Mass Exploitation of Zero-Day Bug in MOVEit File Transfer Underway

Published: 23/11/2024   Category: security




With shades of the GoAnywhere attacks, a cyber threat actor linked to FIN11 is leveraging a bug in the widely used managed file transfer product to steal data from organizations in multiple countries.



A threat group with likely links to the financially motivated group known as FIN11 and other known adversaries is actively exploiting a critical zero-day vulnerability in Progress Software's MOVEit Transfer app to steal data from organizations using the managed file transfer technology.
MOVEit Transfer is a managed file transfer app that organizations use to exchange sensitive data and large files both internally and externally. Organizations can deploy the software on-premises, or as infrastructure-as-a-service or as software-as-a-service in the cloud. Progress claims thousands of customers for MOVEit including major names such as Disney, Chase, BlueCross BlueShield, Geico, and Major League Baseball.
Researchers from Google's Mandiant security group who are tracking the threat believe the exploit activity may well be a precursor to follow-on ransomware attacks on the organizations that have fallen victim so far. A similar pattern played out earlier this year after an attacker exploited a zero-day flaw in Fortra's GoAnywhere file transfer software to access customer systems and steal data from them.
The Microsoft Threat Intelligence team meanwhile said via Twitter today that it has attributed the attack to a baddie it calls Lace Tempest, a financially motivated threat and ransomware affiliate that has ties not only to FIN11, but also to TA505, Evil Corp, and the Cl0p gang.
An initial investigation into the MOVEit Transfer attacks by Mandiant showed that the exploit activity began on May 27, roughly four days before Progress disclosed the vulnerability and issued patches for all affected versions of the software. Mandiant has so far identified victims across multiple industry sectors located in Canada, India, and the US, but believes the impact could be much broader.
"Following exploitation of the vulnerability, the threat actors are deploying a newly discovered LEMURLOOT Web shell with filenames that masquerade as human.aspx, which is a legitimate component of the MOVEit Transfer software," Mandiant said in a blog post June 2.
The Web shell allows the attackers to issue commands for enumerating files and folders on a system running MOVEit Transfer software, retrieve configuration information, and create or delete a user account. Mandiant's initial analysis showed the threat actor is using LEMURLOOT to steal data that MOVEit Transfer users might have previously uploaded. "In some instances, data theft has occurred within minutes of the deployment of Web shells," Mandiant said. Further, LEMURLOOT samples uploaded to VirusTotal since May 28 suggest that organizations in several other countries, including Germany, Italy, and Pakistan, are also impacted.
Mandiant is tracking the threat actor as UNC4857 and has described it as a previously unknown group with unknown motivations. But several artifacts from the group's attacks on MOVEit Transfer customers suggest a connection to FIN11, Mandiant said. FIN11 is a group that security researchers have associated with numerous financially motivated attacks on banks, credit unions, retailers, and other organizations since at least 2016.
Progress itself has advised customers to review their MOVEit Transfer environments for suspicious activity during the past 30 days, suggesting the exploit activity may have been going on for at least that long. It has identified the vulnerability (now tracked as CVE-2023-34362) as a SQL injection error that affects all versions of its file transfer software. The flaw allows unauthenticated access to MOVEit Transfer's database, the company noted, urging customers to patch the flaw on an emergency basis. The company's advisory included a sequence of mitigation steps that it recommends organizations take before they deploy the patch.
Greynoise, which collects and analyzes data on Internet noise, says it has observed scanning activity related to MOVEit going back to March 3 and has recommended that customers extend the window for their review to at least 90 days.
John Hammond, senior security researcher at Huntress, says his company's investigation of the zero-day vulnerability in MOVEit Transfer suggests it could either be a SQL injection flaw, as Progress has indicated, or an unrestricted file upload vulnerability — or both. "We don't know the adversary's tooling just yet," Hammond says. While Progress has stated publicly that it is a SQL injection vulnerability, the full details of the attack chain and exploit remain unknown, he says.
"The behavior that we see of staging a human2.aspx for this specific operation looks to be an uploaded file used for further persistence and post-exploitation after SQL injection," Hammond says. "The SQL injection vulnerability may open the door for this functionality by either bypassing authentication or leaking sensitive database information. But unfortunately, we aren't quite sure what or how yet."
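The two concrete defender-side facts in the reporting above are the indicator (a Web shell whose filename imitates the legitimate human.aspx, observed as human2.aspx) and the review windows (30 days per Progress, at least 90 days per Greynoise). The following Python script is an added example, not code from the article, Mandiant, Progress, or Huntress: it triages a file listing of a MOVEit Transfer web root, flagging .aspx files whose names resemble human.aspx and .aspx files modified inside the chosen review window. The listing it runs on is constructed for illustration; apart from human.aspx and human2.aspx, which the article names, the file names and timestamps in it are made up, and the web-root location on a real server is assumed to be supplied by the reviewer.

```python
"""Triage a MOVEit Transfer web-root listing for Web-shell indicators.

Added example (not from the article or the vendors it quotes). It checks two
things the reporting describes: an .aspx filename that mimics the legitimate
human.aspx handler (e.g. human2.aspx), and any .aspx file modified inside the
recommended review window (30 days per Progress, 90 days per Greynoise).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

LEGITIMATE_HANDLER = "human.aspx"      # legitimate MOVEit Transfer component named in the article
REVIEW_WINDOW_PROGRESS_DAYS = 30       # review window recommended by Progress
REVIEW_WINDOW_GREYNOISE_DAYS = 90      # longer window recommended by Greynoise


@dataclass(frozen=True)
class FileEntry:
    path: str           # path relative to the web root, "/"-separated
    modified: datetime  # last-modified time, timezone-aware (UTC)


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


# "human" followed by at least one extra character before ".aspx" (human2.aspx,
# human_x.aspx, ...). The exact legitimate name human.aspx does not match.
_LOOKALIKE = re.compile(r"^human.+\.aspx$", re.IGNORECASE)


def triage(entries, now, window_days=REVIEW_WINDOW_GREYNOISE_DAYS):
    """Return a Finding for every .aspx entry that trips an indicator.

    A single file can produce two findings (lookalike name and recent change),
    which is exactly the combination human2.aspx would show.
    """
    findings = []
    cutoff = now - timedelta(days=window_days)
    for entry in entries:
        name = entry.path.rsplit("/", 1)[-1]
        if not name.lower().endswith(".aspx"):
            continue  # only server-side handlers matter for this check
        if name.lower() != LEGITIMATE_HANDLER and _LOOKALIKE.match(name):
            findings.append(Finding(entry.path, f"filename mimics {LEGITIMATE_HANDLER}"))
        if entry.modified >= cutoff:
            findings.append(Finding(entry.path, f"modified within the last {window_days} days"))
    return findings


def summarize(findings):
    """Group reasons by path so a reviewer sees each suspicious file once."""
    by_path = {}
    for finding in findings:
        by_path.setdefault(finding.path, []).append(finding.reason)
    return by_path


# Constructed sample listing (not real data). Timestamps are UTC. human.aspx and
# human2.aspx are the names from the article; status.aspx and logo.png are made up.
NOW = datetime(2023, 6, 2, tzinfo=timezone.utc)  # date of the June 2 posts the article cites
SAMPLE_LISTING = [
    FileEntry("wwwroot/human.aspx", datetime(2022, 12, 1, tzinfo=timezone.utc)),
    FileEntry("wwwroot/status.aspx", datetime(2022, 12, 1, tzinfo=timezone.utc)),
    FileEntry("wwwroot/human2.aspx", datetime(2023, 5, 27, tzinfo=timezone.utc)),
    FileEntry("wwwroot/images/logo.png", datetime(2023, 5, 30, tzinfo=timezone.utc)),
]


if __name__ == "__main__":
    for days in (REVIEW_WINDOW_PROGRESS_DAYS, REVIEW_WINDOW_GREYNOISE_DAYS):
        print(f"--- review window: {days} days ---")
        for path, reasons in summarize(triage(SAMPLE_LISTING, NOW, days)).items():
            print(f"{path}: {'; '.join(reasons)}")
```

On a real server the entries would come from walking the MOVEit Transfer web root (its location is deployment-specific and is left to the reviewer here), and a file that trips only the "recently modified" check needs to be reconciled against the patch date before it is treated as hostile, since applying the vendor patch legitimately updates handlers. The lookalike check, by contrast, has no benign explanation on a stock install and is the finding to escalate first.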
Meanwhile, Censys said its search engine and Internet scanning platform had identified 3,803 hosts currently running the MOVEit service. Many of these instances are likely unpatched and therefore vulnerable to attack, Censys said. "What is particularly concerning is the diverse range of industries relying on this software, including the financial sector, education (with 27 hosts), and even the US federal and state government (with over 60 hosts)," Censys said in a June 2 blog post.
The attack on MOVEit follows similar zero-day exploit activity that targeted Fortra's GoAnywhere Managed File Transfer product in January. In that instance, the attackers leveraged a zero-day remote code execution flaw (CVE-2023-0669) in GoAnywhere to create unauthorized user accounts on some customer systems and used those accounts to steal data and install additional malware in the environment.
Shortly after Fortra's vulnerability disclosure, the Cl0p ransomware gang said it had exploited the issue at over 130 organizations worldwide. Security researchers expect file transfer technologies such as MOVEit and GoAnywhere to become increasingly popular targets for ransomware actors looking to pivot away from data encryption attacks to data theft.
"File transfer appliances and products from Accellion to GoAnywhere have become a valuable target for cybercriminals," says Satnam Narang, senior staff research engineer at Tenable. This is especially true for ransomware gangs such as Cl0p that have breached hundreds of organizations that rely on managed file transfer services to transfer sensitive data, he notes.
"Businesses have come to rely on file transfer solutions over the years, which is why there are several different options available," Narang says. "By compromising file transfer solutions, threat actors are able to steal data on tens of hundreds of businesses."
He adds, "By targeting individual file transfer instances, adversaries often have an opportunity to access very sensitive information. This proves to be valuable for threat actors, especially ransomware groups, who will threaten to leak the stolen data on the Dark Web."
