Exploits & Vulnerabilities
MOVEit Vulnerability Breaches Targeted Fed Agencies
Jon Clay and Ed Cabrera talk about the MOVEit breaches and more in the video series #TrendTalksBizSec
Transcript
Jon Clay: Welcome everyone. My name is Jon Clay, VP of Threat Intelligence at Trend Micro and welcome to episode 21 of our Trend Talks BizSec. Joining me today again is Ed Cabrera, Chief Cybersecurity Officer at Trend Micro. Ed, how are you doing today?
Ed Cabrera: It's a busy evening and day for us, right? So, uh, let's, let's get to it.
Jon Clay: Yeah, we're going to talk about the MOVEit breaches that have been in the news lately. Um, there's a couple of things that have occurred here. Uh, what's interesting is we have actually seen a number of zero days being disclosed, uh, in this. So, in, on May 31st, uh, they disclosed that CVE 2023 34362 was being utilized in some attacks.
Then on June 9th, they published that CVE 2023 35036 was being, um, exploited. And then just yesterday we heard that on June 15th that CVE 2023 35708 was another vulnerability that was being exploited. And so Ed and I are going to talk a little bit about this, but the good news is these are all patched, so if you are a MOVEit customer, You should be going to them and getting those patches done.
I think one of them there might be only in their cloud product and not their on prem yet, but that's something we can discuss as well. But Ed, let's talk a little bit about this attack and what we know. Obviously, there's still a lot of information out there that is unknown about it, but supposedly the Clop Ransomware group has, um, Said that they are responsible for these.
What are your thoughts around this?
Ed Cabrera: Yeah, I mean, well, one not surprising. And so they've been one of and we've been writing on this even back to 2021 that they're one of the most prolific ransomware crews out there, uh, Russian speaking ransomware crews. So not surprising. Uh, that it is is coming.
Obviously, three zero days is an interesting wrinkle. We'll get to that here in a minute. But I think it's one of these things that you could see how quickly these things can escalate, especially when you're talking about supply third party supply chain when it comes to software and, you know, the vendors that you utilize.
And so I think one of these things that we really need to look at across all of this is, you know, how can we. Really be better at, um, you know, the identification. How would our meantime to detect our meantime to respond? I mean, we just need to be more resilient.
Jon Clay: Yeah, and I think, you know, you said the thing that was interesting is the Clop ransomware.
There are ransomware gang ad, but yet there's no evidence that they actually are using ransomware. It sounds like this is a data exploit, or I mean, a data kind of exfiltration extortion attack.
Ed Cabrera: That's right. Usually we're seeing this as a sort of, um, the second or part of a traditional ransomware attack where, you know, they drop the ransomware.
But as the double extortion goes, then they actually exfiltrate that data to then further the impact if they don't, you know, to pressure victims to pay. So it seems like they went straight to this data disclosure, digital extortion piece, which You know, it's, you know, in the community, it's really not seen as possibly the most successful approach because some companies have already, you know, said, okay, we're going to disclose, so we're not going to pay.
Um, obviously that all depends on the critical, the criticality of the, of the data that's actually been, you know, exfiltrated. So, uh, each company has to do their analysis and I'm sure they're doing their due diligence right now.
Jon Clay: Yeah, I mean, by zero daying a data transfer application, obviously, the main thing that this application does is utilize is managed data.
So it makes sense that the motive was to exfiltrate data here because of the in what they were doing here. The zero day aspect is interesting, Ed, because we, we don't really see zero days used very often. And one of the things that I, I was thinking about earlier, um, how they got this zero day, these zero day exploits or how they developed them.
So the question is, is Did they develop them in house? So maybe they're, you know, this is a business for them. Maybe they have somebody internally that does, uh, you know, reverse engineering and maybe tries to find and create exploits of vulnerabilities found. Or they could have gone to the market. We know there's a marketplace out there in the underground market for exploits of vulnerabilities, so they could have bought that.
Uh, or somebody gate came to them and sold it to them. And one other aspect that is interesting is, uh, one of my colleagues mentioned that maybe a government supplied them with this because we certainly know that there are governments out there that are looking to destabilize things in the world.
So that's another option. I sort of lean towards the first two, obviously. Um. Uh, in in this case, but but again, you know, last year, Google Project Zero published. There was only around 30 or 40, uh, zero days used in attack. So this is a little unprecedented, especially when you see three used in a single attack.
Ed Cabrera: Yeah, no, I think this is really and I agree with you. You know, when we look at. You know, how these exploits are created, depending on the sophistication, you know, and the capability to your point, there's many different avenues. I mean, you can have, so to speak, your own exploit writers on staff, or you can go to the marketplace.
Chances are, maybe more of the marketplace, right? I mean, you're looking from a business point of view, Perspective, um, you know, unless you're really lucky and you get some kind of exploit writer and you're leveraging that exploit writer in your attacks, chances are they're going to the marketplace and the cyber criminal on the grounds have really been, uh, doing this for quite some time and selling access, selling exploits.
So that wouldn't be surprised into your point. Even if you look at the victimology, they did this sort of spray and pray. It's a global impact. Don't get me wrong. And they're impacting obviously the federal government, which we'll get to in a minute, but also they're impacting, you know, airlines, uh, municipalities, universities.
Yeah, absolutely. So it is sort of on one hand, spray and pray, which wouldn't sound like they're utilizing this it. in a targeted manner like what you would find from a state sponsored group. So I, I agree with you. Maybe that's where they either came across this on their own and, or they went to the marketplace for it.
Jon Clay: Yeah. I, the one thing I do lean towards them having it in house ed is that if it was in the marketplace, other groups would probably be using it and we haven't. seen any evidence of more groups using these exploits themselves. Now there's POC, I believe, that got created by a research firm out there. So that, that obviously is going to cause some challenges, but, um, but yeah, this is a, it's an interesting one to utilize.
And, and, you know, again, I think. The three are very similar. So once you find one, you probably look for similar type of, uh, vulnerability and you're probably finding them pretty quickly in that case. So, um, but the good news is move. It did move quick. Um, they were able to identify the bug and. And put patches in place pretty quickly.
So that's that's good news. But zero days are very difficult to defend. Now you mentioned U. S. Government. Uh, there was yesterday and this is kind of why we we started wanted to bring this to you that there was some, um, public information sent out by the U. S. Government that some agencies got tagged. You want to give the audience a little bit of information about that?
Ed Cabrera: Yeah, it seems like it's a small group. Um, the DHS, uh, has come out and said that it is a group that they're managing and working with. Um, however, you never know as these things really start to unfold and unpacked. Um, but Department of Energy being the, the, the biggest, uh, um, sort of department, um, that was named.
So I think it's one of these wait and see as the, you know, additional. Yeah. Federal, um, agencies and or departments, you know, um, either they them come forward themselves and or they get outed that, but there's a unique thing here, which we don't see, but we, well, we have seen in the past. However, um, it is this notion of they have some principles of if you would think from a cyber criminal group, they actually made note that they move.
I don't have any children's hospitals, any government agencies, any law enforcement agencies that were impacted by this spray and prayer approach. They said that they deleted them. Like so, uh, maybe they're not as bad.
Jon Clay: I don't know. Well, I think, you know, I think they, they looked at the past history of us government putting bounties on some of these ransomware groups, uh, actors.
And sanctions on government. So there's certainly precedent that they didn't want that target on their back. So maybe they will, um, maybe it won't happen now, but you know, this brings up something that's interesting, you know, just this year, we came, the U S government came out with. The cybersecurity strategy, right?
And is this kind of a first run on what we are seeing being built around this U. S. government? Obviously, it's a fail because these. These agencies got hit, but maybe they haven't had time to implement some of these. But let's look at some of these, Ed, and maybe break down a little bit about some of the things, their challenges, or some areas that they could actually improve their security posture in these areas as well.
Ed Cabrera: Yeah. Uh, five pillars towards, you know, within the National Cybersecurity Strategy, and I, and I would say yes, this is that first test, right, of this national Cybersecurity strategy. One would argue it's a little early, you just released the strategy. How effective can you bend to roll out some goals and objectives to meet that, that strategy.
However, you know, um, the federal government has, um, Has been incrementally getting better, right? You know, not all agencies and departments are the same. And really, um, the really focus here, when you look at the strategy perspective, one is a pillar two, for example, pillar two is a disrupt and dismantle threat actors, you mentioned it earlier, this.
Sort of mitigating their own risk, possibly deleting government data to prevent, you know, additional focus from say, cyber command hunt forward teams that are being leveraged in, you know, uh, to support.
Jon Clay: Offensive measure against CLOP right now might not be in their best interest to the CLOP group. So hence why they may be put in that that disclaimer that they deleted that information because we know Cyber Command has some very good, uh, offensive capabilities.
Ed Cabrera: No, yeah, I mean, I think the focus on the National Cyber Security Strategy is for critical infrastructure. There's 16 sectors, right? So just about everything might be considered critical infrastructure.
However, I think when you looked at it, and they didn't really specifically go into it too much on the National Cyber Security Strategy, but this whole idea of continuous, you know, assessment of risk, I mean, this is something that we all have to, so they might not be connected to the National Cyber Security Strategy per se directly, but You know, CISA just released for federal agencies, the binding directive around essentially improving their task surface risk management, requiring them to report, you know, uh, within 14 days.
And so these are the things that, yes, you see this incremental approach of actually helping agencies become much more resilient because in the end, no strategy is going to be that silver bullet to. Protect agencies. It's going to need to be very focused on resilience, right? It's speeding. It's the meantime to detect, as I mentioned, meantime to respond and meantime to remediate.
Jon Clay: So, yeah, what are some of the other pillars that in this cyber security strategy that we could maybe improve areas prove on? Well, I mean, you look at?
