Learn how Adlumin’s Threat Research Team is dissecting emerging threats and providing invaluable insights that empower organizations to proactively defend against ever-evolving cyberattacks.

Navigating the MOVEit Vulnerability: How to Protect Your Organization

MOVEit or lose it: the vulnerability has been taking the industry by storm over the last few weeks. The flaw was found in the MOVEit Transfer and MOVEit Cloud software, tools used to transfer files securely and encrypt data as it travels from one organization to another. Exploitation of this flaw could lead to escalated privileges and unauthorized access to the environment, and from there to servers and networks.

The flaw was first made public on June 2, but according to Microsoft, it was first observed on May 27, 2023. A second vulnerability was disclosed on June 15 and patched on June 16. The newest victims include several large financial institutions, educational institutions, SkillSoft and Norton LifeLock.

The Threat Actor Behind the Attacks

According to Microsoft, Lace Tempest is the cyber gang behind the exploitation of MOVEit software. The group is known for its use of Cl0p ransomware malware to attack banking, retail, education, transportation, manufacturing, engineering, automotive, energy, aerospace, telecommunications, professional and legal services, and other sectors.

The Cl0p ransomware gang has claimed responsibility for discovering and using the associated vulnerabilities in zero-day attacks against hundreds of companies running the publicly facing vulnerable MOVEit software, and claims to have begun its operations on May 27th, days before the first vulnerability was reported to NIST.

Adlumin’s Threat Research team finds this a rare, though increasingly common, example of a severe zero-day vulnerability being discovered and first used by Ransomware-as-a-Service gangs, alongside those gangs’ growing shift to data extortion or double extortion as a tactic.

Below are the affected software versions:

  • MOVEit Transfer 2023.0.0 (15.0) 
  • MOVEit Transfer 2022.1.x (14.1) 
  • MOVEit Transfer 2022.0.x (14.0) 
  • MOVEit Transfer 2021.1.x (13.1) 
  • MOVEit Transfer 2021.0.x (13.0) 
  • MOVEit Transfer 2020.1.x (12.1) 
  • MOVEit Transfer 2020.0.x (12.0) or older. 
  • MOVEit Cloud

Block MOVEit through Patching

Progress Software has released patches for the three identified vulnerabilities so far, including for a vulnerability where exploitation has not yet been observed:

  • CVE-2023-35708 
  • CVE-2023-35036 
  • CVE-2023-34362

If you are using any of the above versions, Adlumin recommends that you patch immediately.

How to Protect Your IT Environment

Adlumin’s Threat Research team has looked for indicators of compromise across our customer data. One strong indicator is the existence of the file “human2.aspx” in the folder C:\MOVEitTransfer\wwwroot.
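As an added example (not Adlumin’s tooling or anything from Progress Software), the two checks that follow directly from the text above: whether an installed MOVEit Transfer version falls in the affected list given earlier in this post, and whether the reported web-shell file name is present under the wwwroot folder named above. The default path, the recursive walk and the sample values are assumptions.

```python
"""Added example (not Adlumin's tooling or Progress Software's): two triage
checks drawn from the advisory text. The version logic encodes the affected
list given in the post (2023.0.0 and every 2022.x/2021.x/2020.x or older
release); the file check looks for the reported web-shell name under the
MOVEit Transfer wwwroot folder named in the post. The default path, the
recursive walk and the sample values are assumptions."""
import hashlib
import json
import os
import re

DEFAULT_WWWROOT = r"C:\MOVEitTransfer\wwwroot"   # path named in the post
WEBSHELL_NAME = "human2.aspx"                     # file name named in the post

# MOVEit Transfer year-style version, e.g. "2022.1.5" (not the "14.1" alias)
_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)\.(\d+)$")


def is_affected_version(version: str) -> bool:
    """True when the version is in the post's affected list.

    2023.0.0 is affected; anything newer in the 2023 line (e.g. 2023.0.1)
    is treated as patched; every pre-2023 release is affected, matching the
    "2020.0.x or older" wording. Unparseable input is reported as affected
    so that it gets a human look rather than silently passing."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return True
    year, minor, patch = (int(g) for g in m.groups())
    if year < 2023:
        return True
    return (year, minor, patch) == (2023, 0, 0)


def find_webshell_indicator(wwwroot: str = DEFAULT_WWWROOT) -> list:
    """Walk wwwroot (recursively, an assumption beyond the post's single
    folder) and return one record per file whose name matches the reported
    web shell, compared case-insensitively because NTFS is. Each record
    carries path, size and SHA-256 so it can be reported without executing
    or modifying the file."""
    hits = []
    if not os.path.isdir(wwwroot):
        return hits
    for root, _dirs, files in os.walk(wwwroot):
        for name in files:
            if name.lower() != WEBSHELL_NAME:
                continue
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hits.append({"path": path, "size": os.path.getsize(path),
                         "sha256": digest})
    return hits


def assess(version: str, wwwroot: str = DEFAULT_WWWROOT) -> dict:
    """Combine both checks. A web-shell hit outranks the version check:
    a patched server can still carry a shell dropped before the patch."""
    hits = find_webshell_indicator(wwwroot)
    needs_patch = is_affected_version(version)
    if hits:
        verdict = "INVESTIGATE"
    elif needs_patch:
        verdict = "PATCH"
    else:
        verdict = "OK"
    return {"version": version, "needs_patch": needs_patch,
            "webshell_hits": hits, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample run; pass the installed version in real use.
    print(json.dumps(assess("2022.1.5"), indent=2))
```

A hit is reported with its hash rather than deleted: the file is evidence for the incident response that follows, and the verdict ordering reflects that patching does not remove a web shell that was already dropped.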

Below are the known IOCs to look out for:

Web Shell

  • LEMURLOOT Web Shell

*We received these IOCs from a third-party source.

The Adlumin Approach

Adlumin has hunted for the indicators of compromise reported publicly so far across all of our customers’ environments. We have also developed additional detections to monitor follow-on activity by the threat actor. Adlumin’s Threat Research Team will continue to monitor the threat, including the Cl0p darknet leak site, and will notify customers accordingly.

Protecting Microsoft Office 365 from Cyberattacks

By: Mark Sangster, VP, Chief of Strategy, and Will Ledesma, Director of Managed Detection and Response

Cloud adoption is universal, as is the move to SaaS applications like Microsoft Office 365 (O365). Cloud architecture simplifies management while increasing business access and collaboration. Yet, the open and available nature of tools like O365 expands your threat profile. Cybercriminals are adept at abusing these legitimate systems, a technique often called Living Off The Land (LOTL). Adopting services like O365 only reinforces the notion that the threat landscape is an ever-moving sea of dunes that provide cover for criminals to move undetected and easily infiltrate your business.

As you migrate to Office 365 (amongst other SaaS applications) and increase user access, does it come at a cost? Are you losing security protection? This post discusses the move to Office 365, the risks, and ways to secure your SaaS applications from cyber threats.

Office 365 Overview

In this post, Office 365 refers to the collection of Microsoft web applications and cloud-based services¹. It includes Outlook, OneDrive, Microsoft Teams, and Microsoft Office (Excel, Word, and PowerPoint). These services further integrate with Microsoft Exchange Server, SharePoint, and others. Authentication is driven via Hybrid Azure configurations or full Azure Active Directory Server integration. Adlumin’s platform ingests the various logs produced by these applications, servers, and authentication services.

Real Threats in the O365 Trenches

Today’s open and accessible IT (Information Technology) infrastructure means companies cannot turn a blind eye to threats lurking in plain sight. Cybercriminal groups such as Gootloader actively seek out and exploit Office 365 vulnerabilities.

Like other SaaS applications, Office 365 contains mission-critical, often confidential, and damaging information if exposed through unauthorized channels. Proprietary intellectual property, business plans, customer contracts, and financial data are stored and shared through Office 365. Cybercriminals are attracted to any source of critical assets, and the open nature of Office 365 creates double jeopardy in terms of cyber threats.

Add to that the complexity of any expansive ecosystem of services and applications, and it is no wonder the Office 365 family has a plethora of known vulnerabilities² across its services, including remote code execution, spoofing, control bypass, and information exposure.

Threat actors will look to identify any way into a system. Many use password spray techniques, while others attempt phishing tactics. Regardless of the vector, every attack angle must be observed.

Many of these exploits are easy for criminals to deploy. For example, Microsoft modified Azure authentication protocols to prevent unauthorized parties from intercepting or spoofing authentication requests, harvesting credentials and then passing these credentials to the Azure servers to complete the user’s login request³.

Office 365 Login

Convincing phishing emails that launched customer-branded log-in portals left the user unaware of the fraudulent nature of the act. And the successful sign-on offers no signs of suspicious or at least unexpected behavior.

Most organizations rely on Single Sign-On (SSO) servers to authenticate users. They have been deployed for their simplicity and ease of use, and adversaries tailgate on those same advantages to gain initial access to organizations.

Let’s dive into a real-world example that Adlumin’s Managed Detection and Response (MDR) team discovered. The Adlumin platform alerted on suspicious activity in the form of impossible travel: a user logging in from two geographical locations within a period too short to physically travel between them. The adversary leveraged an older vulnerability against OAuth 2.0 that exploits a misconfiguration of the cloud Azure authentication server. The threat actor was able to take ownership of the targeted account but was rapidly stopped by Adlumin.

Adlumin’s investment in machine learning algorithms solves the conundrum of analyzing the enormous volume of logs generated by O365 services and is what surfaces this class of exploit. False positives are eliminated, and vetted alerts and events are presented to MDR analysts for complete analysis and containment.

Take the previous example of impossible travel authentication. A user cannot log in from New York and London at the same hour, but Microsoft load balancing might send an authentication request from a New York user to a server in London, given current Internet traffic. On the surface, the concurrent login looks suspicious, but it is not. Additional contextual information allows one to confirm the event and determine if it is malicious.

In this case, User and Entity Behavior Analytics (UEBA) solves this dilemma. UEBA baselines normal user and device activity and flags anomalies. Where does the user normally log in from? What are the normal behaviors of the user? What machine do they typically use? Adlumin UEBA paired with our MDR analysis provides a Zero Trust approach to identify the outliers, investigate, and contain them. It is about identifying threats before they turn into business-disruptive incidents.

With Microsoft SSO, attackers have a single portal to a world of applications: OneDrive, SharePoint, emails, confidential information, etc. Access to these systems additionally provides a vector for distributing malicious binaries like ransomware to other users and systems.

Alert and Response Example:

Adlumin’s MDR team has several containment actions. In this case, the analyst disabled the user account and implemented a firewall IP block via Adlumin’s SOAR (Security Orchestration, Automation, and Response) to provide machine-to-machine invoked protection actions.

The Alert

Alert details showing the impossible-travel activity:

A machine learning algorithm detected Office 365 activity originating from an anomalous

The Adversary’s Actions

The first move:

Once the adversary gains access, they set up a forwarding rule against an admin account.

(Screenshot: suspicious inbox forwarding rule)
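The forwarding rule is the first thing worth alerting on, because it survives a password reset and keeps leaking mail. As an added example (not Adlumin’s detection code), the check below runs over constructed records shaped like Unified Audit Log entries for New-InboxRule, Set-InboxRule and Set-Mailbox and reports any rule or mailbox setting that sends mail to a domain outside the tenant. The exact field layout of a real export, the tenant domain and every address are assumptions.

```python
"""Added example (not Adlumin's detection code): flag Office 365 inbox rules
and mailbox settings that forward or redirect mail outside the organisation,
the first adversary move described above. The records are constructed to
resemble Unified Audit Log entries for New-InboxRule / Set-InboxRule /
Set-Mailbox; the exact field layout of a real export, the tenant domain and
all addresses are assumptions."""
import json

INTERNAL_DOMAINS = {"example.com"}   # assumption: the tenant's own domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample export (three events, one of them a benign internal forward)
SAMPLE_AUDIT_JSON = """[
  {"CreationTime": "2023-03-01T10:02:11", "Operation": "New-InboxRule",
   "UserId": "admin@example.com", "ClientIP": "203.0.113.10",
   "Parameters": [{"Name": "Name", "Value": "."},
                  {"Name": "ForwardTo", "Value": "attacker@external-example.net"},
                  {"Name": "DeleteMessage", "Value": "True"}]},
  {"CreationTime": "2023-03-01T11:15:00", "Operation": "New-InboxRule",
   "UserId": "carol@example.com", "ClientIP": "198.51.100.7",
   "Parameters": [{"Name": "Name", "Value": "Team updates"},
                  {"Name": "ForwardTo", "Value": "team@example.com"}]},
  {"CreationTime": "2023-03-01T11:20:00", "Operation": "Set-Mailbox",
   "UserId": "dave@example.com", "ClientIP": "198.51.100.8",
   "Parameters": [{"Name": "ForwardingSmtpAddress",
                   "Value": "smtp:dave.personal@external-example.net"}]}
]"""


def load_audit_records(text):
    return json.loads(text)


def _recipients(value):
    """A parameter may list several recipients separated by ';'."""
    return [v.strip() for v in value.split(";") if v.strip()]


def _domain(address):
    addr = address.lower()
    if ":" in addr:                   # "smtp:user@host" form
        addr = addr.split(":", 1)[1]
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def suspicious_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule/mailbox change that sends mail to a domain
    outside `internal_domains`. The rule name and the DeleteMessage flag are
    kept in the finding because a throwaway name and deletion of the original
    are what make such a rule invisible to the mailbox owner."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [t for name, value in params.items() if name in FORWARDING_PARAMS
                   for t in _recipients(value)]
        external = [t for t in targets if _domain(t) not in internal_domains]
        if not external:
            continue
        findings.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "operation": rec["Operation"],
            "client_ip": rec.get("ClientIP"),
            "rule_name": params.get("Name", ""),
            "external_targets": external,
            "deletes_original": params.get("DeleteMessage", "False").lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for finding in suspicious_forwarding(load_audit_records(SAMPLE_AUDIT_JSON)):
        print(json.dumps(finding))
```

On the constructed records the internal forward from carol is ignored, while the admin account’s rule (external target, one-character name, deletes the original) and dave’s mailbox-level SMTP forward are both reported with the client IP, which is the same field the SOAR block later acts on.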

The second move:

The adversary then looks for and collects an expense report.

(Screenshot: the adversary collects an expense report)

The third move:

In this case, the client had disabled automatic blocks against suspicious activity, including the compromised account, remote access, and source IP blocking. In response, Adlumin’s MDR team takes containment actions:

(Screenshot: Security Orchestration Automation and Response (SOAR) containment actions)

IP blocks were also implemented via SOAR:


At this point, the initial attack is contained. Adlumin’s MDR team continued to monitor for further intrusions against the customer.

Takeaways

Today’s risk equation includes sophisticated threat actors, growing accountability and compliance requirements, and the protection of emerging technology. Office 365 is not new, but attacks against SaaS applications will continue to grow. The pandemic shifted much of the global workforce to a remote model.

Distributed (cloud) storage, remote access, and expanding user privileges have created new challenges for system administrators. They can no longer control access through on-premises services and restricted devices. In the battle to protect your business from cyberattacks while moving with technology trends, Adlumin provides the confidence you need to adopt and protect emerging technologies and services like Office 365.

  1. https://en.wikipedia.org/wiki/Microsoft_365
  2. https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-80308/Microsoft-365-Apps.html
  3. https://docs.microsoft.com/en-gb/microsoft-365/admin/setup/customize-sign-in-page?view=o365-worldwide

New Vulnerabilities Affecting OpenSSL: What you Need to Know

On Tuesday, November 1, 2022, OpenSSL made public two vulnerabilities affecting the most recent versions of the OpenSSL 3.x branch¹. The pair of Common Vulnerabilities and Exposures (CVEs), CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service), sometimes known as “Spooky SSL,” have been patched in the most recently released OpenSSL version, 3.0.7, but remain potentially significant on any system left unpatched. The severity of these vulnerabilities is exacerbated by the number of products and ways in which OpenSSL is used.

OpenSSL is a widely popular library used across operating systems, software suites, and packages to provide a basis for establishing secure and encrypted communications sessions. It is commonly used by applications such as Web Servers to establish HTTPS/TLS secured communications, VPNs, and other applications requiring secure sessions such as encrypted mail protocols.

The National Cyber Security Centrum – Netherlands (NCSC-NL) has released a public repository cataloging operating systems and software which use the vulnerable OpenSSL versions². The list is non-exhaustive but provides a good basis for recognizing what types of systems the OpenSSL vulnerabilities intersect with.

CVE-2022-3602 – Remote Code Execution Vulnerability

CVE-2022-3602 is a potential Remote Code Execution (RCE) vulnerability, which may allow unauthorized execution of malicious code on remote systems, either servers or clients using the affected OpenSSL libraries³. A buffer overrun can be triggered during the verification of the X.509 certificate’s name field, leading to a potential crash (Denial of Service / DoS) or RCE. The overflow happens only after the certificate chain signature is verified, so exploitation requires that either a Certificate Authority (CA) has signed the malicious certificate or the application using the OpenSSL library continues certificate verification despite a certificate trust failure.

Usage of this CVE has not yet been observed in the wild; however, the timely patching of affected systems is recommended as the best course of action.

CVE-2022-3786 – Denial of Service Vulnerability

CVE-2022-3786 is also a buffer overrun in X.509 certificate name constraint checking⁴. Attackers can leverage the vulnerability by crafting a malicious email address in the certificate that overflows an arbitrary number of bytes in memory with the ‘.’ character (decimal 46). This buffer overflow can result in a crash, causing a denial of service. The vulnerability can affect both OpenSSL-provided TLS clients and servers: clients can be exploited by connecting to a malicious server, and servers are vulnerable to malicious client connections when they request client authentication.

Like the previous vulnerability, this CVE has not been observed in the wild, but it is recommended that businesses, administrators, and users patch to the latest version of OpenSSL.

Recommendations

Adlumin recommends that all users of OpenSSL and OpenSSL-backed software update to the latest versions available in their major branch, especially if leveraging version 3.x.
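The first question on any host is simply which OpenSSL it runs. As an added example (not from this post, the OpenSSL project or the NCSC-NL repository), the script below classifies an `openssl version` banner against the range the advisory names: 3.0.0 through 3.0.6 affected, 3.0.7 fixed, 1.x not affected by these two CVEs. It also guards against LibreSSL, whose banner looks similar but is a different code base. Querying the binary on PATH is optional and only a starting point; statically linked and vendored copies need the product-inventory approach the NCSC-NL list supports.

```python
"""Added example (not from the post, OpenSSL or the NCSC-NL repository):
classify an `openssl version` banner against the advisory's affected range.
Per the advisory, OpenSSL 3.0.0 through 3.0.6 are affected and 3.0.7 is the
fix; the 1.x branches are not affected by these two CVEs. Running the local
binary is optional: statically linked copies and other vendored OpenSSL
builds are not visible this way."""
import re
import shutil
import subprocess

_BANNER_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from a bare '3.0.6' or a full
    'OpenSSL 3.0.6 11 Oct 2022' banner; None if it is not an OpenSSL
    version string (LibreSSL prints a similar banner and is excluded)."""
    if not banner or "libressl" in banner.lower():
        return None
    m = _BANNER_RE.match(banner.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(banner):
    """'affected' for 3.0.0 through 3.0.6, 'fixed' for 3.0.7 and later 3.x,
    'not-affected' for 1.x, 'not-openssl' for LibreSSL, else 'unknown'."""
    if banner and "libressl" in banner.lower():
        return "not-openssl"
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    major, minor, patch = v
    if major == 3 and minor == 0 and patch <= 6:
        return "affected"
    if major == 3:
        return "fixed"
    return "not-affected"


def local_openssl_banner():
    """Banner of the openssl binary on PATH, or None if absent or unusable."""
    exe = shutil.which("openssl")
    if exe is None:
        return None
    try:
        out = subprocess.run([exe, "version"], capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    banner = local_openssl_banner()
    print(banner or "openssl not on PATH", "->", classify(banner))
```

An "unknown" result is deliberately not treated as safe; it means the host needs to be checked by another route, which is also where a vulnerability scanner earns its keep.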

Additionally, we recommend using a vulnerability management product to regularly scan your environment for vulnerabilities and misconfigurations. Adlumin also recommends using the business’s SIEM product to continually search and alert on suspicious process executions that may result from exploitation of the vulnerability.

Resources

  1. OpenSSL. (2022, November 1). OpenSSL Security Advisory [November 1 2022]. Retrieved November 1, 2022, from https://www.openssl.org/news/secadv/20221101.txt
  2. NCSC-NL. (2022, October 28). OpenSSL-2022/scanning at main · NCSC-NL/OpenSSL-2022. OpenSSL-2022. Retrieved November 2, 2022, from https://github.com/NCSC-NL/OpenSSL-2022/tree/main/scanning
  3. MITRE. (2022, November 1). CVE-2022-3602. CVE. Retrieved November 1, 2022, from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3602
  4. MITRE. (2022, November 1). CVE-2022-3602. CVE. Retrieved November 1, 2022, from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3602