Critical Zero-Day Attack on MOVEit Exposed Data


Recently, there has been an attack on MOVEit software, which has been linked to a ransomware group. This group has taken advantage of a vulnerability in the software to steal data from many organizations.

Discussing the details

On May 31, Progress Software informed its customers about a critical flaw in its MOVEit Transfer managed file transfer software. This flaw allows unauthorized individuals to access databases associated with the software by exploiting a SQL injection vulnerability. 

The flaw has been assigned the identifier CVE-2023-34362 and fixed with the release of updated software versions.

Source: NIST

According to the National Vulnerability Database: “A significant security flaw has been identified in the MOVEit Transfer web application versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).”

“This vulnerability allows unauthorized attackers to exploit the application’s database through a SQL injection attack. Depending on the database engine utilized (MySQL, Microsoft SQL Server, or Azure SQL), attackers can gain access to sensitive database information, manipulate its structure, and execute SQL statements. It is crucial to note that this exploit has been observed in the wild during May and June 2023, posing a significant risk to unpatched systems. The vulnerability can be exploited via HTTP or HTTPS. It is essential to highlight that all versions preceding the explicitly mentioned ones, including unsupported older versions (e.g., 2020.0 and 2019x), are affected by this vulnerability.”
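The advisory text lists a different fixed release for each MOVEit Transfer release line, and treats every older line as affected, so a simple numeric comparison is not enough. The following checker is an added example written for this article (it is not code from Progress, NIST, or any of the firms named here) and maps a version string, in either the year-style or the internal numbering the advisory pairs it with, to "vulnerable", "fixed", or "not-listed". It assumes the 13.x = 2021, 14.x = 2022, 15.x = 2023 correspondence printed in the advisory and that any internal major below 13 belongs to an older, unsupported line.

```python
import re

# Minimum fixed release per line, taken from the NVD text quoted above.
# Keys are (year, minor) of the year-style version; values are the fixed (year, minor, patch).
FIXED = {
    (2021, 0): (2021, 0, 6),
    (2021, 1): (2021, 1, 4),
    (2022, 0): (2022, 0, 4),
    (2022, 1): (2022, 1, 5),
    (2023, 0): (2023, 0, 1),
}

# Internal major number -> year-style major, from the pairs the advisory prints
# (13.x = 2021, 14.x = 2022, 15.x = 2023). Assumption: anything lower is an older line.
INTERNAL_TO_YEAR = {13: 2021, 14: 2022, 15: 2023}

_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Parse '2022.1.3', '14.1.3' or '2022.1.3 (14.1.3)' into a (year, minor, patch) tuple.

    A missing patch component is treated as 0. Internal numbering is mapped to the
    year-style line; sentinels 0 / 9999 stand for 'older' / 'newer' than any listed line.
    """
    m = _VER.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    if major < 100:  # internal numbering rather than year-style
        if major in INTERNAL_TO_YEAR:
            major = INTERNAL_TO_YEAR[major]
        elif major < min(INTERNAL_TO_YEAR):
            major = 0      # older than any line the advisory names
        else:
            major = 9999   # newer than any line the advisory names
    return (major, minor, patch)


def assess(text):
    """Return 'vulnerable', 'fixed' or 'not-listed' for one MOVEit Transfer version string."""
    year, minor, patch = parse_version(text)
    line = (year, minor)
    if line in FIXED:
        return "fixed" if (year, minor, patch) >= FIXED[line] else "vulnerable"
    if line < min(FIXED):
        # The advisory says every older line, supported or not, is affected.
        return "vulnerable"
    # A line newer than the advisory text; check the vendor's current guidance instead.
    return "not-listed"


if __name__ == "__main__":
    for v in ("2022.1.3", "2022.1.5 (14.1.5)", "14.0.3", "2020.0", "2023.1.0"):
        print(f"{v:20} -> {assess(v)}")
```

The checker only answers the question the advisory answers; a version it reports as "not-listed" postdates the text quoted here and should be compared against the vendor's current release notes rather than assumed safe.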

Carefully woven techniques 

Various cybersecurity firms, including Huntress, Rapid7, TrustedSec, GreyNoise, Mandiant, and Volexity, have encountered attacks exploiting this zero-day vulnerability in MOVEit. Mandiant observed the first attacks on May 27, while GreyNoise noticed scanning activities related to the exposure in March. 

In these attacks, the threat actors have utilized the vulnerability to introduce a web shell/backdoor, enabling them to steal data uploaded by MOVEit Transfer users.

Mandiant has attributed this attack to a new threat cluster named UNC4857 and has named the web shell used “LemurLoot”. Mandiant warns that affected organizations may soon receive ransom emails from the attackers.

  • Several POST requests were made to the legitimate guestaccess.aspx file before the LEMURLOOT web shell was first contacted, suggesting that the SQL injection was aimed at that file.
  • LEMURLOOT was found under filenames such as human2.aspx and _human2.aspx; numerous samples named human2.aspx have been uploaded to VirusTotal.
  • LEMURLOOT was designed to perform specific actions on MOVEit Transfer systems.

“It can execute commands to gather information about files and folders, retrieve configuration details, and create or delete a user with a predetermined name. Initial analysis suggests that the primary purpose of the LEMURLOOT web shell is to steal data previously uploaded by users of individual MOVEit Transfer systems.”

Capabilities as a curse

LEMURLOOT can pilfer Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings. Attackers exploiting this vulnerability may therefore also target files stored in Azure Blob storage if victims have chosen to keep their appliance data there. However, it remains to be seen whether the theft is limited to data stored in this manner.

Staging to sustain

  • In many cases, the scanning and exploitation leading to the delivery of LEMURLOOT originated from IP addresses within the 5.252.188.0/22 range. 
  • The interaction with the web shell and subsequent data theft occurred from different systems. 
  • Several hosts used to support these secondary operations ran Remote Desktop Protocol (RDP) services with certificates, which points to when this infrastructure was likely staged.
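The observations above (POSTs to guestaccess.aspx preceding the first contact with the web shell, the human2.aspx / _human2.aspx filenames, and scanning from 5.252.188.0/22) translate directly into a web-log triage. The script below is an added example for this article, not code from Mandiant, Rapid7 or Progress; it runs over a constructed sample in a reduced IIS W3C layout (date, time, client IP, method, URI stem, status) and reports three kinds of finding: any request for a web shell filename, POSTs to guestaccess.aspx from the scanning range, and the probe-then-web-shell sequence per client IP. The field layout and the sample lines are assumptions for the example; real IIS logs have more columns and a `#Fields:` header to map them.

```python
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Indicators taken from the reporting above: the scanning/exploitation range,
# the web shell filenames, and the legitimate page the SQL injection targeted.
SCAN_RANGE = ipaddress.ip_network("5.252.188.0/22")
WEBSHELL_NAMES = {"human2.aspx", "_human2.aspx"}
SQLI_TARGET = "guestaccess.aspx"

# Constructed sample log (not real traffic) in a reduced IIS W3C layout:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2023-05-28 01:12:03 5.252.190.14 POST /guestaccess.aspx 200
2023-05-28 01:12:05 5.252.190.14 POST /guestaccess.aspx 200
2023-05-28 01:12:09 5.252.190.14 GET /human2.aspx 404
2023-05-28 01:12:11 5.252.190.14 POST /human2.aspx 200
2023-05-28 03:40:00 198.51.100.7 POST /human2.aspx?X-siLock-Step1=1 200
2023-05-28 09:00:00 203.0.113.5 GET /guestaccess.aspx 200
2023-05-28 09:00:02 203.0.113.5 POST /_Human2.aspx 200
"""


def parse_line(line):
    """Split one log line into a record; return None for headers, blanks or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, ip, method, uri, status = parts
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    # Keep only the final path component, lower-cased, so query strings and
    # case tricks (e.g. _Human2.aspx) do not hide a match.
    page = urlsplit(uri).path.rsplit("/", 1)[-1].lower()
    return {"ts": f"{date} {time}", "ip": addr, "method": method.upper(),
            "page": page, "status": status}


def find_indicators(log_text):
    """Return a list of (kind, record) findings, in log order."""
    findings = []
    probed = set()   # client IPs that have POSTed to guestaccess.aspx so far
    chained = set()  # client IPs already reported for probe -> web shell
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["page"] == SQLI_TARGET and rec["method"] == "POST":
            probed.add(rec["ip"])
            if rec["ip"] in SCAN_RANGE:
                findings.append(("post_from_scan_range", rec))
        if rec["page"] in WEBSHELL_NAMES:
            findings.append(("webshell_request", rec))
            if rec["ip"] in probed and rec["ip"] not in chained:
                chained.add(rec["ip"])
                findings.append(("probe_then_webshell", rec))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'webshell_request': 4, ...}."""
    return dict(Counter(kind for kind, _ in findings))


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG)
    for kind, rec in hits:
        print(f"{rec['ts']}  {rec['ip']!s:16} {rec['method']:5} {rec['page']:14} {kind}")
    print(summarize(hits))
```

Any "webshell_request" hit, including a 404 (the attacker checking whether the file already exists), is worth escalating on its own; the "probe_then_webshell" sequence is the stronger signal that exploitation, not just scanning, reached the host.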

Source: CyberlinkASP

Do we have the record?

Although similarities have been observed between UNC4857 and previous activities associated with FIN11 and Cl0p operations, Mandiant lacks sufficient evidence to draw a definite conclusion. 

However, Microsoft is confident that the Cl0p ransomware group, which they track as Lace Tempest and link to FIN11 and TA505, is responsible for this attack. This group had previously exploited a vulnerability in Fortra’s GoAnywhere MFT software to steal data from various organizations.

Security researcher Kevin Beaumont, who has been monitoring the attacks, has noted that data has been stolen from several organizations, including financial institutions and US government agencies. Still, in a recent tweet, he said:

Source: Twitter

Attribution is therefore not yet settled, and no other findings have been confirmed. In response to the situation, the US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-34362 to its Known Exploited Vulnerabilities Catalog, urging government agencies to patch it promptly. Rapid7 has also published guidance on determining the extent of data exfiltration from MOVEit environments.

Source: CISA

Retrospectively…

The incidents highlight the evolving nature of cyber threats and the need for continuous vigilance in maintaining robust security measures. Ransomware is evolving in ways we had not imagined: these groups openly claim responsibility, sometimes return the data, and act as if it were their right to trade privacy for money. 

The only options we have as a society fighting cyber crime are to be proactive: promptly address vulnerabilities, build resilience against such attacks, and safeguard sensitive information.
