The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

Cl0p Reportedly Using MOVEit 0day (CVE-2023-34362)

Jun 16, 2023 2:33:59 PM / by The Hivemind

Cl0p
Associated Families: LemurLoot
Verticals Targeted: Financial, Government

Executive Summary

Industry researchers from multiple vendors observed threat actors leveraging CVE-2023-34362. Microsoft attributed the activity to a Cl0p affiliate dubbed Lace Tempest.

Key Takeaways

  • Industry researchers from multiple vendors observed threat actors leveraging CVE-2023-34362.
  • CVE-2023-34362 is a critical SQL injection vulnerability affecting Progress Software’s MOVEit Transfer managed file transfer (MFT) software.
  • The vulnerability allows an unauthenticated threat actor to access databases associated with MOVEit.
  • Microsoft attributed the activity to a Cl0p affiliate dubbed Lace Tempest.

Activity

Industry researchers from multiple vendors observed threat actors leveraging CVE-2023-34362. The activity was first observed in the wild as early as March 2023. Threat actors used the vulnerability to install a webshell/backdoor in order to steal data uploaded via MOVEit Transfer. Mandiant referred to the webshell, written in C#, as LemurLoot. While Mandiant attributed the activity to a new threat cluster, Microsoft attributed the activity to a Cl0p affiliate dubbed Lace Tempest. Researcher Kevin Beaumont observed data being stolen from multiple organizations, including financial and US government entities.

What is CVE-2023-34362?

CVE-2023-34362 is a critical SQL injection vulnerability affecting Progress Software’s MOVEit Transfer managed file transfer (MFT) software. The vulnerability allows an unauthenticated threat actor to access databases associated with MOVEit. MOVEit Cloud was initially affected by the vulnerability, but a backend fix remedied the situation. Progress Software has also issued updates to patch other currently used MOVEit versions. CISA added CVE-2023-34362 to its list of known exploited vulnerabilities.

What is Cl0p?

Cl0p ransomware, in this case leveraged by the affiliate Lace Tempest, is a well-known ransomware-as-a-service (RaaS) family. It is typically used by financially motivated threat actor groups known for ransomware and extortion activities. Both Windows and Linux variants of Cl0p have been observed in the wild.

IOCs

PolySwarm has multiple samples associated with this activity.

A1269294254e958e0e58fc0fe887ebbc4201d5c266557f09c3f37542bd6d53d7
6cbf38f5f27e6a3eaf32e2ac73ed02898cbb5961566bb445e3c511906e2da1fa
02d9a530964c8b7b8c1ff960ab078f806cb933bda0f2011abc2a25d7e89bc8a9
8fa3cb7a703da1aa49b3ecc80b9172e479dd2a6057a32000b89b0d99272184cc

You can use the following CLI command to search for all associated samples in our portal:

$ polyswarm link list -f CVE-2023-34362

Topics: Microsoft, Cl0p, LemurLoot, CVE-2023-34362, MOVEit
