2023 MOVEit data breach explained

Type: Cyberattack, data breach
Cause: MOVEit vulnerabilities
First reporter: Progress Software
Suspects: Cl0p

A wave of cyberattacks and data breaches began in June 2023 after a vulnerability was discovered in MOVEit, a managed file transfer product.

Background

MOVEit is managed file transfer software developed by Ipswitch, Inc., a subsidiary of Progress Software.

Methodology

A vulnerability in MOVEit allows attackers to steal files from organizations through SQL injection on public-facing servers. The file transfers are facilitated through a custom web shell identified as LemurLoot. Disguised as one of the ASP.NET files that MOVEit legitimately uses, LemurLoot can also steal Microsoft Azure Storage Blob information.[1]
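Because the article describes LemurLoot as a web shell disguised as one of the ASP.NET files MOVEit legitimately serves, one defender-side check is to compare the ASP.NET files actually present in the web root against a known-good baseline of what the vendor shipped, and then look in the web server logs for requests to anything that differs. The following is an added example, not code from the article, from Progress Software or from any of the firms cited; it assumes the defender can obtain hashes of the vendor-shipped files (here built from constructed stand-in content) and has IIS logs in a simplified W3C-style layout. All file names, file contents and log lines below are constructed for illustration.

```python
"""Integrity check for the ASP.NET files served from a file-transfer web root.

Added example; not code from the article or from Progress Software. It assumes
a defender holds a baseline (path -> SHA-256) of the legitimate ASP.NET files
shipped with the product and compares it against what is actually deployed.
Every file name, content and log line here is constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Extensions that IIS hands to the ASP.NET runtime. A dropped web shell has to
# use one of these to execute, so these are the files worth baselining.
ASPNET_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".ascx")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(known_good: Dict[str, bytes]) -> Dict[str, str]:
    """Hash the vendor-shipped files once, e.g. from a clean install media copy."""
    return {path: sha256_hex(data) for path, data in known_good.items()}


def find_unexpected_aspnet_files(webroot: Dict[str, bytes],
                                 baseline: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every ASP.NET file that is absent from the
    baseline or whose content no longer matches it. Non-ASP.NET files are
    ignored here; they cannot execute server-side on their own."""
    findings = []
    for path, data in sorted(webroot.items()):
        if not path.lower().endswith(ASPNET_EXTENSIONS):
            continue
        expected = baseline.get(path)
        if expected is None:
            findings.append((path, "not in baseline"))
        elif sha256_hex(data) != expected:
            findings.append((path, "content changed"))
    return findings


# Simplified W3C-style IIS line (constructed layout):
#   date time c-ip cs-method cs-uri-stem sc-status
IIS_LINE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3})$")


def requests_to_paths(log_lines: List[str],
                      flagged_paths: List[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, uri) for every request that hit a flagged file."""
    wanted = {p.lower() for p in flagged_paths}
    hits = []
    for line in log_lines:
        m = IIS_LINE.match(line.strip())
        if not m:
            continue  # "#Fields:" header and malformed lines are skipped
        ts, ip, _method, uri, _status = m.groups()
        if uri.lower().lstrip("/") in wanted:
            hits.append((ts, ip, uri))
    return hits


# Constructed stand-ins for the vendor's own pages (not real MOVEit files).
KNOWN_GOOD = {
    "login.aspx": b'<%@ Page Language="C#" %><!-- vendor login page -->',
    "upload.aspx": b'<%@ Page Language="C#" %><!-- vendor upload page -->',
    "css/site.css": b"body{}",
}
BASELINE = build_baseline(KNOWN_GOOD)

# Constructed snapshot of the live web root: one vendor page was altered and one
# extra ASP.NET page appeared that the vendor never shipped.
LIVE_WEBROOT = {
    "login.aspx": KNOWN_GOOD["login.aspx"],
    "upload.aspx": KNOWN_GOOD["upload.aspx"] + b"<!-- trailing edit -->",
    "css/site.css": b"body{}",
    "svc_helper.aspx": b'<%@ Page Language="C#" %><!-- never shipped -->',
}

# Constructed IIS log lines in the simplified layout above.
SAMPLE_IIS_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2023-06-01 10:00:01 203.0.113.10 GET /login.aspx 200",
    "2023-06-01 10:00:07 203.0.113.10 POST /svc_helper.aspx 200",
    "2023-06-01 10:00:09 198.51.100.7 GET /upload.aspx 200",
    "2023-06-01 10:01:30 203.0.113.10 POST /svc_helper.aspx 200",
]


def run_check():
    """Flag unexpected ASP.NET files, then pull every request that touched them."""
    findings = find_unexpected_aspnet_files(LIVE_WEBROOT, BASELINE)
    hits = requests_to_paths(SAMPLE_IIS_LOG, [p for p, _ in findings])
    return findings, hits


if __name__ == "__main__":
    found, requests = run_check()
    for path, reason in found:
        print(f"FLAG    {path}: {reason}")
    for ts, ip, uri in requests:
        print(f"REQUEST {ts} {ip} {uri}")
```

In practice the baseline would be generated from a clean copy of the installed version and the comparison run against the real web root on a schedule; any file the baseline does not account for, together with the client addresses that requested it, is the starting point for incident response rather than a verdict on its own.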

Discovery

According to cybersecurity firm Mandiant, exploitation of the MOVEit vulnerability began on May 27, 2023.[1]

Responsibility

According to the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, the breaches are being conducted by Cl0p, a Russian-affiliated cybercrime gang.[2]

Impact

On June 3, the Government of Nova Scotia estimated that as many as 100,000 present and past employees were impacted by the breach.[3]

On June 5, various organizations in the United Kingdom, including the BBC, British Airways, Boots, Aer Lingus, and payroll service Zellis were breached.[4] On June 12, Ernst & Young, Transport for London, and Ofcom separately announced that they had been affected, with Ofcom announcing that personal and confidential information was downloaded.[5]

On June 15, CNN reported that the United States Department of Energy was among multiple United States government organizations affected by the MOVEit vulnerability.[6] The following day, it was reported that the Louisiana Office of Motor Vehicles and Oregon Driver and Motor Vehicle Services were hit, affecting millions of residents.[7]

A running total maintained by cybersecurity company Emsisoft showed that more than 2,500 organizations were known to have been impacted as of October 25, 2023, with more than 80 percent of those organizations being US-based.[8]

Response

The MOVEit team has worked with industry experts to investigate the May 31 incident. The Cybersecurity and Infrastructure Security Agency (CISA),[9] CrowdStrike,[10] Mandiant,[11] Microsoft,[12] Huntress[13] and Rapid7[14] have assisted with incident response and ongoing investigations.[15] Cyber industry experts have credited the MOVEit team for its response and handling of the incident, citing the quick release of patches and the regular, informative advisories that supported rapid remediation.[16][17][18]

Notes and References

  1. Dan Goodin, "Mass exploitation of critical MOVEit flaw is ransacking orgs big and small", June 5, 2023. Retrieved June 15, 2023.
  2. Zach Montague, "Russian Ransomware Group Breached Federal Agencies in Cyberattack", June 15, 2023. Retrieved June 15, 2023.
  3. Nova Scotia Cyber Security and Digital Solutions, Government of Nova Scotia, "Privacy breach alerts and information", June 4, 2023. Retrieved June 25, 2023.
  4. Joe Tidy, "MOVEit hack: BBC, BA and Boots among cyber attack victims", June 5, 2023. Retrieved June 15, 2023.
  5. Chris Vallance, "MOVEit hack: Media watchdog Ofcom latest victim of mass hack", June 12, 2023. Retrieved June 15, 2023.
  6. Sean Lyngaas, "US government agencies hit in global cyberattack", June 15, 2023. Retrieved June 15, 2023.
  7. Sean Lyngaas, "Millions of Americans' personal data exposed in global hack", June 16, 2023. Retrieved June 15, 2023.
  8. "Unpacking the MOVEit Breach: Statistics and Analysis".
  9. "#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability", June 7, 2023. Retrieved June 7, 2023.
  10. Tyler Lioi and Sean Palka, "Movin' Out: Identifying Data Exfiltration in MOVEit Transfer Investigations", June 5, 2023. Retrieved June 5, 2023.
  11. Nader Zaveri, Jeremy Kennelly and Genevieve Stark, "Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft", June 2, 2023. Retrieved June 2, 2023.
  12. @MsftSecIntel, June 4, 2023. Retrieved June 4, 2023.
  13. John Hammond, "MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response", June 1, 2023. Retrieved June 1, 2023.
  14. Caitlyn Condon, "Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability", June 1, 2023. Retrieved June 1, 2023.
  15. Matt Kapko, "MOVEit mass exploit timeline: How the file-transfer service attacks entangled victims", June 14, 2023. Retrieved June 26, 2023.
  16. Tim Starks, "Cyberdefenders respond to hack of file-transfer tool" (news), June 7, 2023. Retrieved June 7, 2023.
  17. "Inside the MOVEit Attack: Decrypting Clop's TTPs and Empowering Cybersecurity Practitioners", July 4, 2023. Retrieved July 4, 2023.
  18. Noah Stone, "New research reveals rapid remediation of MOVEit Transfer vulnerabilities", July 20, 2023. Retrieved July 20, 2023.