Who are Lace Tempest?


The ongoing attack on Progress Software's MOVEit Transfer application has been attributed by Microsoft to Lace Tempest. The Microsoft Threat Intelligence team has been quoted as follows:

“Exploitation is often followed by deployment of a web shell with data exfiltration capabilities.”

The Microsoft Threat Intel team said in tweets:

“CVE-2023-34362 allows attackers to authenticate as any user.”

Lace Tempest is also known as Storm-0950, a ransomware affiliate whose activity overlaps with FIN11, TA505 and Evil Corp. The group is also known to run the Cl0p extortion site.

This threat actor has a record of exploiting various zero-day vulnerabilities to exfiltrate data and extort its victims. It has recently been seen weaponizing a critical bug in PaperCut servers.


The MOVEit attack exploits an SQL injection vulnerability in MOVEit Transfer. The flaw allows an unauthenticated, remote attacker to gain access to the application's database and execute arbitrary code.
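To show why an SQL injection flaw can hand an unauthenticated caller control of a database query, here is an added illustration written for this post (it is not MOVEit Transfer code, which is a .NET application; Python and an in-memory SQLite table are used so it runs anywhere). The `users` table, the account names and the placeholder credentials are constructed for the demo. The vulnerable lookup splices request strings into the SQL text; the hardened lookup binds them as parameters so they can only ever be compared as data.

```python
"""Vulnerable vs. parameterised user lookup (added example, not MOVEit code)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample table. Plaintext placeholder passwords keep the demo
    # short; a real system stores password hashes, never plaintext.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "placeholder-pw-1", "admin"),
         ("bob", "placeholder-pw-2", "user")],
    )
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Anti-pattern: caller-controlled strings become part of the SQL text,
    # so input containing a quote or a comment marker rewrites the query.
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn: sqlite3.Connection, username: str, password: str):
    # Fix: bound parameters. The query structure is fixed at write time and
    # the values travel to the engine separately, quotes and all.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    # Same inputs against both lookups: a username carrying a quote and an
    # SQL comment marker, with a password that matches no row.
    conn = make_db()
    crafted = "alice' --"
    return {
        "vulnerable": lookup_user_vulnerable(conn, crafted, "wrong"),
        "safe": lookup_user_safe(conn, crafted, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path the comment marker discards the password check, so the row for `alice` (an admin) comes back without a valid credential, which is the same class of outcome Microsoft describes for CVE-2023-34362. In the parameterised path the identical input is simply a username nobody has, and the lookup returns nothing. Reviewing application code for string-built SQL is the durable fix; web application firewalls and database query logging are compensating controls, not substitutes.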

According to attack surface management company Censys, it is believed that there are roughly 3,000 exposed machines that utilize the MOVEit Transfer service.

Mandiant, which is owned by Google, is tracking this activity as UNC4857 and has named the web shell LEMURLOOT. It has also noted a broad set of tactical overlaps with FIN11.

CISA (the US Cybersecurity & Infrastructure Security Agency) said last week that it had added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue. It has also recommended that federal agencies urgently apply patches by 23 June 2023.

These developments follow similar zero-day exploitation of Accellion FTA servers in December 2020 and GoAnywhere MFT in January 2023. It is therefore extremely important that patches are applied as soon as possible to mitigate the risk from this vulnerability.
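The KEV listing and its 23 June 2023 due date mentioned above are the kind of input a patch-tracking job consumes. The following is an added example, not a CISA tool: it checks a KEV-format feed against a product inventory and reports entries whose remediation date has passed. The feed excerpt is constructed in the field layout of CISA's KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate` and so on); the CVE id, product name and due date of the first entry come from this post, while the second entry and the `dateAdded` values are placeholders.

```python
"""Flag KEV entries past their due date for products you run (added example)."""
import json
from datetime import date

# Constructed excerpt in the layout of the CISA KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the first entry's cveID, product and dueDate are taken from the post;
# everything else is a placeholder and not the catalogue's official text.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-34362",
            "vendorProject": "Progress",
            "product": "MOVEit Transfer",
            "dateAdded": "PLACEHOLDER-DATE",
            "dueDate": "2023-06-23",
            "requiredAction": "PLACEHOLDER-ACTION",
        },
        {
            "cveID": "CVE-PLACEHOLDER-0001",
            "vendorProject": "PLACEHOLDER-VENDOR",
            "product": "PLACEHOLDER-PRODUCT",
            "dateAdded": "PLACEHOLDER-DATE",
            "dueDate": "2023-07-15",
            "requiredAction": "PLACEHOLDER-ACTION",
        },
    ]
})


def overdue_entries(feed_json: str, inventory: set, today: date) -> list:
    """Return (cveID, product, days_overdue) for inventory products whose KEV
    due date is earlier than `today`; entries not yet due are omitted."""
    feed = json.loads(feed_json)
    overdue = []
    for entry in feed["vulnerabilities"]:
        if entry["product"] not in inventory:
            continue  # not something this organisation runs
        due = date.fromisoformat(entry["dueDate"])
        if today > due:
            overdue.append((entry["cveID"], entry["product"], (today - due).days))
    # Longest-overdue first, so the report leads with the worst lapse.
    overdue.sort(key=lambda item: item[2], reverse=True)
    return overdue


if __name__ == "__main__":
    for cve, product, days in overdue_entries(
        KEV_SAMPLE, {"MOVEit Transfer"}, date(2023, 6, 30)
    ):
        print(f"{cve} ({product}) is {days} day(s) past its KEV due date")
```

Feeding the real catalogue instead of `KEV_SAMPLE` is a matter of downloading the JSON and passing its text in; the inventory set is whatever your asset register calls the products, so normalise those names to match the `product` field before relying on the report.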


