Cybersecurity

Clop Ransomware Gang May Be Aware of the Transfer Vulnerability of MOVEit Since 2021


๎ ‚June 08, 2023๎ „Ravie LakshmananRansomware / Zero-Day

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint advisory on the active exploitation of a recently disclosed critical flaw in Progress Software’s Transfer MOVEit application to stop ransomware.

“Cl0p Ransomware Gang, also known as TA505, has reportedly begun exploiting a previously unknown SQL injection vulnerability in Progress Software’s (MFT) managed file transfer solution known as MOVEit Transfer,” the agency said. said.

“The Internet-facing MOVEit Transfer web application was infected with a web shell named LEMURLOOT, which was then used to steal data from the underlying MOVEit Transfer database.”

A prolific cybercrime gang ever since issued an ultimatum to some of the affected businesses, urging them to contact them by June 14, 2023, or risk publishing all of their stolen data.

Cyber โ€‹โ€‹security

Microsoft is tracking activity under the moniker Lace Tempest (aka Storm-0950), which was also implicated in exploiting a critical security vulnerability in PaperCut servers.

Active since at least February 2019, adversary has been associated with various activities within the cybercrime ecosystem, including operating ransomware-as-a-service (RaaS) and acting as an affiliate for other RaaS schemes.

It has also been observed acting as an early access broker (IAB) to benefit from access to compromised enterprise networks as well as other IAB customers, underscoring the interconnected nature of the threat landscape.

MOVEit Transfer Cl0p Ransomware
Source: Kroll

Abuse CVE-2023-34362the SQL injection flaw in MOVEit Transfer, is a sign of adversaries constantly looking for zero-day exploits in internet-connected applications and using them to their advantage to extort victims.

It should be noted that Cl0p carried out similar mass exploit attacks on other managed file transfer applications such as Accellion FTA and GoAnywhere MFT over the past year.

MOVEit Transfer Cl0p Ransomware

Attack the surface management firm Censys said it has observed a drop in the number of hosts running open MOVEit Transfer instances from over 3,000 hosts to over 2,600.

“Several of these hosts are associated with well-known organizations, including several Fortune 500 companies and state and federal government agencies,” Censys said, highlighting finance, technology and healthcare as the sectors with the most exposure.

UPCOMING WEBINARS

๐Ÿ” Mastering API Security: Understanding Your True Attack Surface

Discover untapped vulnerabilities in your API ecosystem and take proactive steps towards tight security. Join our insightful webinar!

Join a Session

Krollin an analysis shared with The Hacker News, said they identified activity indicating that the Clop threat actor was likely experimenting with ways to exploit this particular vulnerability in April 2022 and as far back as July 2021.

This finding is significant because it serves to illustrate the attacker’s technical expertise and the planning that had gone into carrying out the intrusion long before the recent wave of exploits began.

MOVEit Transfer Cl0p Ransomware

“Commands over the July 2021 timeframe appear to be running for a longer time, suggesting that testing may have been a manual process at that point before the group created an automated solution to start testing in April 2022,” Kroll said.

The July 2021 exploit is said to originate from an IP address (45.129.137(.)232) previously associated with actor Cl0p in connection with an attempt to exploit a weakness in SolarWinds’ Serv-U product at around the same time.

“This is the third time the Cl0p ransomware group has used zero day in a web application for extortion in three years,” security researcher Kevin Beaumont said. “In all three cases, they are products with safety in branding.”

Found this article interesting? Follow us on Twitter ๏‚™ And LinkedIn to read more exclusive content we post.





Source link

Related Articles

Back to top button