Cybercrime: Ransomware Group Steals Data From Dozens of Organizations Through MOVEit Exploit
Background
A known ransomware group has been connected to the recent MOVEit Transfer zero-day attack, which allowed the group to steal data from dozens of organizations. Progress Software had informed customers on May 31st about the critical SQL injection vulnerability affecting its managed file transfer (MFT) software, which allows unauthenticated attackers to access the product’s databases. Cybersecurity firms such as Rapid7, Huntress, GreyNoise, and Volexity, among others, have reportedly observed attacks exploiting the vulnerability.
The Attack
The vulnerability allowed the attackers to deploy a webshell/backdoor on affected systems, which enabled the theft of data uploaded by MOVEit Transfer customers. Mandiant, a security firm, attributes the attack to UNC4857, a newly identified threat cluster, and refers to the delivered webshell as LemurLoot. The victim organizations, mostly located in the US, Canada, and India, reportedly had data stolen within minutes of the webshell being deployed.
The Attribution and Implications
Microsoft attributes the attack to the Cl0p ransomware group. The firm tracks the group as Lace Tempest and points out overlaps with FIN11 and TA505 operations. Mandiant, however, reported some similarities between UNC4857 and previously attributed FIN11 and Cl0p operations but did not possess enough evidence to draw a conclusion. According to Mandiant, the potentially opportunistic nature of the attack may lead to victim organizations receiving ransom emails in the following days or weeks. The occurrence of this incident after the Cl0p group’s attack on Fortra’s GoAnywhere MFT software last year shows the persistence of ransomware groups in exploiting software vulnerabilities, which further highlights the need to secure software applications.
The Way Forward
The US Cybersecurity and Infrastructure Security Agency (CISA) has recommended that government agencies patch CVE-2023-34362, the identifier assigned to the flaw, by June 10th, 2023. Rapid7 has also updated its blog post to describe a methodology MOVEit users can employ to determine what data, and how much of it, has been stolen from their environment. The incident highlights the necessity of patching software, maintaining cybersecurity hygiene, and continuously monitoring network activity to prevent exploitation by cybercriminals. Organizations need to develop robust cybersecurity measures and adhere to safe computing practices to protect against the evolving tactics of some of the most sophisticated cyber-criminals.
Author’s Opinion
As software vulnerabilities persist in an increasingly digital world, government agencies and companies will continue to be at risk of cyberattacks that exploit them. Hence, it is imperative for companies to maintain proper cybersecurity hygiene and to keep their software regularly maintained and patched. While this may entail additional expense in the short term, it can yield substantial benefits in the longer term by preventing costly cyberattacks. Moreover, given the potentially transformative role of cybersecurity measures in the digital age, prudent investment in this area can strengthen the resilience of numerous critical infrastructure systems against cyber vulnerabilities.