scans in the available traffic samples revealed a network of at least 239 IP addresses involved in behavior identical to that observed from 138.197.152[.]201, indicating that they are involved in the same scanning activity as it.

Image 1: SecurityScorecard’s sensors revealed a unique global network of scanners targeting vulnerable MOVEit servers.

Three such scanners also appeared in possible victims’ traffic samples, likely reflecting a threat actor’s attempt to identify vulnerable targets. One scanner, 206.189.120[.]50, contacted a healthcare technology and services company’s IP address on June 4. This same IP address previously appeared in a traffic sample the STRIKE Team collected while investigating a recent disruption affecting a cold storage and logistics company, which strongly resembled a ransomware attack. Another, 167.99.13[.]19, communicated with a global human resources and staffing firm’s IP address on April 16. A third, 138.68.143[.]68, communicated with a U.S. higher education organization on April 3 and June 3, and appeared earlier in the same city government’s traffic sample as the IoC discussed above.

Researchers additionally observed two IP addresses named as IoCs related to exploitation of the new MOVEit vulnerability named in public research, 139.59.37[.]187 and 165.227.147[.]215, communicating with MOVEit servers belonging to victims in the government and higher education sectors. 139.59.37[.]187 communicated with a state government-attributed IP address on May 5 and a higher education-attributed IP address on May 17. 165.227.147[.]215 communicated with an IP address attributed to a different state government on June 7 and previously appeared in a traffic sample collected from a ransomware attack against a community college. The recency of the latter communication may suggest that threat actors are scanning for servers that have remained unpatched after the initial disclosure.

Further Exploitation & Data Exfiltration

A review of the traffic samples for the known IoC IP addresses revealed that two,  209.222.103[.]170 and 198.27.75[.]110, established lengthy connections with two victims’ MOVEit servers in the government and healthcare sectors on May 28th and 29th. The length of these periods of communication indicates extended interaction with the victims’ networks. More in-depth interaction with a victim network would likely involve attempts at data theft or lateral movement than mere scanning. This would, moreover, appear to be in keeping with these IP addresses’ observed behavior more generally, as none of the available NetFlow data indicates that they were involved in any scanning.

In addition to scanners, the STRIKE Team identified previously unreported infrastructure involved in other campaign stages. Researchers observed 202.70.133[.]147, an Indonesian IP address, connecting to a state government IP address where MOVEit has been in use for over five days. This behavior we observed appeared to be intended to extract or enumerate the SQL database (one of the end-results of the exploit) for the MOVEit server for this state government IP address.

The STRIKE Team also identified additional IP addresses that appear to be exfiltration destinations and did previously not appear in published IoC lists. 172.99.67[.]55 engaged in extended communication with two vulnerable MOVEit servers, one used by a pharmaceutical research and development company and the other by a large oil and gas firm. The oil and gas company and 172.99.67[.]55 communicated 180 times between April 11 and June 15 and 172.99.67[.]55 received two especially large data transfers, 2.48 and 1.57 GB, respectively, from this company MOVEit server on May 1 and May 3.

These transfers may be particularly likely to reflect exfiltration; they are considerably larger than the other transfers observed in this victim’s traffic sample. Large transfers are more likely to reflect exfiltration than others. 172.99.67[.]55’s communications with the pharmaceutical firm are both smaller and less frequent. That organization’s IP address transferred 12.98 MB to 172.99.67[.]55 over twelve flows between May 17 and June 6. This same IP address also appeared in traffic samples collected in investigations into ransomware attacks claimed by the Daixin and VSOP groups and the DDoS attacks claimed by KillNet, the pro-Russian hacktivist group.

While investigating it further, researchers determined that 172.99.67[.]55 likely serves as a proxy for traffic from various locations. SecurityScorecard’s Attack Surface Intelligence data indicates that the Squid HTTP proxy service is in use at port 3129 of 172.99.67[.]55, a domain indicating the use of a VPN has resolved to it in the past. A traffic sample focused on it revealed it to experience a large amount of traffic from various apparently unrelated sources, which could correspond to a VPN’s many different users. Among the IP addresses connecting to it, researchers observed thirty-six Russian IP addresses that communicated with it for extended periods, and seventeen were involved in transfers of 100 MB or more. Given the presumed Russian origins of Cl0p’s operators and associates, these IP addresses could be especially likely to reflect criminal activity associated with the campaign targeting MOVEit servers.

An IP address identified as a TOR exit node, 195.176.3[.]23, contacted a state Department of Revenue’s MOVEit server on June 7. Threat actors often use TOR to conceal the origins of malicious traffic, so this activity may reflect a threat actor’s attempt to access the vulnerable server. On June 14, that same vulnerable state government server made a series of file transfers to 204.251.175[.]199 ranging from 1.37 to 328.5 MB in size. This same possible exfiltration destination (204.251.175[.]199) previously appeared in traffic samples collected in investigations into the same city government ransomware attack mentioned above, an attack against an electronic health records vendor claimed by the BlackCat ransomware group, and other DDoS attacks KillNet has claimed.

These overlaps with earlier and more varied activity may suggest that these IP addresses serve as proxies through which multiple different threat actor groups have routed traffic over the course of different operations.

It further bears noting that many of these IP addresses have also appeared in traffic samples of previous victims of ransomware groups other than Cl0p, the ransomware group claiming responsibility for the exploit and resulting breaches, prior to the disclosure of the MOVEit exploit. These overlaps could reflect different cybercriminal groups’ use of the same infrastructure, as the pool of resources available for similarly malicious activity is ultimately finite, or they could reflect the same actor’s use of the same infrastructure to different ends in different incidents. As CISA has noted, Cl0p’s operators have shown themselves capable of playing a variety of different roles: they have operated a large, longstanding botnet (which may suggest that scanning infrastructure is easily accessible to them), have conducted their own ransomware-as-a-service (RaaS) operation for other affiliates and been affiliates of other RaaS operations, and have served as an initial access broker for other groups and been customers of other initial access brokers.

Conclusion

The available data may speak to broader patterns of behavior by the Cl0p ransomware group. Most broadly, it has previously exploited similar vulnerabilities in other products. In 2022-1, Cl0p claimed responsibility for a series of breaches stemming from the exploitation of a longstanding vulnerability in Accellion’s file transfer application. Earlier this year, the group leveraged a vulnerability in the GoAnywhere MFT file transfer service to steal data from an estimated 130 victim organizations. Our NetFlow data suggests that threat actors may have been scanning for vulnerable MOVEit servers as early as April 3, which may begin to hint at the extensive preparations that Cl0p underwent, to which estimates that the group had been developing the exploit since 2021 also speak. Meanwhile, the overlapping IP addresses observed in possible MOVEit victims’ traffic samples and those of victims of other ransomware groups could reflect the threat actors’ willingness to play different roles in different incidents.