On May 31, Progress Software warned that its MOVEit Transfer managed file transfer (MFT) software is affected by a critical SQL injection vulnerability. An unauthorized attacker can exploit the vulnerability to gain access to MOVEit Transfer databases. The vendor has stated that, depending on the database engine in use (MySQL, Microsoft SQL Server, or Azure SQL), the attacker may be able to infer information about the database's structure and contents, as well as execute SQL statements that modify or delete database elements.
Multiple cybersecurity firms have reported attacks involving the MOVEit zero-day vulnerability, including Huntress, Rapid7, TrustedSec, GreyNoise, Mandiant, and Volexity. The earliest attacks were observed by Mandiant on May 27th. However, GreyNoise, a threat intelligence firm, detected scanning activity that may be linked to this flaw as early as March. In these attacks, malicious actors have exploited the vulnerability to deploy a webshell/backdoor, which enables them to steal data uploaded by MOVEit Transfer clients.
The attack has been attributed to UNC4857, a recently identified threat cluster, and Mandiant has named the webshell LemurLoot. The security firm has observed victims in the United States, Canada, and India, and in certain cases data theft occurred within minutes of the webshell's deployment.
Mandiant stated that the campaign's apparent opportunistic nature and the ensuing data theft activity are in line with the behavior of extortion actors. Consequently, organizations that fall prey to this campaign may receive ransom emails within the next few days or weeks.
Mandiant has observed certain similarities between UNC4857 and activities previously attributed to the FIN11 and Cl0p operations, but says there is insufficient evidence to draw a definitive conclusion.
In contrast, Microsoft is confident that the attack was carried out by the threat actor behind the Cl0p ransomware. The technology giant identifies the group as Lace Tempest and cites overlaps with FIN11 and TA505 activity.
The Cl0p ransomware group has previously taken advantage of a vulnerability in Fortra's GoAnywhere MFT software to steal data from numerous organizations.
According to the Shodan search engine, there are approximately 2,500 internet-exposed MOVEit systems, primarily in the United States. The Censys search engine has identified over 3,000 hosts, including those in the financial, education, and government sectors.
Security researcher Kevin Beaumont, who has been monitoring the attacks, is aware of data being stolen from a "double-digit number" of organizations, including financial institutions and US government agencies.
The US Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2023-34362 in its Known Exploited Vulnerabilities Catalog and has instructed government agencies to promptly patch it.