5 June 2023

Recent MOVEit MFT 0Day attacks linked to Clop site operators


Microsoft has officially linked a series of recent attacks exploiting a zero-day vulnerability in Progress Software's MOVEit MFT (Managed File Transfer) software to a threat actor it tracks as Lace Tempest, known for conducting ransomware operations and running the Clop ransomware extortion site.

Last week, reports emerged that threat actors are attempting to steal data from organizations using a previously unknown flaw in MOVEit MFT. The zero-day bug is an SQL injection vulnerability that could lead to escalated privileges and potential unauthorized access to the environment. All MOVEit Transfer versions are said to be affected. The software maker has released MOVEit Transfer 2023.0.1, 2022.1.5, 2022.0.4, 2021.1.4, and 2021.0.6 to address the issue. The company urged customers to disable all HTTP and HTTPS traffic to their MOVEit Transfer environment.
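As an added illustration (not the author's or Progress Software's code), a small Python triage helper that classifies inventoried MOVEit Transfer version strings against the fixed releases listed above; the version-string format, the branch-to-fix mapping and the sample inventory are assumptions.

```python
"""Triage helper: decide whether a MOVEit Transfer version string is on a
build that carries the CVE-2023-34362 fix. Added example, not Progress
Software's code. The fixed-version list is the one named in the advisory;
the branch mapping and version-string format are assumptions."""
import re
from typing import Optional, Tuple

# Fixed releases named by Progress (from the article), keyed by branch.
FIXED_BY_BRANCH = {
    (2023, 0): (2023, 0, 1),
    (2022, 1): (2022, 1, 5),
    (2022, 0): (2022, 0, 4),
    (2021, 1): (2021, 1, 4),
    (2021, 0): (2021, 0, 6),
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\.\d+)?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'YYYY.minor.patch' (a trailing build number is ignored)."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one host's version.

    Branches with no listed fix (e.g. 2020.x) are reported as vulnerable:
    the advisory says every MOVEit Transfer version is affected, so the only
    remedy there is an upgrade or taking HTTP/HTTPS offline.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(parsed[:2])
    if fixed is None:
        return "vulnerable"
    return "patched" if parsed >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Map host -> assessment for a {host: version_string} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mft-01": "2023.0.1", "mft-02": "2022.1.3",
              "mft-03": "2020.1.6", "mft-04": "n/a"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```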

According to security researchers, hackers have been exploiting the flaw for at least a month to steal data. Rapid7 said it has noticed an uptick in cases of compromise linked to the flaw since it was disclosed. As of May 31, there were roughly 2,500 instances of MOVEit Transfer exposed to the public internet, the majority of which appear to be in the US.

Data from attack surface management company Censys indicates that there are more than 3,000 hosts currently utilizing the MOVEit service.

Lace Tempest (aka Storm-0950) is a ransomware affiliate that overlaps with other cybercriminal groups like FIN11, TA505, and Evil Corp.

“Exploitation is often followed by deployment of a web shell w/ data exfil capabilities. CVE-2023-34362 allows attackers to authenticate as any user,” Microsoft explained in a series of tweets, urging organizations to apply security patches as soon as possible to address the CVE-2023-34362 vulnerability and reduce the risk of attacks.

