2023 MOVEit data breach

Type Cyberattack, data breach
Cause MOVEit vulnerabilities
First reporter Progress Software
Suspects Cl0p

A wave of cyberattacks and data breaches began in June 2023 after a vulnerability was discovered in MOVEit, a managed file transfer software. Thousands of organisations and almost 100 million individuals were affected.

Background

MOVEit is managed file transfer software developed by Ipswitch, Inc., a subsidiary of Progress Software. A vulnerability in the software allows attackers to steal files from organizations through SQL injection against public-facing MOVEit servers. The data transfers are carried out through a custom web shell identified as LemurLoot. Disguised as ASP.NET files that MOVEit uses legitimately, LemurLoot can also steal Microsoft Azure Storage Blob information. [1]
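A web shell that hides among legitimate ASP.NET files is found by comparing the live web root against a known-good manifest. The following defender-side check is added here as an example and is not code from the article, Progress Software or Mandiant; it assumes a baseline manifest was taken from a clean install and that the extension list is a reasonable proxy for ASP.NET content.

```python
import hashlib
from pathlib import Path

# Extensions a web shell would use to pass as MOVEit ASP.NET content.
# This set is an assumption for the example, not taken from the article.
ASPNET_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large web-root files never sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(webroot: str) -> dict[str, str]:
    """Map each ASP.NET file under webroot (relative POSIX path) to its SHA-256."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in ASPNET_EXTENSIONS
    }


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff a known-good baseline against the live web root. An unexpected or
    modified ASP.NET file on a file-transfer server is the first thing to triage."""
    shared = baseline.keys() & current.keys()
    return {
        "unexpected": sorted(current.keys() - baseline.keys()),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
        "missing": sorted(baseline.keys() - current.keys()),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a clean web root, then a new .aspx file
    appears and a legitimate page is tampered with. Returns the diff."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "api").mkdir()
        (root / "login.aspx").write_text("<%@ Page %> legitimate login page")
        (root / "api" / "upload.ashx").write_text("legitimate upload handler")
        (root / "readme.txt").write_text("not ASP.NET content, ignored")
        baseline = build_manifest(d)
        (root / "stats.aspx").write_text("<%@ Page %> file absent from baseline")
        (root / "login.aspx").write_text("<%@ Page %> tampered login page")
        return compare_manifests(baseline, build_manifest(d))
```

Run `build_manifest` once on a clean install, store the result, and re-run the comparison on a schedule or during incident triage.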

Timeline

According to cybersecurity firm Mandiant, exploitation of the MOVEit vulnerability began on May 27, 2023. [1]

On May 31 Progress Software released a patch for the vulnerability and stated the vulnerability “could lead to escalated privileges and potential unauthorized access to the environment”. [2]

On June 3, the Government of Nova Scotia estimated that as many as 100,000 present and past employees were impacted by the breach. [3]

On June 5, various organizations in the United Kingdom, including the BBC, British Airways, Boots, Aer Lingus, and payroll service Zellis were breached. [4]

On June 6, Cl0p claimed responsibility for the attack on its site on the dark web. Cl0p claimed that the data stolen from governments had been deleted (this was later disproved). [2]

On June 12, Ernst & Young, Transport for London, and Ofcom separately announced that they had been affected, with Ofcom announcing that personal and confidential information was downloaded. [5]

On June 15, CNN reported that the United States Department of Energy was among multiple United States government organizations affected by the MOVEit vulnerability. [6] The following day, it was reported that the Louisiana Office of Motor Vehicles and Oregon Driver and Motor Vehicle Services were hit, affecting millions of residents. [7]

Responsibility

According to the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, the breaches are being conducted by Cl0p, a Russian-affiliated cyber gang. [8]

Impact

A running total maintained by cybersecurity company Emsisoft showed that more than 2,500 organizations were known to have been impacted as of October 25, 2023, with more than 80 percent of those organizations being US-based. [9]

Response

The Cybersecurity and Infrastructure Security Agency (CISA), [10] CrowdStrike, [11] Mandiant, [12] Microsoft, [13] Huntress [14] and Rapid7 [15] have assisted with incident response and ongoing investigations. [16] Cyber industry experts have credited the MOVEit team for its response and handling of the incident, in particular for quickly providing patches. [17] [18] In general, patches for the flaw were rapidly applied. [19]


References

  1. Goodin, Dan (June 5, 2023). "Mass exploitation of critical MOVEit flaw is ransacking orgs big and small". Ars Technica. Retrieved June 15, 2023.
  2. Simas, Zach (July 18, 2023). "Unpacking the MOVEit Breach: Statistics and Analysis". Emsisoft | Cybersecurity Blog. Retrieved November 27, 2024.
  3. "Privacy breach alerts and information". Nova Scotia Cyber Security and Digital Solutions. June 4, 2023. Retrieved June 25, 2023.
  4. Tidy, Joe (June 5, 2023). "MOVEit hack: BBC, BA and Boots among cyber attack victims". BBC. Retrieved June 15, 2023.
  5. Vallance, Chris (June 12, 2023). "MOVEit hack: Media watchdog Ofcom latest victim of mass hack". BBC. Retrieved June 15, 2023.
  6. Lyngaas, Sean (June 15, 2023). "US government agencies hit in global cyberattack". CNN. Retrieved June 15, 2023.
  7. Lyngaas, Sean (June 16, 2023). "Millions of Americans' personal data exposed in global hack". CNN. Retrieved June 15, 2023.
  8. Montague, Zach (June 15, 2023). "Russian Ransomware Group Breached Federal Agencies in Cyberattack". The New York Times. Retrieved June 15, 2023.
  9. "Unpacking the MOVEit Breach: Statistics and Analysis". Emsisoft | Cybersecurity Blog.
  10. "#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability". June 7, 2023. Retrieved June 7, 2023.
  11. Lioi, Tyler; Palka, Sean (June 5, 2023). "Movin' Out: Identifying Data Exfiltration in MOVEit Transfer Investigations". Retrieved June 5, 2023.
  12. Zaveri, Nader; Kennelly, Jeremy; Stark, Genevieve (June 2, 2023). "Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft". Retrieved June 2, 2023.
  13. "@MsftSecIntel". June 4, 2023. Retrieved June 4, 2023.
  14. Hammond, John (June 1, 2023). "MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response". Retrieved June 1, 2023.
  15. Condon, Caitlyn (June 1, 2023). "Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability". Retrieved June 1, 2023.
  16. Kapko, Matt (June 14, 2023). "MOVEit mass exploit timeline: How the file-transfer service attacks entangled victims". Retrieved June 26, 2023.
  17. Starks, Tim (June 7, 2023). "Cyberdefenders respond to hack of file-transfer tool". The Washington Post. Retrieved June 7, 2023.
  18. "Inside the MOVEit Attack: Decrypting Clop's TTPs and Empowering Cybersecurity Practitioners". July 4, 2023. Retrieved July 4, 2023.
  19. Stone, Noah (July 20, 2023). "New research reveals rapid remediation of MOVEit Transfer vulnerabilities". BitSight. Retrieved July 20, 2023.