Microsoft has formally tied the ongoing active exploitation of a critical vulnerability in the Progress Software MOVEit Transfer application to a threat actor known as Lace Tempest, which also goes by the name of the Clop ransomware gang. The Microsoft Threat Intelligence team conveyed through a series of tweets that exploitation of the flaw is frequently followed by the deployment of a web shell equipped with data exfiltration capabilities. The vulnerability, tracked as CVE-2023-34362, allows attackers to authenticate as any user.
Lace Tempest, also referred to as Storm-0950, operates as a ransomware affiliate and overlaps with other groups such as FIN11, TA505, and Evil Corp. It is also associated with the Cl0p extortion site. This threat actor has a history of exploiting zero-day vulnerabilities to steal data and extort victims, and most recently it has been observed leveraging a severe bug in PaperCut servers.
CVE-2023-34362 is an SQL injection vulnerability in MOVEit Transfer that enables remote, unauthenticated attackers to gain access to the application database and execute arbitrary code. According to data from attack surface management company Censys, an estimated 3,000-plus exposed hosts are running the MOVEit Transfer service. Mandiant, a subsidiary of Google, has been tracking the activity under the codename UNC4857 and has identified significant tactical overlaps with FIN11. It has named the web shell associated with the activity LEMURLOOT.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, advising federal agencies to apply patches provided by the vendor before June 23, 2023. This development follows similar instances of zero-day mass exploitation targeting Accellion FTA servers in December 2020 and GoAnywhere MFT in January 2023. It is crucial for users to promptly apply the patches to mitigate potential risks and ensure security.