MOVEit Zero-Day Attack Exposes Critical SQL Injection Vulnerability and Data Theft Risks


Jared Douville

Midjourney AI image by Jared Douville

The recent MOVEit zero-day attack has been linked to a known ransomware group, reportedly exploiting the vulnerability to pilfer data from numerous organizations.

On May 31, Progress Software notified customers that its MOVEit Transfer managed file transfer (MFT) software is affected by a critical SQL injection vulnerability, permitting unauthorized access to databases associated with the product.

The flaw has now been assigned the CVE identifier CVE-2023-34362 and has been remedied with the release of versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). MOVEit Cloud was also impacted, but a fix has already been applied there, so cloud customers need not take any action.
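As an added example that is not part of the article or of Progress's own tooling, the following Python checks an installed MOVEit Transfer version string against the fixed releases listed above. The mapping from the internal 13/14/15 numbering to the year-based branches is taken from the version pairs in that list; the inventory entries at the bottom are constructed.

```python
from typing import Optional, Tuple

# Fixed releases listed by Progress for CVE-2023-34362, keyed by (year, minor) branch.
FIXED_VERSIONS = {
    (2021, 0): (2021, 0, 6),
    (2021, 1): (2021, 1, 4),
    (2022, 0): (2022, 0, 4),
    (2022, 1): (2022, 1, 5),
    (2023, 0): (2023, 0, 1),
}

# The parenthesised numbers in the vendor list (13.x, 14.x, 15.x) are the same
# releases under the older internal numbering; map them onto the year form.
INTERNAL_MAJOR_TO_YEAR = {13: 2021, 14: 2022, 15: 2023}


def normalize_version(version: str) -> Tuple[int, int, int]:
    """Parse '2022.1.5', '14.1.5' or '14.1.5.123' into a (year, minor, patch) tuple."""
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised MOVEit Transfer version: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    major = INTERNAL_MAJOR_TO_YEAR.get(major, major)
    return (major, minor, patch)


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above the fixed release for its branch,
    False if it is below it, None if the branch is not on the vendor's fixed list
    (e.g. a release older than 2021.0, which needs manual follow-up)."""
    year, minor, patch = normalize_version(version)
    fixed = FIXED_VERSIONS.get((year, minor))
    if fixed is None:
        return None
    return (year, minor, patch) >= fixed


if __name__ == "__main__":
    # Constructed inventory entries (hostnames and versions are made up).
    inventory = {"mft-01": "2023.0.0", "mft-02": "14.1.5", "mft-03": "2020.1.6"}
    labels = {True: "patched", False: "VULNERABLE", None: "branch not in fixed list"}
    for host, ver in inventory.items():
        print(f"{host}: {ver} -> {labels[is_patched(ver)]}")
```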

Cybersecurity firms including Huntress, Rapid7, TrustedSec, GreyNoise, Mandiant, and Volexity have reported observing attacks involving the MOVEit zero-day. Mandiant noted the initial attacks on May 27, while threat intelligence firm GreyNoise detected scanning activity potentially linked to this vulnerability as early as March.

Perpetrators in the observed attacks have exploited the vulnerability to deploy a webshell/backdoor, enabling them to exfiltrate data uploaded by MOVEit Transfer customers.

Mandiant has ascribed the attack to UNC4857, an emerging threat cluster, and dubbed the delivered webshell “LemurLoot.” The security firm has identified victims in the US, Canada, and India, with instances of data theft occurring within minutes of webshell deployment in certain cases.

“The seemingly opportunistic nature of this campaign and subsequent data theft activity is consistent with the behavior of extortion actors, which implies that victim organizations may receive ransom emails in the coming days to weeks,” warned Mandiant.
