The recent zero-day attack on MOVEit has been connected to a well-known ransomware group, which allegedly took advantage of the vulnerability to steal data from numerous organizations.
The flaw has been identified as CVE-2023-34362 and has been resolved through updates in versions 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).
A bit of history
A security notice was released by Progress on May 31, informing users of MOVEit Transfer about a vulnerability that could lead to escalated privileges and unauthorized access to the system.
Mandiant reported the initial attacks on May 27, but GreyNoise detected scanning activities potentially linked to this flaw as early as March.
In the documented attacks, malicious actors have taken advantage of the vulnerability to deploy a webshell/backdoor, enabling them to pilfer data uploaded by MOVEit Transfer users.
Attribution
Mandiant linked the activities to a new threat cluster called UNC4857, and identified the webshell delivered as LemurLoot.
It observed victims in the U.S., Canada, and India, with instances of data theft occurring shortly after the deployment of the webshell.
Although there are some similarities between UNC4857 and activities associated with FIN11 and Cl0p operations, the firm stated that there is insufficient evidence to draw a definitive conclusion.
In contrast, Microsoft is confident in attributing the attack to the threat actor responsible for the Cl0p ransomware. The tech giant tracks this group as Lace Tempest and has noted overlaps with the activities of FIN11 and TA505.
Cl0p claims attack
The Cl0p ransomware gang claimed that it is behind the MOVEit Transfer data theft attacks. A representative of the group also confirmed that they started abusing the flaw on May 27.
The ransomware group declined to disclose the exact count of breached organizations in the MOVEit Transfer attacks. However, it stated that if a ransom was not paid, the victims would be publicly listed on the data leak website.
Additionally, Cl0p confirmed that it has not yet initiated any extortion efforts against the victims. The attackers are probably using this time to review the stolen data and assess its value before deciding how to use it in ransom demands to the compromised companies.
The bottom line
When investigating a compromised machine with MOVEit Transfer installed, a recommended starting point is the HKEY_LOCAL_MACHINE\SOFTWARE\Standard Networks\siLock registry key. Progress has promptly provided mitigation measures: the primary one is updating MOVEit Transfer to one of the patched versions listed above. If updating is not feasible for your organization, it is recommended to disable HTTP(s) traffic to MOVEit Transfer until the patch can be applied.
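As an added triage example (not from the article and not Progress's own tooling), the PowerShell below ties the three points above together on a single Windows host: it dumps the siLock registry key named in the text, reads the installed MOVEit Transfer version, and compares it against the patched builds listed for CVE-2023-34362. It assumes the product registers itself under the standard Windows Uninstall keys with a DisplayName beginning "MOVEit Transfer" and a DisplayVersion value; both are conventions of Windows installers, not something the article states. The commented firewall line assumes the default HTTP/HTTPS ports 80 and 443.

```powershell
# Added example: triage a Windows host running MOVEit Transfer for CVE-2023-34362.
# Run from an elevated PowerShell prompt. Nothing here modifies the system unless
# the commented firewall line at the bottom is uncommented.

# 1. Dump the registry key the article recommends as a starting point.
$siLock = 'HKLM:\SOFTWARE\Standard Networks\siLock'
if (Test-Path $siLock) {
    Write-Host "== $siLock =="
    Get-ItemProperty -Path $siLock |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
} else {
    Write-Host "siLock key not present; MOVEit Transfer may not be installed here."
}

# 2. Minimum fixed build per release branch, taken from the versions quoted above.
#    Both the year-based and the legacy 13/14/15 numbering are covered.
$fixed = @{
    '2021.0' = [version]'2021.0.6'; '13.0' = [version]'13.0.6'
    '2021.1' = [version]'2021.1.4'; '13.1' = [version]'13.1.4'
    '2022.0' = [version]'2022.0.4'; '14.0' = [version]'14.0.4'
    '2022.1' = [version]'2022.1.5'; '14.1' = [version]'14.1.5'
    '2023.0' = [version]'2023.0.1'; '15.0' = [version]'15.0.1'
}

function Test-MoveitPatched {
    # Returns PATCHED / VULNERABLE / UNKNOWN for a given installed version string.
    param([Parameter(Mandatory)][string]$Version)
    $v = [version]$Version
    $branch = "$($v.Major).$($v.Minor)"
    if (-not $fixed.ContainsKey($branch)) {
        return "UNKNOWN: branch $branch is not in the advisory list; check the vendor notice"
    }
    if ($v -ge $fixed[$branch]) { return "PATCHED ($Version >= $($fixed[$branch]))" }
    return "VULNERABLE ($Version < $($fixed[$branch]))"
}

# 3. Locate the installed product via the standard Uninstall keys (assumption: the
#    installer registers a DisplayName starting with "MOVEit Transfer").
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'MOVEit Transfer*' }

if ($installed) {
    foreach ($app in $installed) {
        if (-not $app.DisplayVersion) {
            Write-Host "$($app.DisplayName): no DisplayVersion recorded; verify manually"
            continue
        }
        Write-Host "$($app.DisplayName) $($app.DisplayVersion): $(Test-MoveitPatched $app.DisplayVersion)"
    }
} else {
    Write-Host "No MOVEit Transfer entry found under the Uninstall keys."
}

# Emergency mitigation from the article if patching is not immediately possible:
# block inbound HTTP(S) to the host (assumes the default ports 80 and 443).
# New-NetFirewallRule -DisplayName 'Block MOVEit HTTP(S)' -Direction Inbound -Protocol TCP -LocalPort 80,443 -Action Block
```

The version check keys on the major.minor branch rather than a single global threshold, because a 2021.1 install at 2021.1.4 is patched while a 2022.0 install at 2022.0.3 is not; a flat "is it above 2023.0.1" test would misclassify every older branch. Save the siLock dump alongside your other host artifacts before applying the patch so the pre-remediation configuration is preserved for the investigation.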