Clop Ransomware Gang Likely Aware of MOVEit Transfer Vulnerability Since 2021

by crpt os


Jun 08, 2023 | Ravie Lakshmanan | Ransomware / Zero-Day

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software’s MOVEit Transfer application to drop ransomware.

“The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection vulnerability in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer,” the agencies said.

“Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases.”

The prolific cybercrime gang has since issued an ultimatum to several impacted businesses, urging them to get in touch by June 14, 2023, or risk getting all their stolen data published.


Microsoft is tracking the activity under the moniker Lace Tempest (aka Storm-0950), which has also been implicated in the exploitation of a critical security vulnerability in PaperCut servers.

Active since at least February 2019, the adversary has been linked to a wide range of activities in the cybercrime ecosystem, including operating a ransomware-as-a-service (RaaS) and acting as an affiliate for other RaaS schemes.

It has also been observed acting as an initial access broker (IAB), profiting from the sale of access to compromised enterprise networks, and as a customer of other IABs, underscoring the interconnected nature of the threat landscape.

[Image: MOVEit Transfer Cl0p Ransomware. Source: Kroll]

The abuse of CVE-2023-34362, an SQL injection flaw in MOVEit Transfer, is a sign that the adversary continuously seeks zero-day exploits in internet-facing applications and uses them to extort victims.

It’s worth noting that Cl0p carried out similar mass exploitation attacks on other managed file transfer applications such as Accellion FTA and GoAnywhere MFT over the past year.


Attack surface management firm Censys said it has observed a drop in the number of hosts running exposed MOVEit Transfer instances from over 3,000 hosts to little more than 2,600.

“Several of these hosts are associated with high-profile organizations, including multiple Fortune 500 companies and both state and federal government agencies,” Censys noted, highlighting finance, technology, and healthcare as the sectors with the most exposures.


Kroll, in an analysis shared with The Hacker News, said it identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular flaw in April 2022 and as far back as July 2021.

The finding is particularly significant because it illustrates the attacker's technical expertise and the planning that went into staging the intrusions well before the recent wave of exploitation began.


“Commands during the July 2021 time frame appeared to be run over a longer amount of time, suggesting that testing may have been a manual process at that point before the group created an automated solution that it began testing in April 2022,” Kroll said.

The July 2021 exploitation is said to have originated from an IP address (45.129.137[.]232) that was previously attributed to the Cl0p actor in connection with attempts to exploit flaws in SolarWinds' Serv-U product around the same time.

“This is the third time Cl0p ransomware group have used a zero day in webapps for extortion in three years,” security researcher Kevin Beaumont said. “In all three cases they were products with security in the branding.”
