Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Kroll

MOVEit Vulnerability Investigations Uncover Additional Exfiltration Method

Kroll has identified two different file exfiltration methodologies leveraged by threat actors, primarily CLOP, during recent engagements involving the exploitation of the MOVEit vulnerability (CVE-2023-34362) throughout May and June 2023. In the vast majority of Kroll’s global MOVEit investigations, the primary data exfiltration method consisted of utilizing the dropped web shell to inject a session or create a malicious account (named Method 1 for this piece).

Proof of Concept Developed for Ghostscript CVE-2023-36664 Code Execution Vulnerability

Ghostscript, an open-source interpreter for the PostScript language and PDF files, recently disclosed a vulnerability prior to the 10.01.2 version. This vulnerability CVE-2023-36664 was assigned a CVSS score of 9.8 that could allow for code execution caused by Ghostscript mishandling permission validation for pipe devices (with the %pipe% or the | pipe character prefix). Debian released a security advisory mentioning possible execution of arbitrary commands.

GOOTLOADER Malware Case Study - Kroll Cyber Risk

In Q1 2023, Kroll Cyber Threat Intelligence analysts noticed an uptick in GOOTLOADER malware infections leading to large-scale exfiltration of sensitive data, and even extortion. In this video, Threat Intelligence expert, Ryan Hicks, walks through a GOOTLOADER malware case study and provides recommendations for how to prevent such an attack.

Deep Dive into GOOTLOADER Malware and Its Infection Chain

Kroll has analyzed incidents throughout Q1 2023 where drive-by compromise was the initial infection vector for GOOTLOADER malware. It is likely that the threat actors are utilizing SEO to drive individuals to either their own malicious website or to infected WordPress sites. These sites are then used to host documents that would be attractive to employees within the legal and professional services sectors.

Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021

NOTE: The MOVEit Transfer vulnerability remains under active exploitation, and Kroll experts are investigating. Expect frequent updates to the Kroll Cyber Risk blog as our team uncovers more details. On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362).

Responding to the Critical MOVEit Transfer Vulnerability (CVE-2023-34362)

On May 31, 2023, Kroll received multiple reports that a zero-day vulnerability in MOVEit Transfer was being actively exploited to gain access to MOVEit servers. Kroll has observed threat actors using this vulnerability to upload a web shell, exfiltrate data and initiate intrusion lifecycles. This vulnerability may also enable a threat actor to move laterally to other areas of the network.

Q1 2023 Threat Landscape Report: Ransomware Groups Splinter, Swarm Professional Services

Kroll’s findings for Q1 2023 highlight fragmented threat actor groups and a continued evolution in attack methods and approaches, which, alongside other key shifts in behavior, have concerning implications for organizations in many sectors. In Q1 2023, Kroll observed a 57% increase in the overall targeting of the professional services sector from the end of 2022.