A threat actor associated with the Clop ransomware gang is exploiting the zero-day vulnerability in Progress Software’s MoveIt Transfer product, according to new research from Microsoft.
The critical vulnerability, tracked as CVE-2023-34362, first came to light May 31 when Progress issued an advisory for the SQL injection flaw. Initially, patches were not available, and Progress urged customers to apply mitigations immediately; updates were released later that day for all affected versions of the managed file transfer (MFT) product.
However, security vendors soon after began to report widespread exploitation of the MoveIt Transfer vulnerability in data theft attacks that began prior to May 31. On Sunday, Microsoft attributed the attacks to a threat actor it calls “Lace Tempest,” based on its new adversary taxonomy. The company said Lace Tempest is known for Clop ransomware operations.
“The threat actor has used similar vulnerabilities in the past to steal data & extort victims,” Microsoft Threat Intelligence wrote on Twitter.
Earlier this year, Clop ransomware actors exploited CVE-2023-0669, a zero-day vulnerability in Fortra’s GoAnywhere MFT software, in a series of data theft and extortion attacks. In the case of the MoveIt Transfer zero-day, Microsoft said Lace Tempest deploys a web shell for data exfiltration purposes following the exploitation of the flaw.
In a blog post Friday, Mandiant reported that it observed data theft attacks on MoveIt Transfer instances that used a custom web shell it calls “Lemurloot.” The web shells are disguised with file names for human.aspx, which is a legitimate component of the MFT software.
Mandiant said it has seen multiple cases where threat actors stole “large volumes of files” from the MoveIt Transfer instances, but the threat might go beyond data stored in the MFT. “LEMURLOOT can also steal Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings,” the blog post said, “suggesting that actors exploiting this vulnerability may be stealing files from Azure in cases where victims are storing appliance data in Azure Blob storage, although it is unclear if theft is limited to data stored in this way.”
Cybersecurity vendor Censys reported on Friday that there are more than 3,000 internet-facing instances of MoveIt Transfer; more than 2,800 of those instances are located in the U.S., and some are used by state and federal government agencies. “Although the exact version of the software cannot be determined with scans, it is highly improbable that all of these hosts have been patched against the newly discovered vulnerability,” the company wrote in the report.
According to Mandiant and other security vendors, the first evidence of CVE-2023-34362’s exploitation occurred on May 27 over Memorial Day weekend. Ransomware gangs have been known to target organizations over long holiday weekends to maximize disruptions.
Progress said its investigation is ongoing. An 8-K filing Monday shed some light on the discovery of CVE-2023-34362. According to the filing, on the night on May 28 Progress “received an initial customer support call indicating unusual activity within their MoveIt Transfer instance.” After investigating the activity, Progress discovered the zero day and on May 30, the company reached out to all affected customers, alerting them of the vulnerability and urging them to take immediate mitigation steps. Progress issued a public security advisory for the flaw the following day, though that advisory did not initially state that exploitation activity had been detected in the wild.
A company spokesperson sent the following statement to TechTarget Editorial: “Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MoveIt customers about the issue and provided immediate mitigation steps. We disabled web access to MoveIt Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MoveIt Transfer customers, and patched and re-enabled MoveIT Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit,” the spokesperson said.
“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products. Additional details are available on our knowledge base articles for MoveIt Transfer and MoveIt Cloud.”
Rob Wright is a longtime technology reporter who lives in the Boston area.