Zero Day Exploit Prevention and Response Checklist

Over 122 organizations have announced a breach due to the new zero day exploit affecting the MOVEit file transfer software, and that number is expected to climb. This is just one recent example illustrating how hackers wreak havoc with zero day exploit attacks. According to a 2023 report, Mandiant identified 55 zero-day vulnerabilities that were exploited in 2022, leaving cybersecurity teams scrambling. Let’s dive into the details of why these attacks are causing so much damage and look at a case study from an attack, and then we’ll share a checklist of prevention and response techniques to help keep your organization safe.

What is a Zero Day Exploit?

A zero day exploit is when attackers find an unknown software vulnerability and develop an exploit technique to use that vulnerability to attack and gain access to an organization. When a new vulnerability is discovered in software, SaaS apps, or even underlying code libraries (think Log4J), criminals will try to exploit this security gap and attack before you – or the vendor – realize there is a problem. Once criminals know there is a vulnerability, they will quickly use these zero day exploits to gain a foothold in your environment. From there, they can install malware, execute commands, steal data and credentials, and move laterally to expand their reach and privileges. These vulnerabilities are referred to as “zero day” because attacks often happen before the victims, or the manufacturer, know about the security gap far less publish a patch.

 A New Trend in Zero Day Exploits: A MOVEit Case Study

Let’s look at a recent zero-day exploit: the MOVEit Transfer vulnerability that is causing a lot of damage. MOVEit is a file transfer system used by large organizations for sensitive data. On May 27^th, the Clop hacker gang began exploiting MOVEit servers using a zero day vulnerability that enabled them to steal a tremendous amount of sensitive data. In fact, they stole so much data that they apparently needed additional time to identify and sort the victims! Initially, they told companies that use MOVEit to reach out to them by June 14th to learn whether their data was stolen and what the ransom would be to avoid data exposure. Indicators show Clop had been planning this attack for about a year and picked Memorial Day weekend since IT departments usually have fewer people on staff during holiday weekends.

To get an idea of the extent of this breach, our team did a quick search found over 2,500 potential victims worldwide, with 1848 on premises servers in the US. These numbers do not include MOVEit’s SaaS customers, so the total number of impacted organizations is likely much higher. Zellis, the leading payroll service provider in the UK and Ireland, was affected by the MOVEit attack, and the payroll data for huge organizations such as the BBC, British Airways, and Boots have confirmed attacks resulting from this vulnerability. The casualty list is still growing, with the NYC public schools, PwC, major universities, energy providers, and many more. The list grows almost daily in this major, multi-level supply chain breach.

But this new zero day exploit seems to be part of Clop’s new attack playbook. This attack is very reminiscent of the 2021 Accellion file transfer attack, also by Clop, in which they extorted large companies as well as the customers of those companies who had their data stolen. It is also similar is Clop’s recent GoAnywhere attack from February of 2023, in which they attacked secure file sharing using a zero-day vulnerability to steal data for 130 organizations. These zero-day attacks by Clop, and others, are now falling into a pattern. With the dark web marketplace already overflowing with zero day vulnerabilities that are free or for sale inexpensively (check out the recent screen shot from a dark web market below), zero day attacks will continue to be a favorite attack vector for many cyber criminals.

Figure 1: June 2023 screenshot taken by LMG’s research team showing a dark web market offering zero day exploits.

Zero Day Exploit Prevention and Response Checklist

So, what should you do if you are not sure whether you are impacted by MOVEit or a similar type of zero day exploit? A new report from Beazley shows that in Q4 2022, 97% of extortion incidents included data exfiltration. After any confirmed breach, you should assume that at least some of your data has been stolen and activate your investigation, remediation, and recovery processes. You should also patch immediately, and then continue to check for additional patches for the next month or two. When zero-day exploits are announced, there are always multiple investigations that continue for weeks after the announcement. These investigations often result in the exposure of multiple new vulnerabilities that also need to be patched. Here’s a step-by-step checklist of actions you can take to prevent and respond to zero day exploit attacks:

• Monitor your attack surface. Use an attack surface monitoring solution to scan your internet-facing and cloud systems for vulnerabilities, daily is best. Make sure to minimize your attack surface and take proactive steps to resolve weaknesses (regular patching, software updates, etc.).
• Monitor threat intelligence. There are many different free and paid threat intelligence options. From paid commercial platforms to free options such as (our favorite) the CISA Known Exploited Vulnerabilities Catalog, you should be checking threat intelligence daily, or at least weekly, and keep an eye on vendor alerts and cybersecurity news for zero day exploits. In addition, you should also conduct data and an asset inventory so you know what you are trying to protect and can identify if you are at risk from a zero day exploit.
• Evaluate your risk. When a zero-day exploit is identified, you need to understand your likelihood of compromise. Check the affected version of the software (you can check your asset inventory or your change management logs to confirm your version), check with your suppliers, customers and/or partners – anyone with a connected system – to see if you are at risk through your supply chain, and then watch for changes or signs of compromise.
• Conduct forensic preservation. If there’s even a chance that an incident might be a breach, act quickly to contain the situation, but try not to destroy evidence. If you can preserve evidence and rule out a breach, you can dramatically reduce your legal, financial, and reputational damage. Your response processes may be different depending on your cyber insurance coverage. Contact your insurer immediately if you have breach response coverage, so you can take advantage of critical resources such as breach coaches, experienced incident response firms, etc. You’ll want to discuss your risks and responsibilities with your IR team and your attorneys as you triage the situation and develop your initial response strategy. Be aware that these first steps can happen fast – typically in hours.
• Contain the damage. Act quickly to restrict inbound and outbound traffic to minimize the risk of data theft and further compromise. Other typical containment activities may include password resets or system configuration changes.
• Apply emergency patches and software updates. Patches for the zero day exploits may or may not exist; there may also be published indicators of compromise you need to check and mitigation recommendations to implement. Expect vendors to release multiple patches after a zero day exploit is discovered. Unfortunately, any emergency patch can potentially cause issues on production systems, and you have to balance the need for testing with the risk. You should also be aware that hackers may have already exploited your system, in which case a patch will not remove their access.
• Conduct threat hunting. When a zero day exploit is announced, often hackers have already exploited thousands of systems around the world before defenders even know about it. It’s not enough to simply patch and assume you’re good to go. Instead, check and make sure the hackers are really out of your environment. Many of the initial payload drops from an attack are just designed to give the attackers a foothold on your systems. By conducting threat hunting in your environment, you can identify and root out any hackers with persistent access and/or prevent a new malware detonation.

Don’t Forget to Protect Your Supply Chain

Zero-day attacks don’t just affect you, they may also impact your key suppliers, managed service providers, and customers. Don’t assume that these organizations will proactively contact you. Quickly reach out to any organizations that have access to your sensitive data or network resources. Ask them to confirm, in writing, whether they used an affected version of the software, and whether they are assessing if anyone in THEIR supply chain was impacted by the exploit. For more information, check out our blog on supply chain security best practices.

Blog post courtesy of LMG Security.