Microsoft has formally linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to the threat actor it tracks as Lace Tempest.
“Web shells with data extraction capabilities are often deployed after exploits,” the Microsoft Threat Intelligence team said in a series of tweets today. “CVE-2023-34362 allows attackers to authenticate as arbitrary users.”
Lace Tempest, also known as Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It is also known for running the Cl0p extortion site.
The actor also has a track record of exploiting various zero-day flaws to siphon data and extort victims; most recently, the group was observed weaponizing critical bugs in PaperCut servers.
CVE-2023-34362 is a SQL injection vulnerability in MOVEit Transfer that allows unauthenticated, remote attackers to access its database and execute arbitrary code.
According to data from attack surface management company Censys, at least 3,000 public hosts are believed to be running the MOVEit Transfer service.
Google-owned Mandiant, which tracks this activity under the name UNC4857 and labels the web shell LEMURLOOT, said it had identified extensive tactical ties to FIN11.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog last week, recommending that federal agencies apply the vendor-supplied patch by June 23, 2023.
This development follows similar mass zero-day exploitation of Accellion FTA servers in December 2020 and GoAnywhere MFT in January 2023, making it essential that users apply the patches as soon as possible to protect against potential risks.