The recent MOVEit zero-day attack has been linked to a known ransomware group, which has reportedly exploited the vulnerability to steal data from dozens of organizations.
Progress Software informed customers on May 31 that its MOVEit Transfer managed file transfer (MFT) software is affected by a critical SQL injection vulnerability that can be exploited by an unauthenticated attacker to access databases associated with the product.
The CVE identifier CVE-2023-34362 has now been assigned to the flaw, which has been patched with the release of versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5) and 2023.0.1 (15.0.1). MOVEit Cloud was also impacted, but a fix has been deployed and users do not need to take any action.
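Because each MOVEit Transfer release branch received its own fixed build, a plain "newer is safer" comparison gives wrong answers; the branch must be matched first. The following check is an added example written for this article (not code from Progress Software or SecurityWeek); the host inventory in it is constructed, and versions from branches not listed in the fix list are reported as unlisted rather than guessed at.

```python
"""Branch-aware check of a MOVEit Transfer version against the fixed releases
listed for CVE-2023-34362 (added example, not vendor or publisher code)."""
import re
from typing import Optional, Tuple

# First fixed build per release branch, as listed in the article. The vendor
# uses two numbering schemes (2021.0.6 is also 13.0.6), so both are accepted.
FIXED_VERSIONS = {
    (2021, 0): (2021, 0, 6), (13, 0): (13, 0, 6),
    (2021, 1): (2021, 1, 4), (13, 1): (13, 1, 4),
    (2022, 0): (2022, 0, 4), (14, 0): (14, 0, 4),
    (2022, 1): (2022, 1, 5), (14, 1): (14, 1, 5),
    (2023, 0): (2023, 0, 1), (15, 0): (15, 0, 1),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor.patch'; a trailing build number is ignored."""
    m = _VERSION_RE.match(text)
    return tuple(int(g) for g in m.groups()) if m else None  # type: ignore


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable', 'unlisted-branch' or 'unparseable'.

    A build counts as patched only if its own branch has a fixed release and
    its patch level is at or above it. Branches not in the table (older than
    2021.0, or anything newer than the article lists) are flagged for manual
    review against the vendor bulletin instead of being assumed safe.
    """
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return "unlisted-branch"
    return "patched" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real data).
    inventory = {"mft-01": "2022.1.5", "mft-02": "2022.1.3",
                 "mft-03": "2020.1.7", "mft-04": "15.0.1"}
    for host, ver in inventory.items():
        print(f"{host:8} {ver:10} {assess(ver)}")
```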
Several cybersecurity firms have reported seeing attacks involving the MOVEit zero-day, including Huntress, Rapid7, TrustedSec, GreyNoise, Mandiant, and Volexity.
Mandiant reported seeing the first attacks on May 27, but threat intelligence firm GreyNoise observed scanning activity possibly related to this flaw in early March. In the observed attacks, threat actors have exploited the vulnerability to deliver a webshell/backdoor that allows them to steal data uploaded by MOVEit Transfer customers.
Mandiant has attributed the attack to UNC4857, a new threat cluster, and named the delivered webshell LemurLoot. The security firm has seen victims in the US, Canada and India, with data theft occurring within minutes of the webshell deployment in some cases.
“The seemingly opportunistic nature of this campaign and subsequent data theft activity is consistent with activity that we’ve seen from extortion actors, which means victim organizations could potentially receive ransom emails in the coming days to weeks,” Mandiant said.
The company has seen some similarities between UNC4857 and activities previously attributed to the FIN11 and Cl0p operations, but said there was not enough evidence to reach a conclusion.
Microsoft, on the other hand, is confident that the threat actor behind the Cl0p ransomware is responsible for the attack. The tech giant tracks the group as Lace Tempest, and points to overlaps with FIN11 and TA505 activity.
The Cl0p ransomware group previously exploited a vulnerability in Fortra’s GoAnywhere MFT software to steal data from many organizations.
The Shodan search engine shows roughly 2,500 internet-exposed MOVEit systems, mostly in the United States. The Censys search engine has found more than 3,000 hosts, including in the financial, education and government sectors.
Security researcher Kevin Beaumont, who has been monitoring the attacks, is aware of data being stolen from a ‘double digit number’ of organizations, including financial companies and US government agencies.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-34362 to its Known Exploited Vulnerabilities Catalog, instructing government agencies to patch it as soon as possible.
Rapid7 updated its blog post over the weekend to describe a method that can be used to determine what data and how much of it was exfiltrated from the environments of MOVEit customers.
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.