Microsoft has named Lace Tempest as the threat group behind attacks on MOVEit Transfer, a service that handles business-critical file transfers for major banks, credit unions, and federal agencies.
Hackers exploited a flaw, tracked as CVE-2023-34362, to obtain access to the database of MOVEit Transfer, a widely-used secure managed file transfer application.
Microsoft Threat Intelligence said the attack pattern matched that of the Lace Tempest group, also known as FIN11, which runs the Cl0p ransomware-as-a-service (RaaS).
At this stage, the contents of affected databases are unclear as no stolen data has been posted on the dark web.
The hacker group has become known for data theft and extortion through the exploitation of vulnerabilities and deploying ransomware.
Microsoft researchers matched behaviors from the attacks with those from recent Lace Tempest activity, although it has not detailed its specific evidence for attribution.
The group has exploited similar vulnerabilities in past operations, and Mandiant noted both the MOVEit attackers and FIN11 have made use of data exfiltration web shells.
Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims. pic.twitter.com/q73WtGru7jJune 5, 2023
In attacks observed in the wild, attackers exploited the flaw using SQL injection to escalate their privileges, allowing them to gain access to a victim’s MOVEit Transfer database and exfiltrate or alter files.
Thousands of organizations are understood to use MOVEit Transfer in their operations.
MOVEit Transfer was developed by Ipswitch, a subsidiary of Progress Software Corporation, which released a notice on the breach on May 31.
“Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements,” Progress wrote.
Every version of MOVEit Transfer, including MOVEit Cloud, are thought to be affected by the vulnerability. Progress has released patches for each version, but reports of databases that were compromised in the interim are expected to continue in the coming weeks.
Progress has urged customers to delete .cmdline script files and the file ‘human2.aspx’, remove unauthorized accounts, and analyze logs for large file transfers or access to Azure Blob Storage Keys.
It also recommended MOVEit Transfer users change their firewall settings to block HTTP and HTTPS traffic to the application through ports 80 and 443 until such time as the relevant patch has been applied.
Following the public disclosure of the vulnerability, security teams and system admins across the thousands of firms that use MOVEit to transfer sensitive information have been assessing their vulnerability and taking to forums to compare notes.
“Jack Henry uses MOVEit for almost all their automation and sending of files to thousands of clients banks/credit unions/providers multiple times per day,” wrote one user of the sys admins subreddit.
Cyber security researcher Kevin Beaumont tweeted that according to his analysis, several organizations, including some in banking and the US government, have had data stolen through the attacks.
Microsoft are attributing the #moveIT attacks to cl0p ransomware. I’ve been tracking this – there are a double digit number of orgs who had data stolen, that includes multiple US Government and banking orgs. https://t.co/OJF5XnQO9cJune 5, 2023
“MoveIT Transfer is used across the US Government as a recommended solution and all of them were vulnerable (and in many cases still are as many orgs haven’t patched yet),” he wrote.
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-34362 to its exploited vulnerabilities list, which compels all federal agencies to apply patches against the flaw by June 23.
Mandiant had previously attributed the attacks to a new threat group it tracked as UNC4857, and predicted that victims were likely to receive ransom emails in coming days.
Researchers noted the similarities between UNC4857 activity and that of FIN11, but did not definitively prove an overlap between the two for lack of evidence.
It found that attacks had been occurring since at least May 27, and identified a web shell dubbed ‘LEMURLOOT’ that the attackers have deployed following exploitation. This is used to download files, generate enumeration commands within MOVEit, pass config data back to attackers, and alter user accounts.
Detection of LEMURLOOT samples on repositories from Germany, Italy, and Pakistan led researchers to suggest that the group has also targeted victims in these countries.
At the time of writing, the vulnerability has not received an official CVSS score.
“The first step for administrators utilizing MFT should be to patch the vulnerability or take the service offline until it can be patched, especially now that it is public knowledge,” Darren Guccione, CEO and co-founder, Keeper Security told ITPro.
“While not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impacts on systems, data and operations.”
