{"id":36037,"date":"2023-07-06T19:52:26","date_gmt":"2023-07-06T19:52:26","guid":{"rendered":"https:\/\/zpesystems.com\/?p=36037"},"modified":"2023-11-08T21:34:05","modified_gmt":"2023-11-08T21:34:05","slug":"the-biggest-ransomware-attack-you-havent-heard-of-yet","status":"publish","type":"post","link":"https:\/\/zpesystems.com\/the-biggest-ransomware-attack-you-havent-heard-of-yet\/","title":{"rendered":"The Biggest Ransomware Attack You Haven&#8217;t Heard of&#8230;Yet"},"content":{"rendered":"<p><em>This article was written by <a href=\"https:\/\/www.linkedin.com\/in\/jamescabe\/\">James Cabe, CISSP<\/a>, whose cybersecurity expertise has 
helped major companies including Microsoft and Fortinet.<\/em><\/p>\n<p><span style=\"font-weight: 400;\">MOVEit over SolarWinds \u2014 The largest and most successful ransomware attack ever recorded is happening. Right now. It\u2019s attacking healthcare and financial institutions with high rates of success, and recently <a href=\"https:\/\/techcrunch.com\/2023\/08\/14\/millions-americans-health-data-moveit-hackers-clop-ibm\/?guccounter=2&amp;guce_referrer=aHR0cHM6Ly9zdGF0aWNzLnRlYW1zLmNkbi5vZmZpY2UubmV0Lw&amp;guce_referrer_sig=AQAAAET1m944Fuc6m-oz7VyS-1WkpfZOUsPPOihk3xVN7ibxk_hHCvRAEGxd1xOeXJDQvfeLBV7DapRUe-le2gxKso3NaLHARjEvNS2gzhikhdRD_i52Dninx6me3ibb1yee4NC8RXXuzK12Ij4oc-sisyHAnmCtHdVLiYcyjVfEmtlo\" target=\"_blank\" rel=\"noopener\">stole sensitive data of 4 million more healthcare patients<\/a>. It uses something called CL0P ransomware, and the threat actor is a well-known criminal group with the name FIN11. Many organizations are finding it difficult to stop the attack because they have no way to access infected devices, take them offline, patch, or even replace them. 
So, what exactly is going on?<\/span><\/p>\n<h1>The group responsible for the attack<\/h1>\n<p><span style=\"font-weight: 400;\">FIN11 is a cybercriminal group that has been active since 2016 or before, originating from the <\/span><a href=\"https:\/\/www.britannica.com\/topic\/Commonwealth-of-Independent-States\"><span style=\"font-weight: 400;\">Commonwealth of Independent States (CIS)<\/span><\/a><span style=\"font-weight: 400;\">. While the group has historically been associated with widespread phishing campaigns, their focus has shifted towards other initial access vectors. FIN11 often runs high-volume operations targeting industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">FIN11 is responsible for multiple widespread, high-profile intrusion campaigns leveraging zero-day vulnerabilities, and the group likely has access to the networks of many more organizations than it is able to successfully monetize. Despite this, they\u2019re currently attacking MOVEit, a well-known SaaS provider that relies on a file transfer appliance called Accellion File Transfer Appliance (FTA). 
This legacy product remains unpatched, which has led to the breach of many Fortune 100 companies and state and federal agencies.<\/span><\/p>\n<h2>How did the ransomware attack start?<\/h2>\n<p><span style=\"font-weight: 400;\">The ransomware attack began with several Accellion FTA customers, including those in industries like healthcare, legal, finance, retail, and telecom. Companies such as Jones Day Law, Kroger, Singtel, and many others had no idea that they had been attacked, because the initial breach was quiet and headless.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Their only indication came after receiving a threatening email aimed at extortion.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this email, the group threatened to publish stolen data on the \u201cCL0P^_- LEAKS\u201d .onion website, according to an investigation from Accellion. 
