October 3, 2023

Microsoft attributes the MOVEit vulnerability exploitation campaign to the Cl0p ransomware outfit, which it calls Lace Tempest. That makes this merely the latest in a string of very similar cyberattacks by the gang against file-transfer services.

Ever since June 1, when Progress Software announced a zero-day vulnerability in its MOVEit file transfer program, researchers and potentially affected organizations have been trying to pick up the pieces.

Some notable victims of this campaign have begun coming to light. The government of Nova Scotia is currently trying to gauge how much of its citizens’ data has been stolen, and a breach at Zellis, a UK payroll company, has caused downstream compromises for some of its high-profile clients, including Boots, the BBC, and British Airways.


Where attribution is concerned, as of June 2, Mandiant had been treating the perpetrators as a potentially novel group, with possible links to the FIN11 cybercrime gang, which is known for its ransomware and extortion campaigns and for its status as a Clop affiliate.

Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site. The threat actor has used similar vulnerabilities in the past to steal data & extort victims.

As Microsoft points out, there have been two kinds of Lace Tempest victims. The first are organizations with an exploited server on which a web shell was dropped (and potentially interacted with to conduct reconnaissance). The second are organizations from which Lace Tempest has actually stolen data.

At a bare minimum, customers should not only patch but also “go through those logs, see what artifacts are there, see if you can remove any other hooks and claws. Even if you patch, go make sure that the web shell has been removed and deleted. It’s a matter of due diligence here.”
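The "go through those logs, see what artifacts are there" advice above translates into a concrete triage step: compare what is actually sitting in the web application's root, and what the IIS logs show being requested, against a baseline of script files recorded from a known-good installation. The script below is an added example written for this article; it is not Microsoft's, Progress Software's, or the article author's code. Every file name, IP address and log line in it is a constructed placeholder, and the baseline list is hypothetical: in practice it must be generated from your own clean install, and the log text would be read from the IIS log directory (by default under inetpub\logs\LogFiles on the server).

```python
"""Post-patch triage helper (added example, not from the original article).

Surfaces server-side script files that are present in a web root or requested
in IIS logs but absent from a known-good baseline.  Such files are candidates
for review as dropped web shells; the script flags them, it does not delete them.
All names, addresses and log lines below are constructed placeholders.
"""
import os

SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}

# Constructed baseline of script files recorded from a clean install.
# Hypothetical names: build the real set from your own known-good system.
BASELINE_SCRIPTS = {"login_placeholder.aspx", "portal_placeholder.aspx"}

# Constructed listing of the web root as found after the incident.
WEB_ROOT_LISTING = [
    "login_placeholder.aspx",
    "portal_placeholder.aspx",
    "dropped_placeholder.aspx",   # not in the baseline: candidate artifact
    "web.config",
    "logo.png",
]

# Constructed IIS W3C-format log excerpt; the #Fields: line declares the columns.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-05-28 03:14:07 10.0.0.5 GET /portal_placeholder.aspx - 443 198.51.100.23 Mozilla/5.0 200
2023-05-28 03:14:09 10.0.0.5 POST /dropped_placeholder.aspx - 443 198.51.100.23 Mozilla/5.0 200
2023-05-28 03:14:11 10.0.0.5 GET /logo.png - 443 203.0.113.9 Mozilla/5.0 200
2023-05-28 03:15:02 10.0.0.5 GET /dropped_placeholder.aspx - 443 198.51.100.23 curl/8.0 200
"""


def is_script(name: str) -> bool:
    """True if the file name carries a server-side script extension."""
    return os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS


def unexpected_scripts(listing, baseline):
    """Script files present in the web root but absent from the baseline."""
    return sorted(n for n in listing if is_script(n) and n not in baseline)


def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # layout unknown or line malformed; do not guess
        yield dict(zip(fields, parts))


def requests_to_unexpected_scripts(text, baseline):
    """Requests whose URI stem names a script file that is not in the baseline.

    Returns (timestamp, client_ip, method, uri_stem, status) tuples so the
    reviewer can see who touched the file, how, and whether it answered.
    """
    hits = []
    for rec in parse_iis_log(text):
        name = os.path.basename(rec["cs-uri-stem"])
        if is_script(name) and name not in baseline:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                         rec["cs-method"], rec["cs-uri-stem"], rec["sc-status"]))
    return hits


if __name__ == "__main__":
    for name in unexpected_scripts(WEB_ROOT_LISTING, BASELINE_SCRIPTS):
        print("unexpected script in web root:", name)
    for hit in requests_to_unexpected_scripts(IIS_LOG, BASELINE_SCRIPTS):
        print("request to unexpected script:", *hit)
```

Run against the constructed data, the file check reports the one script not in the baseline, and the log check returns both requests to it, showing that the file was posted to and then fetched again from the same client address. On a real server, a script that is absent from the baseline and also appears in the logs with successful responses is exactly the kind of "hook" the quoted advice says to confirm is gone after patching; the list is a starting point for review, not a verdict.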


MOVEit joins a list of file-transfer services that includes IBM’s Aspera Faspex and Fortra’s GoAnywhere. Not long before, in 2021, Accellion was also observed being exploited by threat actors.
