Microsoft Threat Intelligence attributed attacks exploiting a critical zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer app to Lace Tempest, an advanced persistent threat group known for ransomware operations and for running the Clop extortion site.
In a Tweet Sunday night, the Clop ransomware variant was tied to the exploitation of MOVEit zero-day, Microsoft said the threat actor used similar vulnerabilities in the past to steal data and extort victims.
Progress Software disclosed the SQL injection vulnerability on May 31. Since then, researchers from Huntress to Mandiant to security researcher Kevin Beaumont have commented on the vulnerability — CVE-2023-34362 — imploring security teams to patch.
Researchers say the vulnerability could lead to escalated privileges and potential unauthorized access to millions of IT environments. The zero-day has already impacted Nova Scotia's government and British Airways employees, among others.
Charles Carmakal, CTO at Mandiant Consulting at Google Cloud, underscored that it’s critical for victim organizations to prepare for potential extortion, publication of stolen data, and victim shaming.
“We expect the threat actor will soon reach out to victims with extortion demands,” said Carmakal. “In prior threat campaigns, it took FIN11 (Mandiant's name for Lace Tempest) several weeks to work their way through the list of their victims."
Meanwhile, Carmakal advised security teams to watch out for scammers. Carmakal said some of Mandiant’s clients that were impacted by the MOVEit exploitation received extortion emails over the weekend.
“The extortion emails were unrelated to the MOVEit exploitation and were just scams, but organizations could easily confuse them as being authentic,” explained Carmakal.
John Hammond, senior security researcher at Huntress, added that most threat intelligence analysts in the industry also concluded that Clop was behind the MOVEit exploitation since, as the target of a file transfer application, was similar to Clop's recent GoAnywhere MFT attack.
Hammond said Huntress recreated the attack chain for the CVE-2023-34362 MOVEit exploitation, and to date has not observed any new artifacts or indicators of compromise that are not already publicly known.
“Progress has provided an update on their steps to respond to this incident, but have not yet provided any further technical details, such as known exfiltration IP addresses or malicious domains,” said Hammond. “Unfortunately, it seems more and more organization are slowly coming out of the woodwork to express they have been compromised from this threat.”
John Bambenek, principal threat Hunter at Netenrich, said data exfiltration has become the last step in modern ransomware before holding an organization hostage. He said the zero-day in this case lets an attacker exploit a variety of targets and start stealing data immediately, which makes the time to respond much shorter.
“This group is clearly thinking about how we as defenders respond so that they can be in and achieving their objectives before our tools even have a chance to detect them,” said Bambenek.