As part of our ongoing efforts to support our clients, the Pondurance team hosts a webinar to keep clients current on the state of cybersecurity.
Over the past few months, the team discussed notable vulnerabilities and trends, provided a threat intelligence review, and explained some recent threat hunting tactics.
Threat Intelligence Review
The Senior Manager for the Security Operations Center discussed a cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency that warned about a recent vulnerability exploit by the CL0P ransomware gang, also known as TA505. TA505 exploited a previously unknown SQL injection vulnerability in MOVEit Transfer, Progress Software’s managed file transfer solution. TA505 infected MOVEit web applications with LemurLoot, a web shell written in C#, and then stole data from the MOVEit databases.
The Senior Manager provided background information on CL0P ransomware and TA505. TA505, known for frequently changing malware and driving global trends in criminal malware distribution, is considered one of the largest phishing and malspam distributors worldwide. The threat actor has compromised more than 3,000 U.S.-based organizations and 8,000 global organizations since 2019.
In addition, they detailed the malware tools that CL0P ransomware uses to collect information, including the Flawed Ammyy/FlawedGrace remote access trojan (RAT), SDBbot RAT, TruBot, Cobalt Strike, DEWMODE, and LemurLoot.
The Vulnerability Management Team Lead reported that as many as 2,400 total vulnerabilities were disclosed in May, and 16 of them were deemed high risk. There were seven zero-day vulnerabilities in May. One of the seven was an attack on MOVEit, and two others were SQL injection vulnerabilities that allow unauthorized access to the MOVEit database.
On June 5, TA505 took responsibility for the zero-day vulnerability attack on MOVEit. TA505 threatened that victims must contact the group by June 14, presumably to obtain some financial transfer information, or else the threat actor will publish the victims’ names — and some names have indeed been published.
Patches are available for all three of the MOVEit-related vulnerabilities. The Team Lead reminded clients that more than one announcement and patch release for a vulnerability may be necessary because researchers sometimes discover new information about a vulnerability following the initial patch release.
“You have to keep on top of patching,” said the Vulnerability Management Team Lead. “You could patch the first one and then, lo and behold, a few weeks later, there’s an additional patch released that you’re going to have to go and apply.”
He also recommended three mitigation strategies to employ if you’re using MOVEit but are unable to immediately patch the product:
- Modify your firewall rules to deny traffic on ports 80 and 443 to MOVEit
- Allow traffic to your MOVEit infrastructure only from known and approved IP addresses
- Enable multifactor authentication (MFA) on your MOVEit system to reduce the risk of compromise
Threat Hunting Tactics
The Security Operations Center Team Lead continued the discussion of CL0P ransomware, SQL injection attacks, and MOVEit. In addition, he explained how to protect against search engine optimization (SEO) poisoning and business email compromise (BEC) exploits.
With so much recent malicious activity, he offered specific actions that organizations can take to defend against CL0P ransomware attacks including:
- Take an inventory of your assets and data. If you don’t know what your inventory looks like, it’s hard to determine what is potentially malicious in your environment.
- Grant administrative privileges and access only when necessary. Make sure that your administrative privileges are restricted as much as possible.
- Monitor network ports, protocols, and services. Also activate general security configurations on network infrastructure devices.
- Regularly patch and update software and applications to their latest versions. Make sure patches and patching cadences are kept up to date.
Next, the Security Operations Center Team Lead explained the seven steps of the cyber kill chain of an SQL injection sequence. To defend against these steps, he described how the Pondurance team builds out and hunts for specific logs, response codes, POST commands, accesses to and from web shells, and many other tactics, techniques, and procedures. If positive hits are found, the team communicates the information to clients and performs further research. As always, the team must move quickly because threat actors will weaponize the vulnerabilities as fast as possible to get initial access.
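The hunt for web shell access described above, as an added example that is not the Pondurance team's own tooling: it scans IIS-style W3C log lines for POST requests to script endpoints the application is not known to serve, which is how a planted web shell shows up in web server logs. The log lines, paths, IPs and baseline endpoint list are constructed for this example.

```python
"""Hunt for web-shell-style access in web server logs (added example).

A web shell appears as POST requests to a script path the application
never exposed, so the hunt compares every POST against a baseline of
known endpoints. All sample data below is constructed.
"""
from collections import defaultdict

# Constructed W3C field order used by the sample lines.
FIELDS = ["date", "time", "s_ip", "method", "path", "query", "port",
          "user", "client_ip", "user_agent", "status"]
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".php", ".jsp")

# Endpoints the application is known to expose (constructed baseline).
BASELINE_PATHS = {"/app/login.aspx", "/app/upload.aspx", "/app/api/v1/files"}

SAMPLE_LOG = """\
2023-06-01 10:00:01 10.0.0.5 POST /app/login.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2023-06-01 10:00:09 10.0.0.5 GET /app/upload.aspx - 443 jdoe 198.51.100.7 Mozilla/5.0 200
2023-06-01 10:02:13 10.0.0.5 POST /app/status.aspx - 443 - 203.0.113.44 python-requests/2.31 200
2023-06-01 10:02:15 10.0.0.5 POST /app/status.aspx - 443 - 203.0.113.44 python-requests/2.31 200
2023-06-01 10:03:00 10.0.0.5 GET /app/api/v1/files - 443 jdoe 198.51.100.7 Mozilla/5.0 200
"""

def parse_line(line):
    """Split one W3C-style line into a dict; None for blank/comment/odd lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def hunt_webshell(lines, baseline=BASELINE_PATHS):
    """Return suspected web-shell endpoints: POSTs to script paths outside
    the baseline, aggregated per (client IP, path) with a hit count."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "user_agent": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        path = ev["path"].lower()
        if not path.endswith(SCRIPT_EXT) or path in baseline:
            continue
        h = hits[(ev["client_ip"], path)]
        h["count"] += 1
        h["first_seen"] = h["first_seen"] or f'{ev["date"]} {ev["time"]}'
        h["user_agent"] = ev["user_agent"]
    return [{"client_ip": ip, "path": p, **v} for (ip, p), v in sorted(hits.items())]
```

In the sample, the two POSTs to `/app/status.aspx` from 203.0.113.44 are the only hits; the baselined login POST is ignored.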
“Threat actors are in the business just as much as everybody else is — although they’re the attacking side, and we’re the defending side — but ultimately, they do want to make money,” said the Team Lead. “So any way that they can forcibly extort money from someone, they’re going to figure out a way to do that to stay in business.”
He also discussed how the team recently defended a client against SEO poisoning. He explained how SEO poisoning creates another avenue for threat actors to get malicious infrastructure onto an endpoint and discussed ways the team is protecting against and preventing SEO poisoning, including:
- Implementing typosquatting protection procedures using digital risk monitoring tools
- Using indicators of compromise lists that can provide information about suspicious website behavior and content, anomalous search engine rankings, phishing attempts, and unexpected changes in website traffic
- Upgrading security software and establishing rigorous web filtering procedures
- Providing user security training and awareness to reduce the chance that employees will fall prey to attacks
In addition, the Security Operations Center Team Lead addressed the rise in BEC exploits. With BEC, the threat actor gains access to an account and establishes persistence using new MFA devices, new inbox rules, and other means of obfuscation. To prevent BEC exploits, the team recommends deploying number-matching MFA for all accounts, wherever possible, and providing ongoing internal training to educate users on the dangers of phishing.
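The BEC persistence pattern described above (a sign-in from an unfamiliar source followed by a new MFA device or a new inbox rule), as an added detection example that is not the Pondurance team's own tooling. The audit event format, action names, account names and IPs are constructed for this example; a real identity provider or mail platform would supply equivalent sign-in and configuration-change events.

```python
"""Flag BEC-style persistence in account audit events (added example).

After a sign-in from an IP the account has never used, an MFA method
registration or inbox rule creation inside a short window is the
persistence pattern described above. All data below is constructed.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)
PERSISTENCE = {"mfa_method_added", "inbox_rule_created"}

# Constructed sign-in history and audit trail for two accounts.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.9"}}
EVENTS = [
    {"time": "2023-06-05T08:00:00", "user": "alice", "action": "login", "detail": "198.51.100.7"},
    {"time": "2023-06-05T08:05:00", "user": "alice", "action": "inbox_rule_created", "detail": "move newsletters"},
    {"time": "2023-06-05T23:10:00", "user": "bob", "action": "login", "detail": "203.0.113.44"},
    {"time": "2023-06-05T23:14:00", "user": "bob", "action": "mfa_method_added", "detail": "authenticator app"},
    {"time": "2023-06-05T23:20:00", "user": "bob", "action": "inbox_rule_created", "detail": "delete subject:invoice"},
]

def find_bec_persistence(events, known_ips, window=WINDOW):
    """Return {user: {"login_ip": ip, "actions": [(action, detail), ...]}}
    for every persistence action that follows an unfamiliar-IP sign-in
    by the same account within `window`."""
    findings = {}
    suspicious_logins = {}  # user -> (time, ip) of latest unfamiliar sign-in
    for ev in sorted(events, key=lambda e: e["time"]):
        user, t = ev["user"], datetime.fromisoformat(ev["time"])
        if ev["action"] == "login":
            if ev["detail"] not in known_ips.get(user, set()):
                suspicious_logins[user] = (t, ev["detail"])
            continue
        if ev["action"] in PERSISTENCE and user in suspicious_logins:
            login_t, ip = suspicious_logins[user]
            if t - login_t <= window:
                f = findings.setdefault(user, {"login_ip": ip, "actions": []})
                f["actions"].append((ev["action"], ev["detail"]))
    return findings

if __name__ == "__main__":
    for user, f in find_bec_persistence(EVENTS, KNOWN_IPS).items():
        print(user, f["login_ip"], [a for a, _ in f["actions"]])
```

Alice's inbox rule after a sign-in from her usual IP is not flagged; Bob's MFA registration and invoice-deleting rule minutes after a sign-in from an unfamiliar IP are.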