Detecting Suspicious Activity within the MOVEit Environment and General Responses to Data Exfiltration

In light of the recent vulnerabilities (CVE-2023-34362) and (CVE-2023-35036) affecting our MOVEit Transfer and MOVEit Cloud products, we want to help provide our customers with information to help them react quickly to potential risks to the MOVEit Transfer and MOVEIt Cloud vulnerabilities. To better equip those that may have been impacted, directly or indirectly, we have also included general recommendations from leading industry experts and our partners in the security and threat intelligence communities that will help you better detect and respond to any potential data exfiltration. Note that we provide this blog post for informational purposes only. This should not be considered legal advice and Progress encourages you to consult with your own legal counsel.

It is incredibly important that our MOVEit Transfer and MOVEit Cloud customers read and follow the recommended guidance available on our Security Center, if they have not done so already. Furthermore, for customers leveraging Microsoft Defender for Endpoint and/or Rapid7’s Velociraptor open-source endpoint monitoring and forensics platform, you can find hunting queries below to detect associated activity with this exploit.

As additional information from the security community is shared, we will continue providing updates.

Detecting for Activity

For our MOVEit Transfer customers, we strongly suggest working alongside your security vendors to help detect the identified Indicators of Compromise (IoCs) listed in the MOVEit Transfer Knowledge Base article. You may also refer to Mandiant’s MOVEit Containment and Hardening Guide.

To help organizations detect the precursors of a typical data exfiltration attack, there are varying indicators your security and/or IT teams should monitor for, including: searching your DNS logs, searching endpoints for installed software and process telemetry, threat intelligence for malicious IP addresses, amongst others. You may refer to the InfoSec Institute's Network Analysis for Data Exfiltration article.

Advanced Hunting for Microsoft Defender and Velociraptor Customers

• For Velociraptor Consumers: Please see Velociraptor MOVEit CVE-2023-34362 Detection.
• For Microsoft Defender for Endpoint Customers: The following sample query lets you search for a week's worth of events. To explore up to 30 days' worth of raw data to inspect events in your network and locate potential PhantomShell-related indicators (Microsoft termed name for the MOVEit Transfer exploitation associated activities) for more than a week, go to the Advanced Hunting page > Query tab and select the calendar dropdown menu to update your query to hunt for the Last 30 days. 

To locate possible exploitation activity, run the following queries in your Microsoft 365 security center. 

• Check for MOVEit Transfer Installations: Determine whether MOVEit Transfer is installed or not. Run query
• Find Lace Tempest activity: Search for the malicious web shell specific to the Lace Tempest activity running under the w3wp.exe process. Run query 
• Find generic web shell creation: Search for generic web shell creation after the release of the exploit. Run query 
• Find network connections: Search for the network indicators of compromise (as listed in the MOVEit Transfer Knowledge Base Documentation) Run query 

General Response to Data Exfiltration

If you believe that you have been the victim of a cybercrime, please consider the actions set forth below. We also recommend that you check your spam filters for any inbound messages from the potential "threat actors" to avoid missing any important communications. Please note that this is not intended as legal or regulatory advice and is not an exhaustive list or playbook. Rather, it includes suggestions based upon advice from trusted cybersecurity experts. Any suggestions listed are subject to further advice from your legal counsel and/or other third-party advisors:

• Engage with experts. The experience of seasoned cybersecurity vendors and legal counsel can be critical, and this article is not intended to offer any legal or regulatory advice.
• Follow notification requirements, as may be outlined in your cyber incident response, business continuity (BC), disaster recovery (DR) and communications plan, etc. to engage internal and external teams and stakeholders with an understanding of what steps can be taken in order help you mitigate, respond to and recover from an incident. Ensure all stakeholders are clear on the steps outlined, and where to access copies if needed. If your organization does not have a crisis plan prepared, there are a plethora of available free resources such as the National Cybersecurity Alliance’s Responding to Cyber Incidents.
• Engage with third-party incident response and forensics firms to share any concern over potential data exfiltration. It is best practice to have a relationship and contract retainer in place with these types of firms before you have an urgent need for them.
• Define if and how your local cybercrime law enforcement field office should be updated, if you believe you have been a victim of an online crime and as advised by your legal counsel.
• For U.S. private sector and other non-federal owners and operators of critical infrastructure, FBI, CISA or other similar organizations may be able to assist and offer their incident response services; learn more here.
• For EU related concerns, you may report cybercrime online through Europol as advised by your legal counsel.

Additional Security Measures

To better prepare your organization for potential data extortion against you or your customers, we encourage you to review the below guidance that we have received from trusted third-party service providers and implement certain measures as best suited for your specific organizational needs. Please note, these are not considered mitigation or prevention steps to the above-mentioned vulnerability, but rather cautionary steps aimed at helping you reduce risk and enable a quicker recovery. Again, this is not intended legal or regulatory advice and is not intended to be an exhaustive list, but instead are suggestions based upon advice that Progress has received from trusted cybersecurity firms. Any suggestions listed are subject to further advice from your legal counsel and other third-party advisors.

• Review your cyber insurance policy with your respective legal and finance teams, to evaluate whether it includes coverage for exfiltrated data and extortion. Consider adding it to your policy if it aligns with your organizational objectives and priorities.
• Educate your workforce on how to detect phishing emails. It is important that all your employees know where to report their security concerns, and how to submit suspected phishing emails to their security and/or IT teams. For security awareness resources to share with your workforce, visit SANS.org Free Resources and StaySafeOnline.org Resources and Guides.

To keep abreast with updates regarding this situation, we encourage subscribing to our blog.

References and Additional Resources

• Microsoft-365-Defender-Hunting-Queries
• CISA’s List of Free Cybersecurity Services & Tools
• CISA Cybersecurity Advisory: #CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability