
Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations

The recent MOVEit zero-day attack has been linked to a known ransomware group, which reportedly stole data from dozens of organizations.


The recent MOVEit zero-day attack has been linked to a known ransomware group, which has reportedly exploited the vulnerability to steal data from dozens of organizations.

Progress Software informed customers on May 31 that its MOVEit Transfer managed file transfer (MFT) software is affected by a critical SQL injection vulnerability. An unauthenticated attacker can exploit the flaw to gain unauthorized access to the MOVEit Transfer database.

The CVE identifier CVE-2023-34362 has now been assigned to the flaw, which has been patched with the release of versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5) and 2023.0.1 (15.0.1). MOVEit Cloud was also impacted, but a fix has been deployed and users do not need to take any action.
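As an added example (not code from the article, from Progress or from any of the firms named here), the following Python check maps an installed MOVEit Transfer version string to the fixed builds listed above and flags hosts that still need patching. It accepts both naming schemes Progress uses (year-style such as 2022.1.3 and internal such as 14.1.3), treats a branch with no listed fix as unpatched rather than silently passing it, and the inventory at the bottom is constructed sample data with hypothetical hostnames.

```python
"""Added example: triage installed MOVEit Transfer versions against the
CVE-2023-34362 fixed builds listed in the Progress advisory.  Not code from
Progress or from the article; the inventory below is constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Fixed builds from the advisory, keyed by internal (major, minor) branch.
# Value: (first patched patch level, the year-style label Progress also uses).
FIXED = {
    (13, 0): (6, "2021.0.6"),
    (13, 1): (4, "2021.1.4"),
    (14, 0): (4, "2022.0.4"),
    (14, 1): (5, "2022.1.5"),
    (15, 0): (1, "2023.0.1"),
}

# Year-style branch -> internal branch, so both naming schemes are accepted.
YEAR_TO_INTERNAL = {
    (2021, 0): (13, 0),
    (2021, 1): (13, 1),
    (2022, 0): (14, 0),
    (2022, 1): (14, 1),
    (2023, 0): (15, 0),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


@dataclass(frozen=True)
class Verdict:
    status: str              # "patched" | "vulnerable" | "no_fix_listed" | "unknown"
    branch: str              # internal branch such as "14.1", or "" when unparseable
    fixed_in: Optional[str]  # year-style label of the first fixed build, if any


def parse_version(text: str) -> tuple[int, int, int]:
    """Extract the first x.y.z triple; a trailing build number (15.0.0.100) is ignored."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    a, b, c = (int(g) for g in m.groups())
    return a, b, c


def assess(version_text: str) -> Verdict:
    """Classify one installed version string against the advisory's fix list."""
    try:
        a, b, patch = parse_version(version_text)
    except ValueError:
        return Verdict("unknown", "", None)

    # Normalise year-style input (2022.1.x) to the internal branch (14.1).
    if a >= 2000:
        branch = YEAR_TO_INTERNAL.get((a, b))
        if branch is None:
            return Verdict("no_fix_listed", f"{a}.{b}", None)
    else:
        branch = (a, b)

    fix = FIXED.get(branch)
    if fix is None:
        # The advisory lists no fixed build for this line (an older, out-of-support
        # release, for instance), so it has to be treated as unpatched.
        return Verdict("no_fix_listed", f"{branch[0]}.{branch[1]}", None)

    fixed_patch, label = fix
    status = "patched" if patch >= fixed_patch else "vulnerable"
    return Verdict(status, f"{branch[0]}.{branch[1]}", label)


def hosts_needing_action(inventory: dict[str, str]) -> list[tuple[str, str]]:
    """Return (host, status) for every host not confirmed patched, sorted by host."""
    return sorted(
        (host, assess(ver).status)
        for host, ver in inventory.items()
        if assess(ver).status != "patched"
    )


# Constructed sample inventory (hypothetical hostnames; the version strings
# mimic what an admin might copy out of the MOVEit "About" page or a CMDB).
INVENTORY = {
    "mft-01.example.test": "MOVEit Transfer 2023.0.1",
    "mft-02.example.test": "15.0.0.100",
    "mft-03.example.test": "2022.1.4",
    "mft-04.example.test": "14.0.4",
    "mft-legacy.example.test": "12.1.0",
    "mft-unknown.example.test": "n/a",
}

if __name__ == "__main__":
    for host, status in hosts_needing_action(INVENTORY):
        fixed = assess(INVENTORY[host]).fixed_in or "no fix listed"
        print(f"{host}: {status} (fix: {fixed})")
```

A host reported as "unknown" or "no_fix_listed" should be queued for a manual look rather than dropped from the list; the point of the check is to surface anything that cannot be positively matched to a fixed build.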

Several cybersecurity firms have reported seeing attacks involving the MOVEit zero-day, including Huntress, Rapid7, TrustedSec, GreyNoise, Mandiant, and Volexity.

Mandiant reported seeing the first attacks on May 27, but threat intelligence firm GreyNoise observed scanning activity possibly related to this flaw in early March. In the observed attacks, threat actors have exploited the vulnerability to deliver a webshell/backdoor that allows them to steal data uploaded by MOVEit Transfer customers. Applying the patch closes the injection vector but does not remove a webshell that has already been dropped, so patched hosts still need to be checked for signs of compromise.

Mandiant has attributed the attack to UNC4857, a new threat cluster, and named the delivered webshell LemurLoot. The security firm has seen victims in the US, Canada and India, with data theft occurring within minutes of the webshell deployment in some cases. 

“The seemingly opportunistic nature of this campaign and subsequent data theft activity is consistent with activity that we’ve seen from extortion actors, which means victim organizations could potentially receive ransom emails in the coming days to weeks,” Mandiant said.

The company has seen some similarities between UNC4857 and activities previously attributed to the FIN11 and Cl0p operations, but said there was not enough evidence to reach a conclusion.


Microsoft, on the other hand, is confident that the threat actor behind the Cl0p ransomware is responsible for the attack. The tech giant tracks the group as Lace Tempest and points to overlaps with FIN11 and TA505 activity.

The Cl0p ransomware group earlier this year exploited a vulnerability in Fortra’s GoAnywhere MFT software to steal data from many organizations.

The Shodan search engine shows roughly 2,500 internet-exposed MOVEit systems, mostly in the United States. The Censys search engine has found more than 3,000 hosts, including in the financial, education and government sectors.  

Security researcher Kevin Beaumont, who has been monitoring the attacks, is aware of data being stolen from a ‘double digit number’ of organizations, including financial companies and US government agencies.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-34362 to its Known Exploited Vulnerabilities Catalog, which directs federal civilian executive branch agencies to patch it by the catalog's remediation deadline.

Rapid7 updated its blog post over the weekend to describe a method that can be used to determine what data and how much of it was exfiltrated from the environments of MOVEit customers.

Related: GoAnywhere Zero-Day Attack Hits Major Orgs  

Related: Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
