Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to the threat actor it tracks as Lace Tempest.
“Exploits are often followed by the application of a web shell with data exfiltration capabilities,” Microsoft’s Threat Intelligence team said in a series of tweets today. “CVE-2023-34362 allows an attacker to authenticate as any user.”
Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It has also been found to operate the Cl0p extortion site.
The threat actor also has a track record of exploiting different zero-day vulnerabilities to siphon data and extort victims, and the group was recently observed weaponizing severe bugs in PaperCut servers.
CVE-2023-34362 is a SQL injection vulnerability in MOVEit Transfer that could allow an unauthenticated remote attacker to gain access to the application's database and execute arbitrary code.
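To show the vulnerability class behind this kind of flaw, and why the vendor fix matters, here is an added example that is not MOVEit's code and is not derived from the details of CVE-2023-34362. It uses a constructed in-memory SQLite table with a hypothetical `users` schema: one lookup builds the SQL text from untrusted input, so the input can change the query's structure, while the other passes the same input as a bound parameter so it is only ever treated as data.

```python
import sqlite3


def make_db():
    # Constructed sample data; the schema and rows are invented for this example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is concatenated straight into the statement, so a
    # quote character in the input ends the literal and the rest of the
    # input becomes part of the query logic.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The driver sends the value separately from the statement text;
    # whatever the string contains, it is compared as a literal and
    # cannot alter the shape of the query.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "bob"
    crafted = "x' OR '1'='1"   # constructed input that rewrites the WHERE clause
    print(lookup_vulnerable(conn, benign))        # [('bob', 'user')]
    print(lookup_vulnerable(conn, crafted))       # both rows come back
    print(lookup_parameterized(conn, crafted))    # []
```

The parameterized version is the pattern the patch for a SQL injection bug typically enforces: the database engine never sees user input as part of the statement, so "authenticate as any user" style outcomes are not reachable through that query.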
There are believed to be more than 3,000 exposed hosts running the MOVEit Transfer service, according to data from attack surface management firm Censys.
Google-owned Mandiant, which tracks the activity under the moniker UNC4857 and has named the web shell LEMURLOOT, said it has identified broad tactical overlaps with FIN11.
The US Cybersecurity and Infrastructure Security Agency (CISA) last week added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, recommending that federal agencies apply the vendor-provided patch by June 23, 2023.
The development follows similar zero-day mass exploitation of Accellion FTA servers in December 2020 and GoAnywhere MFT in January 2023, so users should apply the patches as soon as possible to safeguard against potential risks.