Microsoft has linked the Clop ransomware gang to a recent attack that uses a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations. The company’s Threat Intel team names Lace Tempest cybercrime gang as a key suspect in these attacks.
Who are Lace Tempest hackers?
Microsoft is attributing attacks that exploit the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to the Lace Tempest cybercriminal group known for its ransomware and running the Clop leak site. “Lace Tempest” is the new name, according to Microsoft’s updated classification, for the grouping, better known as TA505, FIN11, or DEV-0950. Attackers have used similar vulnerabilities in the past to steal data and extort victims.
What is MOVEit MFT 0-day Vulnerability?
MOVEit Transfer is a Managed File Transfer (MFT) solution that allows enterprises to securely transfer files between business partners and customers using SFTP, SCP, and HTTP based downloads. It is believed that the attack that were using this breach began on May 27, during the long Memorial Day holiday in the United States. The same day, numerous organizations reported data leaks.
At the end of last week, Progress Software developers warned about the discovery of a critical vulnerability in MOVEit Transfer. According to them, exploitation of this vulnerability could lead to privilege escalation and give third parties unauthorized access to the MOVEit Transfer environment. Attackers used the MOVEit zero-day vulnerability to remove specially crafted web shells on servers, allowing them to extract a list of files stored on the server, upload files, and steal credentials/secrets for configured Azure blob storage containers.
While it was unclear at the time who was behind the attacks, it was widely believed that the Clop ransomware was responsible for the attack due to similarities to previous attacks carried out by the group. After all, this group carried out two of the largest cyberattacks in the history of MFT platforms.
The first occurred in 2020, when Clop exploited the Accellion FTA zero-day vulnerability. The second happened in January of this year, also due to a zero-day vulnerability, but already in the Fortra GoAnywhere MFT. As a result of both attacks, Clop hackers took over the data of hundreds of organizations. We also wrote that FIN7 Hack Group Resumed Activity, Linked to Clop Ransomware and other media indicated that Clop ransomware operators leaked data from two universities.
What then?
At present, the extortion stage has not yet begun, and the victims have not yet received ransom demands. However, it is known that the Clop gang, if Microsoft has not mistaken in their judgments, waits several weeks after the theft. Perhaps hackers structure the stolen data and determine its value. And only when they are ready, they will send their demands to the heads of the affected companies by e-mail. fter the attack on GoAnywhere, it took a little over a month before the hackers published a list of victims on their leak site. This time, it is likely that you also need to wait a bit.
As a workaround, all clients are advised to block external traffic on ports 80 and 443 on the MOVEit Transfer server as soon as possible. At the same time, the developers warned that blocking these ports would prohibit external access to the web interface, interfere with some aspects of automation, block the API, and prevent the Outlook MOVEit Transfer plugin from working.