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to the investigation, four zero-day security holes were exploited in the attacks:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">CVE-2021-27101 \u2013 SQL injection via a crafted Host header<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">CVE-2021-27102 \u2013 OS command execution via a local web service call<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">CVE-2021-27103 \u2013 SSRF via a crafted POST request<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">CVE-2021-27104 \u2013 OS command execution via a crafted POST request<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The published victim data appears to have been stolen using a \u201cWEB SHELL\u201d. These web shells give remote administrative access to the web server and create a jumping-off point to attack the rest of the internal network. Mandiant, a well-known cyber investigation arm of Google, added, \u201cThe exfiltration activity has affected entities in a wide range of sectors and countries\u201d (Threatpost). Exfiltration is the unauthorized removal of important or damaging data from an organization.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">However, the biggest problem is that these web shells give attackers what researchers call \u201cPERSISTENCE\u201d. This means that an attacker can remain in your network indefinitely to continue damaging and attacking your resources. 
Researchers call these \u201cAPTs,\u201d or Advanced Persistent Threats.<\/span><\/p>\n<h2>Why is the ransomware attack still going strong?<\/h2>\n<p><span style=\"font-weight: 400;\">The ransomware attack is still going strong because there\u2019s no patch available. According to open source information, beginning on May 27, 2023, the CL0P Ransomware Gang began exploiting a previously unknown SQL injection vulnerability (<\/span><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-34362\"><span style=\"font-weight: 400;\">CVE-2023-34362<\/span><\/a><span style=\"font-weight: 400;\">) in Accellion\u2019s appliance that is the backbone of a solution known as Progress Software&#8217;s MOVEit Transfer service. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505, which is the group responsible for the Dridex trojan and Locky ransomware, conducted zero-day-exploit-driven campaigns against Accellion FTA devices in 2020 and 2021, and Fortra\/Linoma GoAnywhere MFT servers in early 2023.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">What most organizations want to know is: How do you quickly respond to issues like these? How can you be properly prepared to respond to an issue you didn\u2019t cause or didn\u2019t expect?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Patching is a good response. However, it takes an average of 205 days to patch a recently known zero-day exploit like the MOVEit vulnerability. While patching alone is typically the ideal response, it isn\u2019t automatic, nor can it be done quickly.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Another approach involves removing the offending software or appliance, or cutting off access to the software or appliance. 
But once you remove this access, how do you continue normal operations, and how can you easily bring the software\/appliance back online? Without adequate infrastructure in place, physically deploying to each site is not practical, especially for distributed organizations.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">CISA and the FBI encourage organizations to implement the recommendations in the Mitigations section of this <\/span><a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-158a\"><span style=\"font-weight: 400;\">CSA<\/span><\/a><span style=\"font-weight: 400;\"> to reduce the likelihood and impact of CL0P ransomware and other ransomware incidents. The Mitigations section describes many approaches, including patching, removing software\/appliance access, and implementing a recovery plan. But all of these take too much time and too many resources, which leaves organizations vulnerable as they scramble to create an adequate response.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The great news is, organizations can cover all their bases without having to reinvent the wheel. This approach is recommended in one of CISA\u2019s recent directives, and gives organizations somewhat of a silver bullet that allows them to quickly defeat ransomware and remain prepared for any future attack.<\/span><\/p>\n<h2>What approach does CISA recommend to address ransomware attacks?<\/h2>\n<p><span style=\"font-weight: 400;\">CISA\u2019s recent directive (<\/span><a href=\"https:\/\/www.cisa.gov\/news-events\/directives\/binding-operational-directive-23-02\"><span style=\"font-weight: 400;\">23-02<\/span><\/a><span style=\"font-weight: 400;\">), which addresses the vulnerability of Internet-exposed management interfaces, calls for organizations to create an isolated management infrastructure (IMI) via out-of-band connectivity. 
