Can 'Mad Libs for incident response' prevent the next MOVEit fiasco?

Black Hat While MOVEit is just the latest example of a managed file transfer (MFT) tool being exploited by criminals to maximize the amount of data – and money –— they can grab, these types of attacks aren't going to stop anytime soon. From the miscreant perspective, they represent the perfect crime.

That is, unless the defenders can get out ahead of the next MFT mass exploitation. John Dwyer, head of research for IBM Security X-Force, claims his team has developed a framework to make this happen.

Dwyer will detail this strategy during a Black Hat talk this week. The Register caught up with him prior to Hacker Summer Camp.

"It would be criminal not to learn from our past mistakes," Dwyer said.

The reason why MFTs make such attractive targets for criminals is because they are essentially a one-stop shop for extortion, he explained. 

"If you think about the goals and objectives of attackers, they basically boil down to two things: I'm going to steal data and then extort you against the theft of that data. Or I'm going to disrupt your operations and extort you against recovery of those systems," Dwyer told The Register.

"MFTs, by nature of their design, are meant to be a system that is exposed to external parties, and they transact and transfer sensitive data between enterprises," he continued. 

Hitting the extortion jackpot

This means that they are usually exposed to the internet, and if crooks can find a security hole-in-one, they don't need to establish persistence in the environment or move laterally looking for sensitive data. Exploiting a flaw in an MFT allows attackers to move right to the data exfiltration part of the attack – making it quick, relatively easy, and profitable for the criminals.

"So it fits into that nice little Venn diagram of what does an attacker need to do to cause enough pressure or create enough impact that an organization could be convinced to pay," Dwyer explained.

Typical behavior

Some of the organizations compromised by the Clop ransomware via the MOVEit vulnerability likely have an answer. Maximus – which does the admin for US government programs like Medicaid and Medicare – disclosed that personal information belonging to as many as 11 million individuals was "accessed" by Clop.  

Nearly 600 organizations' and 40 million individuals' data has been compromised because of the MOVEit bug to date, according to Emsisoft security researchers. 

• Medical files of 8M-plus people fall into hands of Clop via MOVEit mega-bug
• MOVEit body count closes in on 400 orgs, 20M+ individuals
• Crooks pwned your servers? You've got four days to tell us, SEC tells public companies
• Five Eyes nations detail dirty dozen most exploited vulnerabilities

Forta's GoAnywhere software is another MFT that was also exploited by Clop earlier this year and used to steal customers' data.

X-Force analyzed these and other MFT attacks and found that while the software and the vulnerabilities changed over the years, the criminals' behavior remained largely the same. 

"All you really need to do is know the context in which the attacker is going to be interacting with the system to know what it's going to look like when they're exploited, and this can be repeated across different software,"  Dwyer said.

MFT detection and response framework

The various MFTs share similar architecture, which means that defenders' approach to detection and response should also follow a set path. IBM's security shop used these when learning to develop a framework for detection and response for MFTs, which X-Force released to the community today via GitHub. 

It includes 13 common MFT tools that the X-Force team says were frequently exposed to the internet: Cerberus FTP Server, FileZilla, Cornerstone MFT, Solawinds Serv-U, JSCAPE, OracleMFT, WingFTP, Aspera, Diplomat MFT, MyWorkDrive, EasyFTPServer FTPD, ShareFile, and ShareTru.

Dwyer describes it as "Mad Libs for incident response." 

The IR team plugs in unique process names, paths, ports, log files, and the framework already knows how each software tool works. X-Force tested the framework against known CVEs and previous exploits, and found that "the majority of the time" it accurately detected and responded to these incidents.

Looking ahead to future such events, Dwyer said this will help IR teams more quickly respond and hopefully prevent mass exploitation.

"Now you have your playbook, so there isn't that 24, 48 hours everyone's scrambling to understand what this piece of software is and how it's put together," Dwyer said. ®