The Clop ransomware group has been linked to another attack, this time taking advantage of a zero-day vulnerability in Progress Software’s MOVEit Transfer product. According to research by Microsoft, the vulnerability was first noticed on May 31, at which time patches were not available. Progress advised customers to install mitigations, with updates being released on the same day for all affected versions of the managed file transfer (MFT) product. Despite this, security vendors subsequently reported the potential for widespread exploitation of the flaw. On June 6, Microsoft attributed these attacks to a threat actor it has dubbed “Lace Tempest”, known for its involvement in Clop ransomware operations.
This is not the first time that threat actors have taken advantage of zero-day vulnerabilities in MFT software. In January, attackers exploited CVE-2023-0669, a zero-day vulnerability in Fortra’s GoAnywhere MFT product, in a series of data theft and extortion attacks. The pattern appears to be repeating: Microsoft’s research shows that the Clop operators deploy a web shell for data exfiltration after exploiting the MOVEit Transfer flaw.
Security vendor Censys found over 3,000 internet-facing instances of MOVEit Transfer, over 2,800 of which are located in the US, with some used by state and federal government agencies. Although scans cannot determine the exact software version in use, it is unlikely that all of these instances have been patched. Several cybersecurity companies confirm that the first evidence of exploitation of CVE-2023-34362 appeared over the Memorial Day weekend; ransomware gangs are known to target organisations over long holiday periods to maximise disruption.
Progress said that its investigation is ongoing. It initially learnt of the flaw following a customer support call on May 28, during which a customer reported unusual activity within their MOVEit Transfer instance. Following an investigation, the zero-day was identified, and on May 30 Progress reached out to all affected customers, urging them to take immediate mitigation steps. The following day, a public security advisory was issued, though it did not mention that exploitation activity had been detected in the wild.
A spokesperson for Progress has since said that its customers “have been our top priority” throughout the event. The company promptly launched an investigation, informed customers about the vulnerability, provided mitigation steps, disabled access to MOVEit Cloud to protect Cloud customers, developed a security patch to address the vulnerability, and made it available to MOVEit Transfer customers. The spokesperson added that Progress had “also implemented a series of third-party validations to ensure the patch has corrected the exploit,” while recognising the importance of working with cybersecurity experts to ensure the appropriate steps are taken. Authorities have also been alerted to the vulnerability.