The Month of MOVEit

In early June, a critical zero-day vulnerability (CVE-2023-34362) affecting the MOVEit file transfer software was reported to be under active exploitation by the Russia-based threat group Lace Tempest, a group known both for ransomware operations and for running the Cl0p extortion site. Since the vulnerability was published, further flaws in the software have also been identified.

News of this compromise caused concern throughout the cyber community, as successful exploitation of a data sharing system like MOVEit would almost certainly result in the loss of significant quantities of sensitive data, which could lead to financial loss and legal action and act as a catalyst for further compromise.

Lace Tempest

Lace Tempest (also known as DEV-0950, FIN11 and TA505) is the Microsoft threat actor designation for the group, which has been actively tracked since October 2022. The group deploys numerous malware payloads to compromise its targets, including Raspberry Robin, Cobalt Strike and Cl0p ransomware. Lace Tempest targets a wide range of organisations across various industry sectors and is assessed to be motivated by financial gain.

Soon after the discovery of the MOVEit zero-day, the group claimed responsibility for its active exploitation. Given Lace Tempest’s affiliation with the Cl0p ransomware site and its financial motivation, it quickly became apparent that any stolen data would highly likely be published online for all to see if the inevitable ransom demand was not met.

Lace Tempest typically uses phishing to gain initial access to target environments. However, the group has recently pivoted to the MOVEit file transfer vulnerability for initial access, and to delivering Cl0p ransomware payloads to existing infections, to achieve its objectives more efficiently. The threat group has also exploited other recently disclosed critical vulnerabilities, such as the PaperCut multifunction vulnerability (CVE-2023-27350), and will almost certainly leverage further vulnerabilities throughout 2023 and beyond.

Threat Hunting

To counter the threat posed by the critical vulnerability, a continuing stream of patches has been released by Progress Software, the owners of MOVEit. These patches safeguard users from further attacks but do not undo any compromise that may have occurred prior to patching. The Quorum Cyber Threat Intelligence team has therefore conducted multiple rounds of proactive threat hunting using the latest available Indicators of Compromise to determine whether any compromise has already taken place.

Victim Monitoring

As with most intrusions involving stolen data and the threat of releasing it, Lace Tempest has been releasing batches of victim names and their associated data on its dark web site, CL0P^_-LEAKS. The naming of victims began on 14th June and will highly likely continue over the coming weeks, given the large volume of suspected victims and as negotiations unfold.

The Quorum Cyber Threat Intelligence team is monitoring this site and will raise an alert should customers be named.

Looking ahead

The situation is still unfolding, with new flaws in the software being revealed and patched over the course of the month. To remain up to date with the latest MOVEit news, we recommend that you follow our latest intelligence bulletins on our website.

[Figure: An Intelligence Terminology Yardstick showing the likelihood of events]