Associated Families: LemurLoot
Verticals Targeted: Financial, Government
Executive Summary
Industry researchers from multiple vendors observed threat actors leveraging CVE-2023-34362. Microsoft attributed the activity to a Cl0p affiliate dubbed Lace Tempest.
Key Takeaways
- Industry researchers from multiple vendors observed threat actors leveraging CVE-2023-34362.
- CVE-2023-34362 is a critical SQL injection vulnerability affecting Progress Software’s MOVEit Transfer managed file transfer (MFT) software.
- The vulnerability allows an unauthenticated threat actor to access databases associated with MOVEit.
- Microsoft attributed the activity to a Cl0p affiliate dubbed Lace Tempest.
Activity
Industry researchers from multiple vendors observed threat actors leveraging CVE-2023-34362. The activity was first observed in the wild as early as March 2023. Threat actors used the vulnerability to install a webshell/backdoor in order to steal data uploaded via MOVEit Transfer. Mandiant referred to the webshell, written in C#, as LemurLoot. While Mandiant attributed the activity to a new threat cluster, Microsoft attributed the activity to a Cl0p affiliate dubbed Lace Tempest. Researcher Kevin Beaumont observed data being stolen from multiple organizations, including financial and US government entities.
What is CVE-2023-34362?
CVE-2023-34362 is a critical SQL injection vulnerability in the web application of Progress Software’s MOVEit Transfer managed file transfer (MFT) software. An unauthenticated threat actor can exploit it to access the MOVEit Transfer database, and in the activity described above that access was used to plant a webshell. MOVEit Cloud was also affected initially; Progress remediated the cloud service with a backend fix and has issued patches for the currently used on-premises MOVEit Transfer versions. Note that applying the patch closes the injection but does not remove a webshell that was installed before patching, so patched hosts still need to be checked for unauthorized files. CISA added CVE-2023-34362 to its Known Exploited Vulnerabilities (KEV) catalog.
What is Cl0p?
Cl0p is a well-known ransomware-as-a-service (RaaS) family; in this campaign it was leveraged by the affiliate Lace Tempest. It is used by financially motivated threat actors known for ransomware and extortion activities, and both Windows and Linux variants of Cl0p have been observed in the wild.
IOCs
PolySwarm has multiple samples associated with this activity. SHA-256 hashes:
A1269294254e958e0e58fc0fe887ebbc4201d5c266557f09c3f37542bd6d53d7
6cbf38f5f27e6a3eaf32e2ac73ed02898cbb5961566bb445e3c511906e2da1fa
02d9a530964c8b7b8c1ff960ab078f806cb933bda0f2011abc2a25d7e89bc8a9
8fa3cb7a703da1aa49b3ecc80b9172e479dd2a6057a32000b89b0d99272184cc
You can use the following CLI command to search for all associated samples in our portal:
$ polyswarm link list -f CVE-2023-34362
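The hashes above are only useful if they are actually compared against what is on disk. The following is an added example (not PolySwarm's code and not from Progress) that walks a directory tree, hashes every file, and reports matches against the four SHA-256 IOCs listed above. The directory to sweep (for instance the MOVEit Transfer web root) is an assumption you supply on the command line; the first published hash is mixed-case, so the script normalizes IOCs to lower-case before matching, since a raw hexdigest comparison would otherwise miss it.

```python
"""Sweep a directory tree for files whose SHA-256 matches the IOC list above.

Added example for this page, not PolySwarm's or Progress Software's code.
The root directory you point it at (e.g. the MOVEit Transfer web root) is an
assumption; the hashes are the four SHA-256 IOCs listed above.
"""
import hashlib
import os
import re

# The four SHA-256 hashes from the IOC list above, copied as printed.
IOC_HASHES_AS_PUBLISHED = [
    "A1269294254e958e0e58fc0fe887ebbc4201d5c266557f09c3f37542bd6d53d7",
    "6cbf38f5f27e6a3eaf32e2ac73ed02898cbb5961566bb445e3c511906e2da1fa",
    "02d9a530964c8b7b8c1ff960ab078f806cb933bda0f2011abc2a25d7e89bc8a9",
    "8fa3cb7a703da1aa49b3ecc80b9172e479dd2a6057a32000b89b0d99272184cc",
]

_SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize_iocs(hashes):
    """Lower-case and validate SHA-256 strings.

    hexdigest() is lower-case, so a mixed-case IOC (like the first one above)
    would never match without this step. Malformed entries raise rather than
    silently producing an IOC that can never match anything.
    """
    out = set()
    for h in hashes:
        h = h.strip().lower()
        if not _SHA256_RE.match(h):
            raise ValueError(f"not a SHA-256 hex digest: {h!r}")
        out.add(h)
    return out


IOC_SHA256 = normalize_iocs(IOC_HASHES_AS_PUBLISHED)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large uploads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(hashes_by_path, iocs=IOC_SHA256):
    """Pure matching step: return {path: sha256} for entries whose hash is an IOC."""
    return {p: h.lower() for p, h in hashes_by_path.items() if h.lower() in iocs}


def sweep(root, iocs=IOC_SHA256):
    """Walk `root`, hash every regular file, and return the IOC matches.

    Files that cannot be opened (locked, permission denied) are skipped so one
    unreadable file does not abort the whole sweep.
    """
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hashes[path] = sha256_file(path)
            except OSError:
                continue
    return match_hashes(hashes, iocs)


if __name__ == "__main__":
    import sys
    # Usage (path is an assumption): python ioc_sweep.py C:\MOVEitTransfer\wwwroot
    for path, digest in sweep(sys.argv[1]).items():
        print(f"IOC MATCH {digest} {path}")
```

A hash sweep only catches the exact samples listed; a webshell recompiled or trivially altered will not match, so treat a clean result as "these four files are absent", not as proof the host is uncompromised.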
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports