
The Grave Implications of the Mass Exploitation of a Zero-Day Bug in MOVEit File Transfer


Zero-Day Exploit in MOVEit Transfer app Exposes Data Theft Risk

A financially motivated group with links to other known adversaries is actively exploiting a critical zero-day vulnerability in Progress Software’s MOVEit Transfer app to steal data from organisations that use the managed file transfer technology. According to an advisory from Progress, MOVEit Transfer is a popular managed file transfer app that organisations use to exchange large files and sensitive data internally and externally. Thousands of customers use it worldwide, including some major names such as Blue Cross Blue Shield, Geico, Disney, Chase, and Major League Baseball.

Details of the Threat

Google’s Mandiant security group reports that exploitation of the zero-day began on May 27. Progress disclosed the vulnerability and issued patches for all affected versions only four days later, on May 31. Mandiant’s researchers believe the exploitation activity may be a precursor to follow-on ransomware extortion against the organisations compromised so far.

The Microsoft Threat Intelligence team has attributed the attacks to a financially motivated group it tracks as “Lace Tempest”, which it links to FIN11, TA505, Evil Corp, and the Cl0p ransomware gang.

The Vulnerability and Attack Methodology

The vulnerability (CVE-2023-34362) is an SQL injection flaw in the MOVEit Transfer web application that affects all versions of the product. It allows an unauthenticated remote attacker to gain access to the application’s database. After exploiting it, the threat actors deploy a newly identified webshell, tracked as LEMURLOOT, written to disk under a filename chosen to resemble human.aspx, a legitimate component of MOVEit Transfer (the observed name is human2.aspx).

This webshell allows the attackers to issue commands for enumeration of files and folders on a system running MOVEit Transfer software, retrieve configuration information, and create or delete user accounts. Mandiant’s initial analysis shows that the threat actor is using LEMURLOOT to steal data previously uploaded by MOVEit Transfer users.

Further, LEMURLOOT samples suggest that organisations in several countries, including Germany, Italy, and Pakistan, may be affected. Mandiant tracks the threat actor as UNC4857 and describes it as a previously unknown, unattributed group, but believes it is linked to FIN11. Many internet-exposed MOVEit Transfer instances remain vulnerable because the patches have not been applied, or have been applied incorrectly, leaving the SQL injection open to attackers.

Risk to Data

Mandiant has so far identified victims across multiple industries in the US, Canada, and India, and the impact of the exploitation is likely to extend well beyond them. In some cases data theft occurred within minutes of the webshell being deployed.

Experts argue that managed file transfer products such as Progress’s MOVEit Transfer and Fortra’s GoAnywhere MFT will become an increasingly popular target for ransomware actors pivoting from data encryption to pure data theft. A single file transfer product, once compromised, gives attackers a way to steal data from tens to hundreds of businesses at once, which makes the effort highly profitable. Because these systems exist to move sensitive files, each compromised instance tends to hold exactly the kind of data that ransomware groups can credibly threaten to leak on the Dark Web.

Recommendations

Organisations using MOVEit Transfer should apply the patches provided by Progress without delay and monitor their servers for signs of compromise, in particular unexpected .aspx files in the MOVEit web root such as a LEMURLOOT webshell, and web server log entries showing requests to such files. The current exploitation underlines the importance of proactively identifying vulnerabilities in third-party components and ensuring timely patching and configuration controls.
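As an added example that is not part of the original article and not code from Progress, Mandiant or Microsoft, the following Python script shows the kind of triage a defender would run against the two points described above: a lookalike .aspx file dropped beside the legitimate human.aspx, and requests to that file in the IIS logs. The baseline list of expected .aspx pages, the web root listing, the client IP addresses and the IIS log lines are all constructed here for illustration; on a real host the baseline must be built from a clean install rather than copied from this list.

```python
"""Triage helper for a MOVEit Transfer host: find lookalike .aspx files in the
web root and the IIS requests that hit them. Added example; all data below is
constructed for illustration."""
import re

# Hypothetical baseline of .aspx pages expected in a clean MOVEit Transfer
# wwwroot. Build this from a known-good install, not from this list.
KNOWN_GOOD_ASPX = {"human.aspx", "machine.aspx", "guestaccess.aspx"}

# A known page name with digits appended, e.g. human2.aspx next to human.aspx.
LOOKALIKE = re.compile(r"([a-z]+)\d+\.aspx$")


def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify_aspx(path):
    """Return 'known', 'lookalike' or 'unknown' for one .aspx filename."""
    base = basename(path).lower()
    if base in KNOWN_GOOD_ASPX:
        return "known"
    m = LOOKALIKE.match(base)
    if m and m.group(1) + ".aspx" in KNOWN_GOOD_ASPX:
        return "lookalike"  # masquerades as a legitimate page
    return "unknown"


def find_unexpected_aspx(listing):
    """Given paths under wwwroot, return [(path, verdict)] for every .aspx that
    is not in the baseline, with lookalikes listed first."""
    hits = [(p, classify_aspx(p)) for p in listing if p.lower().endswith(".aspx")]
    hits = [h for h in hits if h[1] != "known"]
    hits.sort(key=lambda h: h[1] != "lookalike")
    return hits


def parse_iis_log(lines):
    """Yield one dict per W3C extended IIS log line, keyed by the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def requests_to(log_lines, suspect_names):
    """Return (client_ip, method, uri_stem, status) for requests to suspect files."""
    suspects = {s.lower() for s in suspect_names}
    out = []
    for rec in parse_iis_log(log_lines):
        stem = rec.get("cs-uri-stem", "")
        if basename(stem).lower() in suspects:
            out.append((rec["c-ip"], rec["cs-method"], stem, rec["sc-status"]))
    return out


def triage(listing, log_lines):
    """Flag unexpected .aspx files, then pull every logged request to them."""
    unexpected = find_unexpected_aspx(listing)
    names = [basename(p) for p, _ in unexpected]
    return unexpected, requests_to(log_lines, names)


# Constructed sample data (hypothetical paths, documentation-range client IP).
SAMPLE_WWWROOT = [
    r"C:\MOVEitTransfer\wwwroot\human.aspx",
    r"C:\MOVEitTransfer\wwwroot\human2.aspx",
    r"C:\MOVEitTransfer\wwwroot\machine.aspx",
    r"C:\MOVEitTransfer\wwwroot\images\logo.png",
    r"C:\MOVEitTransfer\wwwroot\tmpfile.aspx",
]

SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-05-28 03:14:07 10.0.0.5 GET /human.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 120
2023-05-28 03:14:09 10.0.0.5 POST /human2.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 45
2023-05-28 03:15:31 10.0.0.5 GET /human2.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 30
"""

if __name__ == "__main__":
    files, hits = triage(SAMPLE_WWWROOT, SAMPLE_IIS_LOG.splitlines())
    for path, verdict in files:
        print(f"{verdict:9} {path}")
    for ip, method, uri, status in hits:
        print(f"request from {ip}: {method} {uri} -> {status}")
```

On a live host, feed `find_unexpected_aspx` a directory walk of the MOVEit web root and `requests_to` the current IIS log files. A lookalike hit such as human2.aspx should be treated as a compromise indicator in its own right; an "unknown" hit may simply be a page missing from your baseline, which is why the baseline has to come from a clean install rather than from guesswork.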

It is also crucial to maintain layered security controls, regularly review the network environment for anomalies, and keep a tested, secure backup and disaster recovery plan.

In conclusion, this attack highlights the growing risk that zero-day flaws in widely deployed software pose, and the need for software vendors to improve their quality and security testing. Organisations must also be proactive in identifying, mitigating, and swiftly patching vulnerabilities in the software they run.

