Exploring the Dark Side of Cyber Attacks: The MOVEit Exploit and Ransomware Group Targeting Organizations

Ransomware Group Steals Data From Dozens of Organizations Through MOVEit Exploit

Background

A known ransomware group has been connected to the recent MOVEit Transfer zero-day attack, in which the group stole data from dozens of organizations. Progress Software informed customers on May 31, 2023 of a critical SQL injection vulnerability in its MOVEit Transfer managed file transfer (MFT) software that allowed unauthenticated attackers to gain access to the product’s database. Cybersecurity firms including Rapid7, Huntress, GreyNoise, and Volexity reported observing attacks exploiting the vulnerability.
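To make the vulnerability class concrete, the following is a generic illustration added for this article; it is not code from MOVEit Transfer or from any of the firms named above. It places a query that splices caller-controlled input into SQL text next to the parameterized form that closes the hole. The table, column names, sample rows and payloads are constructed for the demonstration and are not assumptions about the real product.

```python
"""Generic SQL injection illustration (example code added for this article,
not MOVEit Transfer's code). The schema, rows and payloads below are
constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory database standing in for an MFT product's
    store of uploaded files. The secret column represents data an
    unauthenticated caller must never be able to read."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE transfers ("
        "id INTEGER PRIMARY KEY, owner TEXT, filename TEXT, secret TEXT)"
    )
    con.executemany(
        "INSERT INTO transfers (owner, filename, secret) VALUES (?, ?, ?)",
        [
            ("alice", "q1-report.pdf", "token-alice"),
            ("bob", "payroll.xlsx", "token-bob"),
            ("carol", "contracts.zip", "token-carol"),
        ],
    )
    con.commit()
    return con


def list_files_vulnerable(con: sqlite3.Connection, owner: str) -> list[str]:
    """VULNERABLE: the caller-supplied owner is spliced into the SQL text,
    so quotes in the input change the statement's structure."""
    sql = f"SELECT filename FROM transfers WHERE owner = '{owner}'"
    return [row[0] for row in con.execute(sql)]


def list_files_safe(con: sqlite3.Connection, owner: str) -> list[str]:
    """HARDENED: the same query with a bound parameter. The driver passes
    the value as data; it is never parsed as SQL, so the injected quotes
    and keywords are just characters to match against."""
    sql = "SELECT filename FROM transfers WHERE owner = ?"
    return [row[0] for row in con.execute(sql, (owner,))]


# Constructed payloads: the first widens the WHERE clause to match every
# row, the second uses UNION to read a column the query never exposed.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT secret FROM transfers WHERE '1'='1"


def demo() -> dict[str, list[str]]:
    """Run both payloads through both code paths and return the results."""
    con = make_db()
    return {
        "vuln_tautology": sorted(list_files_vulnerable(con, TAUTOLOGY_PAYLOAD)),
        "safe_tautology": list_files_safe(con, TAUTOLOGY_PAYLOAD),
        "vuln_union": sorted(list_files_vulnerable(con, UNION_PAYLOAD)),
        "safe_union": list_files_safe(con, UNION_PAYLOAD),
        "safe_legit": list_files_safe(con, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15s} -> {rows}")
```

Running demo() shows the tautology payload returning every row through the vulnerable query while the parameterized query returns nothing, and the UNION payload pulling the secret column out through the vulnerable path. That second result is the shape of "unauthenticated access to the database" described above: the attacker never authenticates, yet reads (and, with a different statement, could write) data the application never meant to expose.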

The Attack

The vulnerability allowed the attackers to deploy a webshell/backdoor on affected systems, which enabled theft of the data that MOVEit Transfer customers had uploaded. Mandiant attributes the attack to a new threat cluster it tracks as UNC4857 and refers to the webshell as LemurLoot. Victim organizations, mostly located in the US, Canada, and India, reportedly had data stolen within minutes of the webshell being deployed.

The Attribution and Implications

Microsoft attributes the attack to the Cl0p ransomware group, which it tracks as Lace Tempest and which overlaps with FIN11 and TA505 operations. Mandiant noted similarities between UNC4857 and previously observed FIN11 and Cl0p operations but said it did not have enough evidence to draw a conclusion. Given the opportunistic nature of the campaign, Mandiant expects victim organizations to receive ransom emails in the following days or weeks. The incident follows Cl0p’s exploitation of Fortra’s GoAnywhere MFT software earlier in 2023, showing how persistently ransomware groups target vulnerabilities in widely deployed file transfer products and underscoring the need to secure such applications.

The Way Forward

The US Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to patch CVE-2023-34362, the identifier assigned to the flaw, by June 23, 2023. Rapid7 has updated its blog post with a methodology that MOVEit Transfer users can follow to determine what data, and how much of it, was taken from their environment. The incident underlines the need to patch promptly, maintain cybersecurity hygiene, and monitor network activity so that exploitation is detected quickly. Organizations need robust cybersecurity measures and safe computing practices to protect against the evolving tactics of some of the most sophisticated cybercriminals.

Author’s Opinion

As software vulnerabilities persist in an increasingly digital world, government agencies and companies will remain at risk from attacks that exploit them. It is therefore imperative that organizations maintain proper cybersecurity hygiene and keep their software patched and maintained. While this entails additional expense in the short term, it pays off over the longer term by preventing costly attacks. Moreover, given how much critical infrastructure now depends on this software, prudent investment in security strengthens the resilience of those systems against exploitation.
