A newly discovered threat campaign has been observed exploiting the recently uncovered, critical-severity MOVEit Transfer vulnerability in order to launch data extortion attacks against organizations in the U.S., Canada and India.
Researchers said they recently observed the threat actors associated with the threat cluster (UNC4857) exploiting the SQL injection flaw (CVE-2023-34362) in order to deploy a new web shell called LEMURLOOT on vulnerable systems, with the end goal of stealing data from victims.
“The seemingly opportunistic nature of this campaign and subsequent data theft activity is consistent with activity that we’ve seen from extortion actors, which means victim organizations could potentially receive ransom emails in the coming days to weeks,” said Mandiant researchers in a Friday analysis.
The new details on attacks come as a number of MOVEit Transfer flaw cyberattack victims come forward. On Monday, payroll firm Zellis said that a "small number" of its customers were impacted by exploits of the MOVEit Transfer bug. Other firms have come forward, including the BBC, which on Monday reported that data stolen included staff ID numbers, dates of birth, home addresses and national insurance numbers.
Researchers found several LEMURLOOT filenames disguised as MOVEit Transfer’s legitimate human.aspx component, revealing that the web shell is tailored to interact with the platform. For instance, various LEMURLOOT samples called human2.aspx were uploaded to VirusTotal (as well as public repositories from other countries, like Italy, Pakistan and Germany) on May 28.
The web shell’s functionality also appears to be tailored to the MOVEit Transfer platform. LEMURLOOT has capabilities to authenticate incoming connections (via a hard-coded password), enumerate and download files and folders, retrieve configuration information, and create or delete a particular user with a hard-coded name. Researchers believe the web shell is being used to steal data, with attackers in multiple cases stealing large volumes of files from targeted MOVEit Transfer systems.
“LEMURLOOT can also steal Azure Storage Blob information, including credentials, from the MOVEit Transfer application settings, suggesting that actors exploiting this vulnerability may be stealing files from Azure in cases where victims are storing appliance data in Azure Blob storage, although it is unclear if theft is limited to data stored in this way,” said researchers.
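Because the web shell was dropped under names that imitate the legitimate human.aspx handler, one practical defender check is to diff the deployed MOVEit Transfer web root against a known-clean copy and flag new or modified server-side script files, with an extra flag for human.aspx look-alike names. The script below is an added example, not Mandiant's, Progress's or Microsoft's code; the baseline directory, the set of script extensions and the sample file contents are assumptions constructed for the demonstration, and the SHA-256 it reports is there so an analyst can look a hit up in VirusTotal.

```python
"""Hunt for web-shell drops in a MOVEit Transfer web root by diffing it against a clean baseline.

Added example; the baseline tree, extension list and sample files are constructed assumptions.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Names that imitate the legitimate human.aspx handler (e.g. human2.aspx), as reported for LEMURLOOT.
HUMAN_LOOKALIKE = re.compile(r"^human(?!\.aspx$)[^/\\]*\.aspx$", re.IGNORECASE)

# Server-side script types worth reporting; assumed list, extend to match the deployment.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asax", ".dll")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 (hits can be looked up on VirusTotal)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Map each file's path relative to root (forward slashes) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def find_webshell_candidates(deployed: Path, baseline: Path) -> list[dict]:
    """Compare a live wwwroot against a known-clean copy and return findings sorted by path.

    A file is reported when it is a server-side script that is absent from the baseline
    or whose content differs from it; human.aspx look-alike names get an extra reason.
    """
    live, clean = hash_tree(deployed), hash_tree(baseline)
    findings = []
    for rel in sorted(live):
        name = os.path.basename(rel)
        if not name.lower().endswith(SCRIPT_EXTS):
            continue  # static content and text files are out of scope for this check
        reasons = []
        if rel not in clean:
            reasons.append("not in baseline")
        elif clean[rel] != live[rel]:
            reasons.append("content differs from baseline")
        if HUMAN_LOOKALIKE.match(name):
            reasons.append("human.aspx look-alike name")
        if reasons:
            findings.append({"path": rel, "sha256": live[rel], "reasons": reasons})
    return findings


def demo() -> list[dict]:
    """Build two constructed sample trees (not real MOVEit files) and run the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        base, live = Path(tmp, "baseline"), Path(tmp, "wwwroot")
        for root in (base, live):
            root.mkdir()
            (root / "human.aspx").write_text("<%@ Page %> legitimate handler (constructed)")
            (root / "api.ashx").write_text("<%@ WebHandler %> original (constructed)")
        # Constructed placeholders standing in for a dropped file and a tampered one.
        (live / "human2.aspx").write_text("<%@ Page %> placeholder, not a real sample")
        (live / "api.ashx").write_text("<%@ WebHandler %> modified (constructed)")
        (live / "readme.txt").write_text("ignored: not a server-side script")
        return find_webshell_candidates(live, base)


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], hit["sha256"][:12], ", ".join(hit["reasons"]))
```

Run it against a real deployment as `find_webshell_candidates(Path(r"C:\MOVEitTransfer\wwwroot"), Path(r"D:\clean-wwwroot"))` (paths are placeholders); the baseline should come from a fresh install of the same patched version so that legitimate files are not reported, and any hit should be treated as a trigger for incident response rather than simply deleted.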
UNC4857 does not have solid overlaps with other threat clusters, said Mandiant researchers on Friday. However, researchers said that broad similarities exist in the tactics used by UNC4857 and the FIN11 group, known for deploying the Clop ransomware and targeting organizations in the financial, retail and hospitality sectors. Both groups have exploited file transfer system zero-day flaws in order to deploy web shells to steal data, for instance, with FIN11 in 2021 targeting zero-day flaws in Accellion's file transfer appliance (FTA) to steal data from dozens of organizations.
Mandiant researchers also said they have observed actors associated with Clop seeking partners to work on SQL injections.
“However, we currently have insufficient evidence to determine if there is a relationship between UNC4857 and FIN11,” said researchers. “Ongoing analysis of emerging activity may provide additional insights.”
On Sunday, Microsoft also attributed attacks targeting CVE-2023-34362 to a Clop ransomware affiliate that it calls Lace Tempest, which it said has overlaps with FIN11 and TA505 and has been known to exploit zero-day flaws in order to launch data extortion attacks. Microsoft researchers, who have been partnering with MOVEit Transfer software maker Progress, said they observed the attackers leveraging the flaw to deploy a web shell in order to authenticate as a user with the highest privileges and exfiltrate files.
Details around exploitation of CVE-2023-34362, disclosed on May 31, continue to be uncovered, and researchers said they have found about 2,500 vulnerable instances of MOVEit Transfer exposed to the Internet, mostly in the U.S. Mandiant said it first saw exploit activity on May 27, and GreyNoise researchers saw scanning for the MOVEit Transfer login page as early as March 3. Progress said it has made updates available for all affected versions that fix the vulnerability. Organizations should apply these patches, and Progress also recommends that impacted businesses immediately disable all HTTP and HTTPS traffic to the application.
In many data extortion attacks, ransomware actors do not immediately reach out to victim organizations, so that they can remain undetected on the impacted systems. Because of this, researchers warn that more victims will be discovered in the coming weeks.
“Mandiant routinely observes threat actors with varying motivations targeting sensitive data,” said Mandiant researchers. “For example, state-sponsored threat actors have demonstrated ongoing interest in targeting entities with policy research, military and government files, intellectual property, and personally identifiable information. Cyber criminals can also directly monetize stolen data via extortion operations, post it for sale on underground forums, or leverage it in secondary operations such as business email compromise.”