This is a drop-in solution that the military, telcos, and hyperscalers\/cloud companies use to respond to widespread ransomware and other issues impacting security and resilience. This approach \u2014 which ZPE Systems has perfected in the last decade with the help of Big Tech \u2014\u00a0gives organizations a completely separate control plane through which they can monitor and manage their entire IT infrastructure in a safe and dedicated fashion.<\/span><\/p>\n<h3>What is isolated management infrastructure?<\/h3>\n<p><span style=\"font-weight: 400;\">Isolated management infrastructure consists of the hardware and software that create a management network that\u2019s fully separate from other production and management networks. The key to this is in out-of-band connectivity, which is defined as connectivity other than TCP\/IP. Out-of-band can include direct USB, serial, or even non-routed zero-trust connections to crown-jewel assets.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Essentially, the IMI gives an organization complete oversight and control of their widespread IT infrastructure, in a way that is secure and accessible only to their IT teams.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In this diagram, the production infrastructure (blue ring) sits at each distributed location. The out-of-band infrastructure for LAN (OOBI-LAN) is the green ring and surrounds the production infrastructure with one layer of isolated management. 
The OOBI-WAN (orange ring) is what provides a second layer of isolated management, which teams can access from a central or remote location, to gain access to the OOBI-LAN and ultimately the production infrastructure.<\/span><\/p>\n<p><img decoding=\"async\" class=\"wp-image-35255 alignnone size-full\" src=\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/05\/microsoftteams-image-8-1.webp\" alt=\"ZPE Automation\" width=\"1917\" height=\"1077\" srcset=\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/05\/microsoftteams-image-8-1.webp 1917w, https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/05\/microsoftteams-image-8-1-1280x719.webp 1280w, https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/05\/microsoftteams-image-8-1-980x551.webp 980w, https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/05\/microsoftteams-image-8-1-480x270.webp 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 1917px, 100vw\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Knowing these assets and providing access across the organization can be easy and does not have to disrupt current operations.\u00a0<\/span><\/p>\n<h2>How can IMI stop the FIN11 ransomware attack?<\/h2>\n<p><span style=\"font-weight: 400;\">In the ongoing FIN11 ransomware attack, Internet-facing applications are targets of the zero-day exploit. This means that no amount of security solutions can pre-mitigate the attack (i.e., there\u2019s nothing you can do to stop it). 
This is where IMI shines.<\/span><\/p>\n<p><img decoding=\"async\" class=\"wp-image-36055 alignnone size-full\" src=\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/07\/Isolated-Management-Network-Diagram.png\" alt=\"Isolated Management Network diagram sitting beside production infrastructure\" width=\"2000\" height=\"1125\" srcset=\"https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/07\/Isolated-Management-Network-Diagram.png 2000w, https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/07\/Isolated-Management-Network-Diagram-1280x720.png 1280w, https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/07\/Isolated-Management-Network-Diagram-980x551.png 980w, https:\/\/zpesystems.com\/wp-content\/uploads\/2023\/07\/Isolated-Management-Network-Diagram-480x270.png 480w\" sizes=\"(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) and (max-width: 1280px) 1280px, (min-width: 1281px) 2000px, 100vw\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Remember the OOBI-LAN\/OOBI-WAN diagram? Here\u2019s a zoomed-in view of the isolated management infrastructure sitting beside the production infrastructure. The IMI connects via serial, Ethernet, and USB to production gear, and provides the necessary functions (routing, storing golden images, hosting jumpbox tools, etc.) to recover from attack. But how?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">IT teams can use OOBI-WAN to remotely access their OOBI-LAN and production gear. They can pull affected devices offline and bring them in for forensics, which takes place in an <\/span><a href=\"https:\/\/zpesystems.com\/build-an-isolated-recovery-environment-zs\/\"><span style=\"font-weight: 400;\">Isolated Recovery Environment (IRE)<\/span><\/a><span style=\"font-weight: 400;\">. This means these assets and networks are still reachable by analysts and responders, but isolated from other vulnerable assets. 
This allows an organization to quickly and even automatically deploy tools and resources inside of this environment through devices like ZPE Systems\u2019 Nodegrid.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To combat the FIN11 attack, organizations don\u2019t need to unplug cables or shut their devices off. They can instead deploy their IMI as the framework for closing the attack surface while maintaining access and critical data to aid in recovery.<\/span><\/p>\n<h2>Get the blueprint for isolated management infrastructure<\/h2>\n<p><span style=\"font-weight: 400;\">Don\u2019t wait until the next attack to shore up your defenses. ZPE Systems has worked with Big Tech for ten years developing the isolated management infrastructure. It\u2019s now available inside the Network Automation Blueprint, and walks you through how to implement your own IMI. Download the blueprint now to stay ready for any attack.<\/span><\/p>\n<p><a href=\"https:\/\/zpesystems.com\/network-automation-blueprint\/\">Download blueprint<\/a><\/p>\n<h2>Get in touch with me!<\/h2>\n<p><span style=\"font-weight: 400;\">True security can only be achieved through resilience, and that&#8217;s my mission. 
