Clop Ransomware Gang Likely Aware of MOVEit Transfer Vulnerability Since 2021

June 8, 2023 | Ravi Lakshmanan | Ransomware/Zero-day


The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory on a critical flaw recently disclosed in Progress Software’s MOVEit Transfer application, which is being actively exploited to drop ransomware.

“The Cl0p ransomware group, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer,” the advisory said.

“An internet-facing MOVEit Transfer web application was infected with a web shell named LEMURLOOT and used to steal data from the underlying MOVEit Transfer database.”

The prolific cybercriminal gang has since issued an ultimatum to several affected companies, asking them to make contact by June 14, 2023 or risk having all of their stolen data exposed.


Microsoft tracks this activity under the name Lace Tempest (aka Storm-0950). The group has also been implicated in exploiting a critical security vulnerability in PaperCut servers.

Active since at least February 2019, this threat actor is involved in a wide range of activities in the cybercriminal ecosystem, including operating Ransomware as a Service (RaaS) and acting as an affiliate of other RaaS schemes.

It has also been observed acting as an Initial Access Broker (IAB), profiting from access to compromised corporate networks, and as a customer of other IABs, which highlights the interconnected nature of this landscape.

[Image: MOVEit Transfer Cl0p Ransomware. Source: Kroll]

The exploitation of CVE-2023-34362, a SQL injection flaw in MOVEit Transfer, is a sign that attackers continue to pursue zero-day exploits in internet-facing applications and use them to their advantage to extort victims.

It is worth noting that Cl0p has carried out similar large-scale exploits over the past year against other managed file transfer applications such as Accellion FTA and GoAnywhere MFT.


Attack surface management firm Censys said it has seen the number of hosts running exposed MOVEit Transfer instances drop from over 3,000 to just under 2,600.

“Several of these hosts are associated with high-profile organizations, including multiple Fortune 500 companies and state and federal government agencies,” notes Censys, highlighting the financial, technology and healthcare sectors.


In an analysis shared with The Hacker News, Kroll said it identified activity indicating that the Clop threat actor had likely been experimenting with how to exploit this particular flaw as far back as April 2022 and July 2021.

This discovery is particularly important as it helps reveal the technical expertise of the attackers and their plans to prepare for the intrusion long before the recent wave of exploits began.


“The commands during the July 2021 period appear to have been executed over a longer period of time, suggesting that testing at that time was a manual process, before the group created an automated solution to begin testing in April 2022,” Kroll said.

The July 2021 exploitation attempts are said to have originated from the IP address 45.129.137[.]232, which was previously attributed to Cl0p actors in connection with attempts to exploit a flaw in the SolarWinds Serv-U product around the same time.

Security researcher Kevin Beaumont said, “This is the third time in three years that the Cl0p ransomware group has used zero-days in web apps to carry out extortion. In all three cases, they were branding-safe products.”
