A threat group with likely links to the financially motivated group known as FIN11 and other known adversaries is actively exploiting a critical zero-day vulnerability in Progress Software’s MOVEit Transfer app to steal data from organizations using the managed file transfer technology.
MOVEit Transfer is a managed file transfer app that organizations use to exchange sensitive data and large files both internally and externally. Organizations can deploy the software on-premises, or as infrastructure-as-a-service or as software-as-a-service in the cloud. Progress claims thousands of customers for MOVEit including major names such as Disney, Chase, BlueCross BlueShield, Geico, and Major League Baseball.
Researchers from Google’s Mandiant security group who are tracking the threat believe the exploit activity may well be a precursor to follow-on ransomware attacks on organizations that have fallen victim so far. A similar pattern played out earlier this year after an attacker exploited a zero-day flaw in Forta’s GoAnywhere file transfer software to access customer systems and steal data from them.
The Microsoft Threat Intelligence team meanwhile said via Twitter today that it has attributed the attack to a baddie it calls “Lace Tempest,” which is a financially motivated threat and ransomware affiliate that has ties to not only FIN11, but also TA505, Evil Corp, and the Cl0p gang.
Data Theft Happening in Minutes
An initial investigation into the MOVit Transfer attacks by Mandiant showed that the exploit activity began on May 27, or roughly four days before Progress disclosed the vulnerability and issued patches for all affected versions of the software. Mandiant has so far identified victims across multiple industry sectors located in Canada, India, and the US but believes the impact could be much broader.
“Following exploitation of the vulnerability, the threat actors are deploying a newly discovered LEMURLOOT Web shell with filenames that masquerade as human.aspx, which is a legitimate component of the MOVEit Transfer software,” Mandiant said in a blog post June 2.
The Web shell allows the attackers to issue commands for enumerating files and folders on a system running MOVEit Transfer software, retrieve configuration information, and create or delete a user account. Mandiant’s initial analysis showed the threat actor is using LEMURLOOT to steal data that MOVEit Transfer users might have previously uploaded. “In some instances, data theft has occurred within minutes of the deployment of Web shells,” Mandiant said. Further, LEMURLOOT samples on VirusTotal since May 28 suggest that organizations in several other countries including Germany, Italy, and Pakistan are also impacted.
Mandiant is tracking the threat actor as UNC4857 and has described it as a previously unknown group with unknown motivations. But several artifacts from the group’s attacks on MOVEit Transfer customers suggest a connection to FIN11, Mandiant said. FIN11 is a group that security researchers have associated with numerous financially motivated attacks on banks, credit unions, retailers, and other organizations since at least 2016.
Days & Likely Weeks of Exploit Activity
Progress itself has advised customers to review their MOVEit Transfer environments for suspicious activity during the past 30 days, suggesting the exploit activity may have been going on at least for that long. It has identified the vulnerability (now tracked as CVE-2023-34362) as an SQL injection error that affects all versions of its file transfer software. The flaw allows for unauthenticated access to MOVEit Transfer’s database, the company noted, urging customers to patch the flaw on an emergency basis. The company’s advisory included a sequence of mitigation steps that it recommends organizations take before they deploy the patch.
Greynoise, which collects and analyzes data on Internet noise, says it has observed scanning activity related to MOVEit going back to March 3 and has recommended that customers should extend the window for their review to at least 90 days.
John Hammond, senior security researcher at Huntress, says his company’s investigation of the zero-day vulnerability in MOVEit Transfer suggests it could either be a SQL injection flaw as Progress has indicated, or it could be an unrestricted file upload vulnerability — or both. “We don’t know the adversary’s tooling just yet,” Hammond says. While Progress has stated publicly that it is a SQL injection vulnerability, the full details of the attack chain and exploit remain unknown, he says.
“The behavior that we see of staging a human2.aspx for this specific operation looks to be an uploaded file used for further persistence and post-exploitation after SQL injection,” Hammond says. “The SQL injection vulnerability may open the door for this functionality by either bypassing authentication or leaking sensitive database information. But unfortunately, we aren’t quite sure what or how yet.”
Thousands of Potentially Vulnerable Hosts
Meanwhile, Censys said it’s search engine and Internet scanning platform had identified 3,803 hosts currently using the MOVEit service. Many of these instances are likely unpatched and therefore vulnerable to attack, Censys said. “What is particularly concerning is the diverse range of industries relying on this software, including the financial sector, education (with 27 hosts), and even the US federal and state government (with over 60 hosts),” Censys said in a June 2 blog post.
The attack on MOVEit follows similar zero-day exploit activity that targeted Forta’s GoAnywhere Managed File Transfer product in January. In that instance, the attackers leveraged a zero-day remote code execution flaw (CVE-2023-0669) in GoAnywhere to create unauthorized user accounts on some customer systems and used those accounts to steal data and install additional malware in the environment.
Shortly after Forta’s vulnerability disclosure, the Cl0p ransomware gang said it had exploited the issue at over 130 organizations worldwide. Security researchers expect file transfer technologies such as those from MOVEit and GoAnywhere to become increasingly popular targets for ransomware actors looking to pivot away from data encryption attacks to data theft.
File transfer appliances and products from Accellion to GoAnywhere have become a valuable target for cybercriminals, says Satnam Narang, senior staff research engineer at Tenable. This is especially true for ransomware gangs such as Cl0p that have breached hundreds of organizations that rely on managed file transfer services to transfer sensitive data, he notes.
“Businesses have come to rely on file transfer solutions over the years, which is why there are several different options available,” Narang says. “By compromising file transfer solutions, threat actors are able to steal data on tens of hundreds of businesses.”
He adds, “By targeting individual file transfer instances, adversaries often have an opportunity to access very sensitive information. This proves to be valuable for threat actors, especially ransomware groups, who will threaten to leak the stolen data on the Dark Web.”