If you want help shoring up your defenses, building an IMI, and implementing a Resilience System, get in touch with me. Here are links to my social media accounts:<\/span><\/p>\n<ul>\n<li><a href=\"https:\/\/www.linkedin.com\/in\/jamescabe\/\">James Cabe &#8211; CISSP on LinkedIn<\/a><\/li>\n<li><a href=\"https:\/\/twitter.com\/how2cloud?lang=en\">@how2cloud on X &#8211; James Cabe<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The most successful ransomware attack ever is happening right now. See why isolated management infrastructure is the only way to save your organization.<\/p>\n","protected":false},"author":5,"featured_media":36041,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","content-type":"","footnotes":""},"categories":[98,103,156,101,93,82,96,162,35,158,97,134],"tags":[],"class_list":["post-36037","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-logging","category-improve-network-security","category-micro-segmentation","category-minimize-impact-of-disruptions","category-network-automation","category-out-of-band-management","category-sd-wan","category-secops","category-sase","category-security-service-edge-sse","category-user-management","category-zero-trust-security"],"rttpg_author":{"display_name":"Jordan Baker","author_link":"https:\/\/zpesystems.com\/author\/jordan\/"},"rttpg_comment":0,"rttpg_category":"<a href=\"https:\/\/zpesystems.com\/category\/improve-network-security\/data-logging\/\" rel=\"category tag\">Data Logging<\/a> <a href=\"https:\/\/zpesystems.com\/category\/improve-network-security\/\" rel=\"category tag\">Improve Network Security<\/a> <a href=\"https:\/\/zpesystems.com\/category\/micro-segmentation\/\" rel=\"category tag\">Micro-segmentation<\/a> <a href=\"https:\/\/zpesystems.com\/category\/minimize-impact-of-disruptions\/\" rel=\"category tag\">Minimize Impact of Disruptions<\/a> <a href=\"https:\/\/zpesystems.com\/category\/increase-productivity\/network-automation\/\" rel=\"category tag\">Network Automation<\/a> <a href=\"https:\/\/zpesystems.com\/category\/remote-network-management\/out-of-band-management\/\" rel=\"category tag\">Out of Band Management<\/a> <a href=\"https:\/\/zpesystems.com\/category\/improve-network-security\/sd-wan\/\" rel=\"category tag\">SD-WAN<\/a> <a href=\"https:\/\/zpesystems.com\/category\/secops\/\" rel=\"category tag\">SecOps<\/a> <a href=\"https:\/\/zpesystems.com\/category\/improve-network-security\/sase\/\" rel=\"category tag\">Secure Access Service Edge (SASE)<\/a> <a href=\"https:\/\/zpesystems.com\/category\/improve-network-security\/security-service-edge-sse\/\" rel=\"category tag\">Security Service Edge (SSE)<\/a> <a href=\"https:\/\/zpesystems.com\/category\/improve-network-security\/user-management\/\" rel=\"category tag\">User Management<\/a> <a href=\"https:\/\/zpesystems.com\/category\/zero-trust-security\/\" rel=\"category tag\">Zero Trust Security<\/a>","rttpg_excerpt":"The most successful ransomware attack ever is happening right now. See why isolated management infrastructure is the only way to save your organization.","_links":{"self":[{"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/posts\/36037","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/comments?post=36037"}],"version-history":[{"count":10,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/posts\/36037\/revisions"}],"predecessor-version":[{"id":38182,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/posts\/36037\/revisions\/38182"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/media\/36041"}],"wp:attachment":[{"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/media?parent=36037"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/categories?post=36037"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zpesystems.com\/wp-json\/wp\/v2\/tags?post=36037"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}