Clop Ransomware Gang Likely Aware of MOVEit Transfer Vulnerability Since 2021

Roman Alex

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware.
"The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer," the agencies said.
"Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases."
The prolific cybercrime gang has since issued an ultimatum to several impacted businesses, urging them to get in touch by June 14, 2023, or risk getting all their stolen data published.

Microsoft is tracking the activity under the moniker Lace Tempest (aka Storm-0950), which has also been implicated in the exploitation of a critical security vulnerability in PaperCut servers.
Active since at least February 2019, the adversary has been linked to a wide range of activities in the cybercrime ecosystem, including operating a ransomware-as-a-service (RaaS) and acting as an affiliate for other RaaS schemes.
It has also been observed acting as an initial access broker (IAB) to profit off access to compromised enterprise networks and also as a customer of other IABs, underscoring the interconnected nature of the threat landscape.
Source: Kroll

The abuse of CVE-2023-34362, an SQL injection flaw in MOVEit Transfer, is a sign of the adversary continuously seeking zero-day exploits in internet-facing applications and using them to their advantage in order to extort victims.
Huntress has since revealed that the vulnerability can further be exploited by an unauthenticated actor to achieve remote code execution, potentially culminating in the deployment of ransomware or other payloads.
It's worth noting that Cl0p has carried out similar mass exploitation attacks on other managed file transfer applications, such as SolarWinds Serv-U Managed File Transfer, Accellion FTA, and GoAnywhere MFT, since December 2020.

Attack surface management firm Censys said it has observed a drop in the number of hosts running exposed MOVEit Transfer instances from over 3,000 hosts to little more than 2,600.
"Several of these hosts are associated with high-profile organizations, including multiple Fortune 500 companies and both state and federal government agencies," Censys noted, highlighting finance, technology, and healthcare as the sectors with the most exposures.