Clop Ransomware Gang May Be Aware of the Transfer Vulnerability of MOVEit Since 2021
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint advisory on the active exploitation of a recently disclosed critical flaw in Progress Software’s Transfer MOVEit application to stop ransomware.
“Cl0p Ransomware Gang, also known as TA505, has reportedly begun exploiting a previously unknown SQL injection vulnerability in Progress Software’s (MFT) managed file transfer solution known as MOVEit Transfer,” the agency said. said.
“The Internet-facing MOVEit Transfer web application was infected with a web shell named LEMURLOOT, which was then used to steal data from the underlying MOVEit Transfer database.”
A prolific cybercrime gang ever since issued an ultimatum to some of the affected businesses, urging them to contact them by June 14, 2023, or risk publishing all of their stolen data.
Microsoft is tracking activity under the moniker Lace Tempest (aka Storm-0950), which was also implicated in exploiting a critical security vulnerability in PaperCut servers.
Active since at least February 2019, adversary has been associated with various activities within the cybercrime ecosystem, including operating ransomware-as-a-service (RaaS) and acting as an affiliate for other RaaS schemes.
It has also been observed acting as an early access broker (IAB) to benefit from access to compromised enterprise networks as well as other IAB customers, underscoring the interconnected nature of the threat landscape.
 |
| Source: Kroll |
Abuse CVE-2023-34362the SQL injection flaw in MOVEit Transfer, is a sign of adversaries constantly looking for zero-day exploits in internet-connected applications and using them to their advantage to extort victims.
It should be noted that Cl0p carried out similar mass exploit attacks on other managed file transfer applications such as Accellion FTA and GoAnywhere MFT over the past year.
Attack the surface management firm Censys said it has observed a drop in the number of hosts running open MOVEit Transfer instances from over 3,000 hosts to over 2,600.
“Several of these hosts are associated with well-known organizations, including several Fortune 500 companies and state and federal government agencies,” Censys said, highlighting finance, technology and healthcare as the sectors with the most exposure.
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards tight security. Join our insightful webinar!
Krollin an analysis shared with The Hacker News, said they identified activity indicating that the Clop threat actor was likely experimenting with ways to exploit this particular vulnerability in April 2022 and as far back as July 2021.
This finding is significant because it serves to illustrate the attacker’s technical expertise and the planning that had gone into carrying out the intrusion long before the recent wave of exploits began.
“Commands over the July 2021 timeframe appear to be running for a longer time, suggesting that testing may have been a manual process at that point before the group created an automated solution to start testing in April 2022,” Kroll said.
The July 2021 exploit is said to originate from an IP address (45.129.137(.)232) previously associated with actor Cl0p in connection with an attempt to exploit a weakness in SolarWinds’ Serv-U product at around the same time.
“This is the third time the Cl0p ransomware group has used zero day in a web application for extortion in three years,” security researcher Kevin Beaumont said. “In all three cases, they are products with safety in branding.”