Ed Cabrera: One thing here is very focused is, um, actually international leadership and you make you wonder, well, what does that mean? Well, it's very high level, but capacity building internationally is very important, right?
Especially when we're talking international groups. Now, Klopp is, um, you know, it's attributed to being a Russian speaking, um, ransomware crew. So you can see that anything and we've worked with, I say, we, the federal government and the FBI, um, Um, previously worked with identifying a couple Ukrainians that were connected to CLOP, right?
So regardless of their nationality, you know, having a better international capacity building stance in international cooperation. So, you know, um, we like to do our part for sharing micro with threat intelligence information sharing across the board.
Nationally and internationally with, with departments and agencies.
And so I think that strategy there, albeit is sort of a delayed gratification piece, but I think that's the only way forward to really get to the resilient piece.
Jon Clay: Well, and I think that ties back into two, uh, principle two, where if these governments can come together, we can disrupt their infrastructure.
Through collaboration, but we can also look at law enforcement arresting these criminals with support as well across the, uh, the, the world. So, uh, certainly that can be an effective means if we can get to that point.
Ed Cabrera: Absolutely. Absolutely. So extending the. So long arm and reach of law enforcement to be able to disrupt these groups is one of the things near dear to my heart.
But I mean, it takes time. Those things do take time. So what can we do? Sooner from a public private partnership, you know, how can we share threat intelligence, you know, as soon as possible around, um, these campaigns so, you know.
Jon Clay: I noticed the nice thing about our industry at is, is we're already seeing a lot of information being shared about this actual breach and about the vulnerabilities that are associated with it, the IOCs, IOAs are starting to trickle out across the community. So, so that's a great thing. But, you know, you talk about resiliency, you talk about, I know, how can we improve? So a couple of things, obviously, zero days are difficult, but there are things that we can look at.
You know, just this week, we announced our new Vision One platform, which goes into attack surface risk management. So that's all about Discovery assessment and mitigation. So if I can discover we actually published a few things in our vision one console where a customer can actually discover MOVEit, um, uh, applications being run on devices out there.
So you can actually see what devices do I have in my organization that are using MOVEit. But then you can assess. Does it have a patch associated with it? Um, is there a virtual patch that is available? We actually have published some virtual patches. We even have some generic patches for sequel injection that supposedly this is part, uh, the type of, of, uh, v exploit that is being, um, vulnerability that's being exploited.
So maybe a generic. Type of virtual patch could help an organization identify a new exploit that comes out using that technique or that tactic. So, um, but again, it's about that continuous monitoring, continuous visibility into your attack surface, and then, you know. Discovering it, then assessing it, and then mitigating it through a number of different security controls.
Ed Cabrera: No, absolutely. And, you know, you can't, you know, even with our new release, I think the most important thing is, right, leveraging AI and, you know, and companion to be able to do that, right? So the power of AI, well, and machine learning have been around and we've been leveraging it for years. But the idea is, you know, you're doing it to help.
Augment the capabilities of your teams, right? I mean, be able to speed up processes, right? We've talked about people process technology, technology ad nauseum, but the, the, everything that, that connective tissue between all three is obviously, can you automate, can you be able to be able to respond much quicker and faster to these types of threats and campaigns?
Jon Clay: Yeah, so we're about up on time, Ed, but just basically to review for our audience here, uh, MOVEit transfer is an application that got exploited over the last several weeks. They've got three. Vulnerabilities that they have patches for recommendation, obviously, is if you are a MOVEit customer, you obtain those patches and and apply them as quickly as possible.
If they don't have a patch for you, they do have some mitigating controls and recommendations that you can do. You could also turn them off, which the application off if you need to in the worst case scenario, but definitely this. These aren't going to stop, right?
Ed Cabrera: Yeah. No, no, I mean, I think, you know, these are here to stay.
It's a fact of life. We have vulnerable, uh, um, applications that we use and operating systems we do on a daily basis. And then you extend that, uh, sort of risk and exposure when you're using third party software and applications. I mean, so zero days are a fact of life. The thing is, is be able to have that people process technology in place to continually assess your attack surface risk management and apply the controls like you said, it.
To mitigate, you know, the risk and then also remediate if you're unfortunate and be able to, you know, and the victim.
Jon Clay: Yeah, well, hopefully this gave you some good information. Everybody you can go to our trend micro dot com website. Our blog. We actually have a blog out on this and we have a. Uh, ransomware spotlight that we spotlight the CLOP, uh, ransomware group.
So we give you all the information about their TTPs, uh, and what they're doing. Uh, as well as if you were a trend customer, we have a customer, uh, support knowledge based article that gives you information on how you can. Uh, protect your your organization utilizing our solution. So with that, Ed, thanks very much.
Episode 21 is a wrap. We will be back soon to do Episode 22. But if anything new comes up, we may we may add on to this and in a follow up session. So everybody, thanks for joining us today and we'll talk soon. Ed, take care.