MOVEit Transfer zero-day was exploited by Cl0p gang (CVE-2023-34362)
2023-06-05 11:56

The zero-day vulnerability that attackers have been exploiting to compromise Progress Software's MOVEit Transfer installations now has a CVE identifier: CVE-2023-34362.

Microsoft is attributing the initial attacks to the Cl0p ransomware group.

Mandiant has also noted similarities between the tactics, techniques, and procedures used by these attackers and those associated with FIN11: the exploitation of zero-day vulnerabilities to target file transfer systems and the use of tailored web shells for data theft.

"The malware authenticates incoming connections via a hard-coded password and can run commands that will download files from the MOVEit Transfer system, extract its Azure system settings, retrieve detailed record information, create and insert a particular user, or delete this same user. Data returned to the system interacting with LEMURLOOT is gzip compressed," Mandiant's analysts explained of the web shell they track as LEMURLOOT. They also shared indicators of compromise and YARA rules for detecting the web shell and associated artifacts.

Rapid7's incident responders have pointed to a simple way to determine which data was exfiltrated by the attackers: consult the MOVEit event logs "before wiping or restoring the application from an earlier backup."

"Progress Software's engineering team told Rapid7 that while event logging is not enabled by default in MOVEit Transfer, it's common for their customers to enable it post-installation. Therefore, many instances of the MOVEit application may have these records available on the host," they explained.


News URL

https://www.helpnetsecurity.com/2023/06/05/cve-2023-34362-exploited/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                       RISK
2023-06-02  CVE-2023-34362  SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer  critical (CVSS 9.8)

In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.

Attack vector: network
Attack complexity: low
Vendor: progress
Weakness: CWE-89 (SQL Injection)
Risk: critical, CVSS score 9.8
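The advisory above lists the first fixed build in each MOVEit Transfer release branch, which is what an operator actually needs when triaging an install: is my build below the threshold for its branch? The following is an added example, not code from the article, Progress, Mandiant or Rapid7. It encodes the five fixed versions from the advisory text, accepts either the year-style name (2022.1.4) or the internal numbering in parentheses (14.1.4), and treats branches older than anything listed as covered by the advisory's "before 2021.0.6" wording while flagging newer, unlisted branches as not covered rather than guessing. The year-to-major mapping is taken from the parenthesised pairs on the page; the sample version strings at the bottom are constructed for illustration.

```python
"""Triage helper for CVE-2023-34362: is an installed MOVEit Transfer build below
the first fixed version of its release branch?

Added example, not the article's or the vendor's code.  Fixed builds are the
ones named in the advisory text; the year-style name and the internal number
are related as shown there (2021.0.6 = 13.0.6, ..., 2023.0.1 = 15.0.1).
Version strings are assumed to be dotted major.minor.patch in either scheme.
"""

from __future__ import annotations

# First patched build per release branch (major, minor), in internal numbering,
# copied from the advisory: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4),
# 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), 2023.0.1 (15.0.1).
FIXED_BUILDS: dict[tuple[int, int], tuple[int, int, int]] = {
    (13, 0): (13, 0, 6),
    (13, 1): (13, 1, 4),
    (14, 0): (14, 0, 4),
    (14, 1): (14, 1, 5),
    (15, 0): (15, 0, 1),
}

# Year-style major number -> internal major number, derived from the pairs above.
YEAR_TO_MAJOR: dict[int, int] = {2021: 13, 2022: 14, 2023: 15}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse "14.1.4" or "2022.1.4" into an internal (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    # Normalise a year-style name to the internal numbering so both compare alike.
    major = YEAR_TO_MAJOR.get(major, major)
    return major, minor, patch


def assess(text: str) -> str:
    """Return "vulnerable", "patched" or "unknown" for one installed version.

    - Branch listed in the advisory: compare against that branch's first fix.
    - Branch older than the oldest listed one: the advisory's "before 2021.0.6"
      wording covers every earlier release, so report vulnerable.
    - Branch newer than anything listed: this CVE entry says nothing about it,
      so report unknown instead of guessing either way.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_BUILDS:
        return "patched" if version >= FIXED_BUILDS[branch] else "vulnerable"
    if branch < min(FIXED_BUILDS):
        return "vulnerable"
    return "unknown"


def assess_many(versions: list[str]) -> dict[str, str]:
    """Assess a list of version strings, e.g. gathered from an asset inventory."""
    return {v: assess(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts or real telemetry.
    sample = ["12.1.3", "13.0.5", "13.0.6", "2022.1.4", "14.1.5", "15.0.0", "15.1.0"]
    for version, verdict in assess_many(sample).items():
        print(f"{version:>10}  {verdict}")
```

A version at or above the branch threshold is reported as patched against this CVE only; it says nothing about the later MOVEit Transfer fixes that followed, so the table of fixed builds should be extended as new advisories name new versions.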