Headline
Clop Ransomware Gang Likely Exploiting MOVEit Transfer Vulnerability Since 2021
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software’s MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software’s MOVEit Transfer application to drop ransomware.
“The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer,” the agencies said.
“Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases.”
The prolific cybercrime gang has since issued an ultimatum to several impacted businesses, urging them to get in touch by June 14, 2023, or risk getting all their stolen data published.
Microsoft is tracking the activity under the moniker Lace Tempest (aka Storm-0950), which has also been implicated in the exploitation of a critical security vulnerability in PaperCut servers.
Active since at least February 2019, the adversary has been linked to a wide range of activities in the cybercrime ecosystem, including operating a ransomware-as-a-service (RaaS) and acting as an affiliate for other RaaS schemes.
It has also been observed acting as an initial access broker (IAB) to profit off access to compromised enterprise networks and also as a customer of other IABs, underscoring the interconnected nature of the threat landscape.
Source: Kroll
The abuse of CVE-2023-34362, an SQL injection flaw in MOVEit Transfer, is a sign of the adversary continuously seeking zero-day exploits in internet-facing applications and using them to their advantage in order to extort victims.
It’s worth noting that Cl0p carried out similar mass exploitation attacks on other managed file transfer applications such as Accellion FTA and GoAnywhere MFT over the past year.
Attack surface management firm Censys said it has observed a drop in the number of hosts running exposed MOVEit Transfer instances from over 3,000 hosts to little more than 2,600.
“Several of these hosts are associated with high-profile organizations, including multiple Fortune 500 companies and both state and federal government agencies,” Censys noted, highlighting finance, technology, and healthcare as the sectors with the most exposures.
UPCOMING WEBINAR
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!
Join the Session
Kroll, in an analysis shared with The Hacker News, said it identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular flaw in April 2022 and as far back as July 2021.
The finding is particularly significant as it serves to illustrate the attacker’s technical expertise and the planning that has gone into staging the intrusions much before the recent wave of exploitations began.
“Commands during the July 2021 time frame appeared to be run over a longer amount of time, suggesting that testing may have been a manual process at that point before the group created an automated solution that it began testing in April 2022,” Kroll said.
The July 2021 exploitation is said to have originated from an IP address (45.129.137[.]232) that was previously attributed to the Cl0p actor in connection with attempts to exploit flaws in SolarWinds Serv-U product around the same time.
“This is the third time Cl0p ransomware group have used a zero day in webapps for extortion in three years,” security researcher Kevin Beaumont said. “In all three cases they were products with security in the branding.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
SUMMARY The Cl0p ransomware group has recently claimed responsibility for exploiting a critical vulnerability in Cleo’s managed file…
While Progress has released patches for the vulnerabilities, attackers are trying to exploit them before organizations have a chance to remediate.
Palantir Gotham was found to be vulnerable to a bug where under certain circumstances, the frontend could have applied an incorrect classification to a newly created property or link.
The Gotham Cerberus service was found to have a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker with access to Gotham to launch attacks against other users. This vulnerability is resolved in Cerberus 100.230704.0-27-g031dd58 .
The Foundry Magritte plugin rest-source was found to be vulnerable to an an XML external Entity attack (XXE).
Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent.
Categories: Threat Intelligence Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang. (Read more...) The post Ransomware review: July 2023 appeared first on Malwarebytes Labs.
A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0.
A security defect was discovered in Foundry Frontend which enabled users to perform Stored XSS attacks in Slate if Foundry's CSP were to be bypassed. This defect was resolved with the release of Foundry Frontend 6.229.0. The service was rolled out to all affected Foundry instances. No further intervention is required.
Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities. The identified SQL injection vulnerability, tagged as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized
A security defect was identified in Foundry Issues. If a user was added to an issue on a resource that they did not have access to and consequently could not see, they could query Foundry's Notification API and receive metadata about the issue including the RID of the issue, severity, internal UUID of the author, and the user-defined title of the issue.
This Metasploit module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak be able to upload a .NET deserialization payload.
These clinics offers pro-bono cybersecurity services — like incident response, general advice and ransomware defense — to community organizations, non-profits and small businesses that normally couldn’t afford to pay a private company for these same services.
The announcement was posted on Twitter via the Rewards for Justice Twitter account, alongside encrypted messaging system options for anyone to get into contact should they have viable information.
The Clop ransomware group has claimed responsibility for exploiting the vulnerability to deploy a previously unseen web shell, LemurLoot.
MOVEit has created a patch to fix the issue and urges customers to take action to protect their environments, as Cl0p attacks continue to mount, including on government targets.
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: Progress Tags: Moveit Tags: CVE-2023-34362 Tags: CVE-2023-35036 Tags: Cl0p Progress has released an advisory about yet another MOVEit Transfer vulnerability while new victims of the first one keep emerging. (Read more...) The post MOVEit discloses THIRD critical vulnerability appeared first on Malwarebytes Labs.
Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies. The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment." The
The information leak threats are certainly new, but the education and messaging from security evangelists (and even just anyone trying to educate an older or less security-savvy family member) doesn’t change.
By Waqas Ofcom, the UK communications regulator, is the latest victim of the infamous Cl0p extortion gang, who have been exploiting MOVEit vulnerabilities to target high-profile firms. This is a post from HackRead.com Read the original post: UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: MOVEit Tags: Progress Tags: Cl0p Tags: ransomware Tags: CVE-2023-34362 A security audit of the MOVEit code has revealed more SQL injection vulnerabilities, while victims of the first vulnerability are coming to the surface. (Read more...) The post More MOVEit vulnerabilities found while the first one still resonates appeared first on Malwarebytes Labs.
Progress Software, the company behind the MOVEit Transfer application, has released patches to address brand new SQL injection vulnerabilities affecting the file transfer solution that could enable the theft of sensitive information. "Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain
YouTube released a statement that “we will stop removing content that advances false claims that widespread fraud, errors, or glitches occurred in the 2020 and other past US Presidential elections.”
Categories: Exploits and vulnerabilities Categories: News Categories: Ransomware Tags: Progress Tags: MOVEit Tags: Transfer Tags: CVE-2023-34362 Tags: BBC Tags: Zellis Tags: BA The first victims of the ongoing attacks on vulnerable MOVEit Transfer instances are coming forward. The Cl0p ransomware gang claims it is behind the attacks. (Read more...) The post Cl0p ransomware gang claims first victims of the MOVEit vulnerability appeared first on Malwarebytes Labs.
Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as Lace Tempest. "Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team said in a series of tweets today. "CVE-2023-34362 allows attackers to
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. NOTE: this is exploited in the wild in May and June 2023; exploitation of unpatched systems can occur via HTTP or HTTPS.