Lace Tempest/Clop ransomware gang exploits MOVEit vulnerability CVE-2023-34362

Sicherheit (Pexels, allgemeine Nutzung)[German]The SQL injection vulnerability CVE-2023-34362 in the Managed File Transfer (MFT) solution MOVEit has been known for a few days. This vulnerability has been exploited by attackers for some time and security authorities are now warning about the risks of unpatched systems. Microsoft has now disclosed that the vulnerability is now the focus of the Lace Tempest hacker group, which is active for the Clop ransomware gang.


MOVEit vulnerability CVE-2023-34362

A vulnerability exists in the Managed File Transfer (MFT) solution MOVEit that allows privilege escalation and unauthorized access to the software's environment. CVE-2023-34362 is an SQL injection vulnerability in the MOVEit Transfer web application. This vulnerability could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database.

The vendor of the software, the US-based Progress Software Corporation has published a security advisory on the vulnerability as of May 31, 2023. I had reported on this vulnerability in the blog post Warning: MOVEit vulnerability is abused in attacks, data extradicted. Cyber security agencies around the world are also warning about this vulnerability. Colleagues at Bleeping Computer report here that the U.S. National Security Agency (CISA) has asked U.S. agencies to patch the vulnerability by June 23, 2023.

MOVEit is a managed file transfer (MFT) software that allows files to be transferred between different computers. The software is developed by Ipswitch, a subsidiary of the US company Progress Software Corporation. MOVEit is often used in companies to exchange files between customers or business partners via the Internet. Uploads are supported via the SFTP, SCP and HTTP protocols in order to transfer the files securely.

Microsoft: Lace Tempest/Clop exploit the bug

The vulnerability seems to have been exploited for some time by cybercriminals for stealing information. I just came across this message on Twitter where a SQL database was infected.

MOVEit vulnerability CVE-2023-34362

Addendum: The latest discovery was reported within this tweet. Meanwhile, Microsoft attributes the attacks via the CVE-2023-34362 vulnerability on MOVEit instances to the Lace Tempest hacker group, which is known for ransomware operations and runs the extortion website Clop.


The threat actor has used similar vulnerabilities in the past to steal data and extort victims, Microsoft says. After exploiting the vulnerability, a web shell with data exfiltration capabilities is often installed. CVE-2023-34362 allows attackers to authenticate as an arbitrary user. Lace Tempest (Storm-0950, overlaps with FIN11, TA505) authenticates as the user with the highest privileges to exfiltrate files on victim systems.

Microsoft urges organizations affected by the CVE-2023-34362 vulnerability in MOVEit Transfer to apply security patches and implement the mitigation measures outlined by Progress in their security advisory. The colleagues at Bleeping Computer have also compiled some information here.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *