The zero-day vulnerability attackers have exploited to compromise vulnerable installations of Progress Software’s MOVEit Transfer finally has an identification number: CVE-2023-34362.
Based on information shared by Mandiant, Rapid7 and other security researchers, the attackers seem to have opportunistically targeted as many exposed organizations as possible, including US government agencies and banks.
Microsoft is attributing the initial attacks to the Cl0p ransomware group (aka FIN11, or Lace Tempest – according to its new threat actor taxonomy).
Mandiant has also noted similarities between the tactics, techniques, and procedures (TTPs) used by these attackers and those associated with FIN11: the exploitation of zero-day vulnerabilities to target file transfer systems and the use of tailored web shells for data theft.
“Mandiant has also observed at least one actor associated with CLOP recently seeking partners to work on SQL injections,” company researchers said. (CVE-2023-34362 is a SQL injection vulnerability that allows unauthorized, remote access to MOVEit Transfer’s database.)
The attackers stole sensitive data
Progress Software released the first version of the security advisory addressing CVE-2023-34362 on May 31, and confirmed that it had been exploited in the wild before that day.
Based on its incident response engagements, Mandiant says that the earliest evidence of exploitation occurred on May 27, 2023, and that in some instances, the attackers began exfiltrating data within minutes.
The company named the webshell Lemurloot.
“The malware authenticates incoming connections via a hard-coded password and can run commands that will download files from the MOVEit Transfer system, extract its Azure system settings, retrieve detailed record information, create and insert a particular user, or delete this same user. Data returned to the system interacting with LEMURLOOT is gzip compressed,” Mandiant’s analysts explained, and shared indicators of compromise and YARA rules for detecting the webshell and associated artifacts.
They have also confirmed that in some cases, the attackers made off with large volumes of files and Azure Storage Blob information (including credentials) from the MOVEit Transfer application settings, “suggesting that actors exploiting this vulnerability may be stealing files from Azure in cases where victims are storing appliance data in Azure Blob storage.”
Rapid7 incident responders also confirmed attacks dating back to at least May 27. “Our teams have observed the same webshell name in multiple customer environments, which may indicate automated exploitation,” they noted.
What to do if your organization fell victim?
Every organization that had MOVEit Transfer’s web interface exposed on the internet in the last 30 days should analyze the system for evidence of compromise – and is likely to find it.
“Assess what data was stolen and determine your data breach disclosure obligations as quickly as you can,” Mandiant CTO Charles Carmakal advised.
Rapid7’s incident responders have pointed to a simple way to determine which data was exfiltrated by the attackers: users need to consult the MOVEit event logs, “before wiping or restoring the application from an earlier backup.”
“Progress Software’s engineering team told Rapid7 that while event logging is not enabled by default in MOVEit Transfer, it’s common for their customers to enable it post-installation. Therefore, many instances of the MOVEit application may have these records available on the host,” they explained.
Once the investigation is concluded, affected orgs should implement the offered patch/security update or implement mitigations to prevent subsequent attacks leveraging the same security hole.
Carmakal also noted that Cl0p’s emails are occasionally blocked by spam gateways or ignored by employees, so victim organizations should “consider e-discovery searches and email quarantine reviews.”