Executive Summary
- The recent breach at Zellis, a popular payroll provider, serves as a wake-up call for enterprises to prioritize comprehensive third-party risk management.
- SecurityScorecard leveraged a global network of data and our Attack Surface Intelligence (ASI) platform to identify over 2,500 exposed MOVEit servers across 790 organizations, with hundreds displaying the specific vulnerability that had been exploited at Zellis.
- We gained access to NetFlow data that indicated the exfiltration of large amounts of data from vulnerable MOVEit servers.
- The MOVEit vulnerability (CVE-2023-34362 in MOVEit Transfer) is exploited through SQL injection that leads to remote code execution (RCE), after which attackers pivot to additional resources.
- The recent MOVEit exploit campaigns have been attributed to the Cl0p ransomware gang.
How to protect your organization from the MOVEit exploit
- Promptly identify whether you have any MOVEit servers. If you do, immediately close ports 80 and 443, plus any other internet-facing ports on which MOVEit services are running, and confirm the block from an external vantage point. Progress, the vendor, has released patches for the vulnerability, but patching does not remove a web shell that was already planted, so check any instance that was exposed while vulnerable before returning it to service, and keep vulnerable instances off the public internet.
- MOVEit should sit behind controls that grant access only to those who need it, such as a Zero Trust access gateway secured by MFA or, at minimum, IP allowlists and blocklists.
- If you run MOVEit within your organization, ensure that the database account MOVEit uses to connect has only the privileges the application needs and is not a superuser with broader access (for example, a sysadmin login on Microsoft SQL Server or root on MySQL). The exploit uses SQL injection to manipulate the server's database and execute arbitrary code, resulting in data exfiltration. Because the injected SQL runs with the privileges of that database account, the adversary's initial foothold is bounded by what the account can do: a restricted account limits the blast radius, a superuser hands over the database server.
Wide-ranging scope and implications of the Zellis breach
SecurityScorecard conducted an extensive investigation into the Zellis breach. This research revealed alarming insights about the scale and persistence of the attack.
The data exfiltration was carried out in several steps:
- Initial SQL injection scanning
- Another test to verify the vulnerability
- Exploitation of the vulnerability via SQL injection
- A reverse HTTP connection from the affected Zellis IP back to the adversary's infrastructure, carrying a large data transfer
NetFlow data from Zellis IP ranges indicated large outbound transfers over HTTPS, which pointed to the presence of a web shell. SecurityScorecard researchers also detected exfiltration over SSH to known malicious IP addresses. Further analysis uncovered over 2,500 exposed MOVEit servers across 790 organizations, several hundred of which displayed the specific vulnerability exploited in the breach.
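The signal described above (bulk outbound transfers from a MOVEit host over HTTPS and SSH, some to known-bad addresses) is what a NetFlow export makes visible. The Python below is an added example, not SecurityScorecard's tooling: it parses a constructed CSV flow export, sums outbound bytes per (source, destination, port) for hosts known to run MOVEit, and alerts when a transfer to an external address exceeds a size threshold on 443 or 22 or lands on a known-malicious destination. The server list, internal ranges, threshold, threat-intel set and flow records are all assumptions made for the example.

```python
"""Flag likely data exfiltration from MOVEit servers in NetFlow records.

Added example; it is not SecurityScorecard's tooling. The flow records,
MOVEit server list, threshold and "known malicious" set are constructed.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO
from ipaddress import ip_address, ip_network

# Assumption: the organisation's internal ranges (RFC 1918); anything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: internal hosts found to run MOVEit (e.g. by favicon fingerprinting).
MOVEIT_SERVERS = {"10.20.0.15"}
# Assumption: adversary infrastructure from a threat-intel feed (constructed address).
KNOWN_MALICIOUS = {"203.0.113.77"}
# Assumption: outbound bytes to one destination/port above which a transfer is suspicious.
BYTES_THRESHOLD = 500 * 1024 * 1024
EXFIL_PORTS = {443: "HTTPS", 22: "SSH"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str
    bytes_out: int


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse a constructed CSV export: src,dst,dst_port,proto,bytes (header row first)."""
    return [Flow(r["src"], r["dst"], int(r["dst_port"]), r["proto"], int(r["bytes"]))
            for r in csv.DictReader(StringIO(text))]


def detect_exfil(flows, servers=MOVEIT_SERVERS, malicious=KNOWN_MALICIOUS,
                 threshold=BYTES_THRESHOLD) -> list:
    """Sum outbound bytes per (src, dst, port) for MOVEit hosts talking to external
    addresses, then alert on volume over HTTPS/SSH or on a known-malicious destination."""
    totals = defaultdict(int)
    for f in flows:
        if f.src in servers and is_external(f.dst):
            totals[(f.src, f.dst, f.dst_port)] += f.bytes_out
    alerts = []
    for (src, dst, port), total in sorted(totals.items()):
        reasons = []
        if port in EXFIL_PORTS and total >= threshold:
            reasons.append(f"{total / 2**20:.0f} MiB outbound over {EXFIL_PORTS[port]}")
        if dst in malicious:
            reasons.append("destination is on the known-malicious list")
        if reasons:
            alerts.append({"src": src, "dst": dst, "port": port,
                           "bytes": total, "reasons": reasons})
    return alerts


# Constructed sample export: one MOVEit host, routine traffic plus two bulk transfers.
SAMPLE_NETFLOW = """src,dst,dst_port,proto,bytes
10.20.0.15,198.51.100.10,443,tcp,2097152
10.20.0.15,10.20.0.7,1433,tcp,50000000
10.20.0.15,203.0.113.77,443,tcp,400000000
10.20.0.15,203.0.113.77,443,tcp,450000000
10.20.0.15,203.0.113.88,22,tcp,640000000
10.20.0.99,203.0.113.77,443,tcp,900000000
"""

if __name__ == "__main__":
    for a in detect_exfil(parse_flows(SAMPLE_NETFLOW)):
        print(f"{a['src']} -> {a['dst']}:{a['port']}  {'; '.join(a['reasons'])}")
```

Two design points: the 50 MB flow to the internal database host is ignored because it never leaves the internal ranges, and the 900 MB transfer from 10.20.0.99 to the known-malicious address is not flagged because that host is not in the MOVEit server set. In production you would widen the second check to every source, and replace the static threshold with a per-host baseline, since a file-transfer server legitimately sends large volumes to many destinations; the anomaly at Zellis was the volume to a single adversary endpoint.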
Unveiling the attack chain: the swift response to the Zellis breach
SecurityScorecard's swift identification of the breach at Zellis demonstrates the value of enhanced threat intelligence in detecting and responding to cyber threats. Using Attack Surface Intelligence (ASI), the team identified vulnerable IP addresses associated with MOVEit servers within minutes.
ASI identifies MOVEit servers from a single query typed in the search bar: http_favicon_hash:'Unknown favicon MD5: 9DFFE2772E6553E2BB480DDE2FE0C4A6'. The results list all potentially vulnerable servers. We used the HTTP favicon hash filter, as recommended by the security community, to identify specific instances.
The MD5 hash is the hash of the MOVEit software's browser favicon for the versions that may be affected. A favicon match is a fingerprint of the product, not proof that an instance is unpatched, so confirm the version and patch level of each hit. Combining Attack Surface Intelligence with NetFlow data, the SecurityScorecard team traced the attack chain and identified the exact attack vector against Zellis's affected IP. This proactive approach allowed SecurityScorecard to alert customers about the breach before it became publicly known.
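The same favicon fingerprint can be run against your own hosts, which is also the first step in the hardening list earlier on this page (find every MOVEit server before closing its ports). The Python below is an added example and is neither ASI nor Progress code: it fetches /favicon.ico from each host, takes the MD5 of the raw bytes, and compares it with the hash from the ASI query above. The host names and the offline fetcher are constructed, and the favicon path is an assumption.

```python
"""Fingerprint MOVEit web front ends on your own hosts by favicon MD5.

Added example; it is neither ASI nor Progress code. The hash is the one from
the ASI query above; the host names and offline fetcher are constructed.
"""
import hashlib
import urllib.request
from http.client import HTTPException
from typing import Callable, Dict, Iterable, Optional

# The favicon MD5 used in the ASI query, normalised to lowercase hex. A match
# fingerprints the MOVEit front end; it does not prove the instance is unpatched.
KNOWN_FAVICONS: Dict[str, str] = {
    "9dffe2772e6553e2bb480dde2fe0c4a6": "MOVEit Transfer favicon (versions in scope)",
}


def favicon_md5(data: bytes) -> str:
    """MD5 of the raw favicon bytes, which is what the ASI filter compares against."""
    return hashlib.md5(data).hexdigest()


def http_fetch(url: str, timeout: float = 5.0) -> Optional[bytes]:
    """Fetch up to 1 MiB from url; None on any network, HTTP or TLS error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(1 << 20)
    except (OSError, ValueError, HTTPException):
        return None


def scan_hosts(hosts: Iterable[str],
               fetch: Callable[[str], Optional[bytes]] = http_fetch,
               known: Dict[str, str] = KNOWN_FAVICONS) -> Dict[str, dict]:
    """Assumption: the favicon is served at https://<host>/favicon.ico."""
    results = {}
    for host in hosts:
        data = fetch(f"https://{host}/favicon.ico")
        if data is None:
            results[host] = {"md5": None, "match": None}
            continue
        digest = favicon_md5(data)
        results[host] = {"md5": digest, "match": known.get(digest)}
    return results


# Constructed offline fetcher so the example runs without network access.
FAKE_FAVICONS = {
    "https://files.example.internal/favicon.ico": b"abc",
    "https://intranet.example.internal/favicon.ico": b"xyz",
}


def fake_fetch(url: str) -> Optional[bytes]:
    return FAKE_FAVICONS.get(url)


if __name__ == "__main__":
    hosts = ["files.example.internal", "intranet.example.internal", "down.example.internal"]
    for host, r in scan_hosts(hosts, fetch=fake_fetch).items():
        print(host, r["md5"], r["match"] or "-")
```

Run it with the default `http_fetch` against your own address space. Internal hosts with self-signed certificates come back as None unless you supply a fetcher with a custom SSL context, and the ASI query writes the hash in uppercase, so keep comparisons on lowercase hex as `hexdigest()` produces. Treat every hit as a server to verify, then patch or pull off the internet, not as confirmed vulnerable.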
Elevating cybersecurity defenses: safeguard against third-party risks with enhanced threat intelligence
The Zellis breach is a critical reminder of the importance of comprehensive third-party risk management and proactive cybersecurity measures. The incident exposed the risk that a single vulnerability in widely used third-party enterprise software poses to every organization that depends on it, and highlighted the need for continuous vigilance.
Enhanced threat intelligence solutions such as SecurityScorecard's Attack Surface Intelligence enable organizations to identify vulnerabilities, trace attack chains, and respond swiftly to cyber threats. In today's threat landscape, investing in robust threat intelligence and proactive risk management is essential to safeguarding the integrity of digital supply chains and protecting sensitive data from malicious actors.