Microsoft Links Active Exploitation Of MOVEit Transfer App To Lace Tempest Hackers

Posted on June 5, 2023 at 6:35 PM


Tech giant Microsoft has attributed the ongoing active exploitation of a critical vulnerability in the MOVEit Transfer app to a threat actor group tracked as Lace Tempest. Lace Tempest is a hacking group that is also tracked as Storm-0950.

Microsoft says Lace Tempest hackers are behind MOVEit exploit

The Microsoft Threat Intelligence team released a statement on this exploit in a Twitter thread, saying that exploitation is usually followed by the deployment of a web shell with data exfiltration capabilities. Microsoft said that the flaw in question allows a threat actor to impersonate any user.

“Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims,” Microsoft tweeted.

Lace Tempest is a threat actor group that is also known as Storm-0950. This group operates as a ransomware affiliate, and its activity overlaps with that of other groups, including Evil Corp, FIN11 and TA505. The group is also believed to be the operator behind the extortion site known as Cl0p.

This threat actor group has a reputation for exploiting different zero-day vulnerabilities, after which it extracts data from the victims before extorting them. This threat actor group was recently observed weaponizing a severe flaw within PaperCut servers.

The vulnerability tracked as CVE-2023-34362 is an SQL injection flaw in the MOVEit Transfer application. It allows attackers to gain unauthorized remote access to the application database, after which they can execute arbitrary code.

It is believed that there are more than 3,000 exposed hosts running the MOVEit Transfer service. This is according to data shared by the attack surface management company Censys.

The activity of this threat actor group is also being tracked by Mandiant. The firm tracks the activity under the moniker UNC4857 and has named the web shell LEMURLOOT. Mandiant said that it had detected a wide range of tactical connections with FIN11.
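The attack chain Microsoft describes (exploitation, then a web shell, then data exfiltration) gives defenders a concrete hunting approach: look for .aspx pages being served that are not part of the application's known file set, and for unusually large responses from those pages. The script below is an added illustration, not code from Microsoft, Mandiant or Progress; its log layout, the KNOWN_ASPX inventory, the paths and the threshold are all constructed assumptions.

```python
import re

# Constructed sample log lines in a simplified IIS/W3C-style layout:
# date time method uri-stem status bytes-sent client-ip (not real MOVEit Transfer logs).
SAMPLE_LOG = """\
2023-06-01 02:11:03 GET /app/login.aspx 200 5120 198.51.100.10
2023-06-01 02:11:09 POST /app/login.aspx 302 310 198.51.100.10
2023-06-01 02:12:41 POST /app/files.aspx 200 1024 198.51.100.10
2023-06-01 02:13:05 GET /app/dropped.aspx 200 320 198.51.100.10
2023-06-01 02:13:40 POST /app/dropped.aspx 200 48123456 198.51.100.10
2023-06-01 02:15:22 GET /app/files.aspx 200 4096 203.0.113.7
"""

# Hypothetical inventory of .aspx pages legitimately shipped with the application.
# In practice this is built from a clean install or the vendor's file manifest.
KNOWN_ASPX = {"/app/login.aspx", "/app/files.aspx"}

# Assumed threshold for a "large" response; tune to the deployment's normal transfer sizes.
EXFIL_BYTES = 10 * 1024 * 1024

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<ip>\S+)$"
)

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["bytes"] = int(d["bytes"])
            d["status"] = int(d["status"])
            rows.append(d)
    return rows

def find_unknown_aspx(rows, known=KNOWN_ASPX):
    """Return .aspx URIs that were served successfully (2xx) but are not in the inventory."""
    return sorted({r["uri"] for r in rows
                   if r["uri"].lower().endswith(".aspx")
                   and 200 <= r["status"] < 300
                   and r["uri"] not in known})

def find_exfil_candidates(rows, unknown, threshold=EXFIL_BYTES):
    """Flag requests to unknown pages whose response size exceeds the threshold."""
    return [(r["ip"], r["uri"], r["bytes"]) for r in rows
            if r["uri"] in unknown and r["bytes"] >= threshold]
```

Running `find_exfil_candidates(rows, find_unknown_aspx(rows))` over the parsed sample flags the single large response from the unknown page; a file-system comparison of the web root against the same inventory is the complementary check.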

A statement released by the US Cybersecurity and Infrastructure Security Agency (CISA) last week said that the vulnerability in question has been added to the Known Exploited Vulnerabilities (KEV) catalog. The agency has also directed federal agencies to apply the vendor-provided patches by June 23, 2023.

The MOVEit Transfer campaign follows another zero-day mass exploitation reported against Accellion FTA servers in December 2020, and a similar campaign against GoAnywhere MFT in January 2023. Given the growing risk of these attacks, it is imperative that users deploy patches as soon as possible to mitigate any potential risks.

Exploit on the MOVEit Transfer app claims many victims

The first victims of the exploitation of the critical flaw in the MOVEit Transfer app started to come forward over the weekend. One of these victims is Zellis, a human resources software maker and payroll provider based in the UK. The company released a statement saying that its MOVEit file transfer system was compromised and that the incident had affected several corporate customers.

One of the affected corporate customers is British Airways. The airline giant noted that this breach had affected the payroll data of all its employees based in the UK. A spokesperson from the company also said that it had notified the employees whose personal information was affected by the breach, adding it would provide them with advice and support.

The incident also affected the UK media company BBC. The media giant confirmed that it was affected by the incident at Zellis. A spokesperson from the company said that they were investigating the full extent of the breach, adding that it maintained robust data security and it followed the established reporting guidelines.

The government of Nova Scotia also uses the MOVEit app to transfer files across departments. It released a statement saying that the personal data of some customers might have been compromised because of this breach. The government said that it had taken the affected system offline and it was working to determine the type of information that was stolen and the number of people that were affected.

It is likely that the number of victims affected by the MOVEit Transfer vulnerability will continue to increase in the coming days. According to Microsoft, once these hackers have gained initial access, data exfiltration follows.
