
Picus Security Analyzes CL0P Ransomware Exploitation of MOVEit Vulnerability

Picus Security has analyzed CVE-2023-34362, a critical SQL injection vulnerability in MOVEit Transfer exploited by CL0P ransomware. The exploit allows for data exfiltration and remote code execution.

10 June 2026

Cybersecurity firm Picus Security has released an analysis of CVE-2023-34362, a critical SQL injection vulnerability affecting Progress Software's MOVEit Transfer application, which has been actively exploited by the CL0P ransomware group. This vulnerability allows attackers to steal sensitive data and execute arbitrary code on compromised systems.

The MOVEit Transfer application is widely used by organizations globally, including government and financial institutions, for secure managed file transfers. The vulnerability, first publicly detailed by CISA in June 2023, was actively exploited as early as May 27, 2023. Initial scans indicated over 2,500 MOVEit servers were exposed online, with a significant portion in the United States. Notable organizations, including the BBC and British Airways, have been impacted.

Picus Security's research details how CL0P actors leverage the vulnerability to deploy a web shell named LEMURLOOT. This allows them to establish persistence and download sensitive files from victim environments. The LEMURLOOT web shell requires specific authentication headers to execute commands.

CL0P ransomware is known for employing a double extortion strategy, exfiltrating data before encrypting it. The group has previously been linked to large-scale phishing campaigns. The continued exploitation highlights the need for robust security measures and continuous monitoring.

Picus Security offers security validation platforms that allow organizations to simulate attacks like those perpetrated by CL0P ransomware, enabling them to test and enhance their defenses against real-world threats.

Original source: picussecurity.com