2023 MOVEit data breach

Type: Cyberattack, data breach
Cause: MOVEit vulnerabilities
First reporter: Progress Software
Suspects: Cl0p

A wave of cyberattacks and data breaches began in June 2023 after a vulnerability was discovered in MOVEit, a managed file transfer software.

Background

MOVEit is a managed file transfer software developed by Ipswitch, Inc., a subsidiary of Progress Software.

Methodology

The vulnerability, tracked as CVE-2023-34362, [9] allows attackers to steal files from organizations through SQL injection against public-facing MOVEit Transfer servers. The file transfers are facilitated by a custom web shell identified as LemurLoot. Disguised as the ASP.NET files that MOVEit legitimately uses, LemurLoot can also steal Microsoft Azure Storage Blob information. [1]
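The SQL injection mechanism described above, in an added Python illustration that is not MOVEit code and not taken from any of the sources cited here: a toy file-lookup query that concatenates user input is placed beside its parameterized form. The table, rows, user names and the `folder_filter` parameter are constructed for the example; `list_files_vulnerable` is deliberately defective to show how concatenation lets a crafted value rewrite the WHERE clause and return another user's files, and `list_files_safe` shows the fix.

```python
"""SQL injection on a file-listing query: vulnerable vs parameterized.

Added illustration; a toy model, not MOVEit Transfer code.
The table, columns and sample rows below are constructed for the example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: three files owned by two different users.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [
            ("alice", "payroll-2023.csv"),
            ("alice", "contracts.pdf"),
            ("bob", "notes.txt"),
        ],
    )
    return conn


def list_files_vulnerable(conn: sqlite3.Connection, user: str, folder_filter: str) -> list[str]:
    # DEFECT (deliberate, for the demonstration): user-controlled text is
    # concatenated into the SQL string, so the value can close the quoted
    # literal and append its own conditions to the WHERE clause.
    sql = (
        f"SELECT name FROM files WHERE owner = '{user}' "
        f"AND name LIKE '{folder_filter}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn: sqlite3.Connection, user: str, folder_filter: str) -> list[str]:
    # Hardened form: the query text is fixed and both values travel as bound
    # parameters, so quote characters in the input are just data.
    sql = "SELECT name FROM files WHERE owner = ? AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (user, folder_filter + "%"))]


def demo() -> dict[str, list[str]]:
    """Run both variants with a benign filter and with a crafted one."""
    conn = make_db()
    crafted = "%' OR 1=1 --"   # constructed input; the trailing -- comments out the rest
    return {
        "vulnerable_benign": list_files_vulnerable(conn, "bob", "notes"),
        "vulnerable_crafted": sorted(list_files_vulnerable(conn, "bob", crafted)),
        "safe_benign": list_files_safe(conn, "bob", "notes"),
        "safe_crafted": list_files_safe(conn, "bob", crafted),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:>19}: {names}")
```

Run as a script, the vulnerable variant returns all three files to `bob` for the crafted filter, while the parameterized variant returns nothing, because the crafted text is only ever matched as a LIKE pattern. The same rule applies regardless of the database engine: the fix is to keep query text and data separate, not to filter quote characters.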

Discovery

According to cybersecurity firm Mandiant, exploitation of the MOVEit vulnerability began on May 27, 2023. [1]
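Organizations asking whether their own servers were affected once exploitation began would look for the LemurLoot pattern described under Methodology: executable ASP.NET files in the application's web root that were not shipped with the product. The following Python script is an added example, not code from the page or from MOVEit's vendor or any of the firms named here. It snapshots a known-good web root into a SHA-256 manifest and later reports files that were added, modified or removed; the directory layout, file names and contents it uses are constructed for the demonstration.

```python
"""Baseline check for unexpected executable files in a web root.

Added example, not MOVEit's or any vendor's tooling. A disguised web shell
dropped into an application directory shows up as a file that is not in the
known-good manifest, or as a shipped file whose hash has changed. All paths
and file names here are constructed for the demonstration.
"""
import hashlib
import os
import tempfile

# Extensions that IIS will hand to the ASP.NET runtime; assumption for the example.
WATCHED_SUFFIXES = (".aspx", ".ashx", ".asmx", ".dll")


def file_sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map each watched file's path (relative to root, '/' separated) to its SHA-256."""
    manifest: dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(WATCHED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = file_sha256(full)
    return manifest


def find_deviations(root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current web root against a baseline manifest taken earlier."""
    current = build_manifest(root)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def simulate() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a clean web root, then drop in a new
    page and tamper with a shipped one, and report what the check finds."""
    with tempfile.TemporaryDirectory() as root:
        www = os.path.join(root, "wwwroot")
        os.makedirs(www)
        for name in ("default.aspx", "download.aspx"):   # constructed "shipped" pages
            with open(os.path.join(www, name), "w") as f:
                f.write('<%@ Page Language="C#" %>\n')
        baseline = build_manifest(root)

        # Constructed stand-in for a dropped web shell disguised as an ASP.NET page.
        with open(os.path.join(www, "unexpected.aspx"), "w") as f:
            f.write('<%@ Page Language="C#" %><!-- constructed, not a real shell -->\n')
        # A shipped page is altered in place.
        with open(os.path.join(www, "download.aspx"), "a") as f:
            f.write("<!-- tampered -->\n")

        return find_deviations(root, baseline)


if __name__ == "__main__":
    for kind, paths in simulate().items():
        print(f"{kind:>9}: {paths}")
```

In practice the baseline manifest should be taken from a trusted source such as a clean installation of the same product version, not from a host that may already be compromised, and should be stored off the server so an intruder cannot update it.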

Responsibility

According to the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, the breaches are being conducted by Cl0p, a Russian-affiliated cyber gang. [2]

Impact

On June 3, the Government of Nova Scotia estimated that as many as 100,000 present and past employees were impacted by the breach. [3]

On June 5, various organizations in the United Kingdom, including the BBC, British Airways, Boots, Aer Lingus, and payroll service Zellis were breached. [4] On June 12, Ernst & Young, Transport for London, and Ofcom separately announced that they had been affected, with Ofcom announcing that personal and confidential information was downloaded. [5]

On June 15, CNN reported that the United States Department of Energy was among multiple United States government organizations affected by the MOVEit vulnerability. [6] The following day, it was reported that the Louisiana Office of Motor Vehicles and Oregon Driver and Motor Vehicle Services were hit, affecting millions of residents. [7]

A running total maintained by cybersecurity company Emsisoft showed that, as of October 25, 2023, more than 2,500 organizations were known to have been impacted, with more than 80 percent of them US-based. [8]

Response

The MOVEit team has worked with industry experts to investigate the May 31 incident. The Cybersecurity and Infrastructure Security Agency (CISA), [9] CrowdStrike, [10] Mandiant, [11] Microsoft, [12] Huntress [13] and Rapid7 [14] have assisted with incident response and ongoing investigations. [15] Cyber industry experts have credited the MOVEit team for its response and handling of the incident: patches were provided quickly, along with regular and informative advisories that supported rapid remediation. [16] [17] [18]

References

  1. Goodin, Dan (June 5, 2023). "Mass exploitation of critical MOVEit flaw is ransacking orgs big and small". Ars Technica. Retrieved June 15, 2023.
  2. Montague, Zach (June 15, 2023). "Russian Ransomware Group Breached Federal Agencies in Cyberattack". The New York Times. Retrieved June 15, 2023.
  3. "Privacy breach alerts and information". Nova Scotia Cyber Security and Digital Solutions. June 4, 2023. Retrieved June 25, 2023.
  4. Tidy, Joe (June 5, 2023). "MOVEit hack: BBC, BA and Boots among cyber attack victims". BBC. Retrieved June 15, 2023.
  5. Vallance, Chris (June 12, 2023). "MOVEit hack: Media watchdog Ofcom latest victim of mass hack". BBC. Retrieved June 15, 2023.
  6. Lyngaas, Sean (June 15, 2023). "US government agencies hit in global cyberattack". CNN. Retrieved June 15, 2023.
  7. Lyngaas, Sean (June 16, 2023). "Millions of Americans' personal data exposed in global hack". CNN. Retrieved June 15, 2023.
  8. "Unpacking the MOVEit Breach: Statistics and Analysis". Emsisoft.
  9. "#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability". Cybersecurity and Infrastructure Security Agency. June 7, 2023. Retrieved June 7, 2023.
  10. Lioi, Tyler; Palka, Sean (June 5, 2023). "Movin' Out: Identifying Data Exfiltration in MOVEit Transfer Investigations". CrowdStrike. Retrieved June 5, 2023.
  11. Zaveri, Nader; Kennelly, Jeremy; Stark, Genevieve (June 2, 2023). "Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft". Mandiant. Retrieved June 2, 2023.
  12. "@MsftSecIntel". Microsoft. June 4, 2023. Retrieved June 4, 2023.
  13. Hammond, John (June 1, 2023). "MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response". Huntress. Retrieved June 1, 2023.
  14. Condon, Caitlyn (June 1, 2023). "Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability". Rapid7. Retrieved June 1, 2023.
  15. Kapko, Matt (June 14, 2023). "MOVEit mass exploit timeline: How the file-transfer service attacks entangled victims". Retrieved June 26, 2023.
  16. Starks, Tim (June 7, 2023). "Cyberdefenders respond to hack of file-transfer tool". The Washington Post. Retrieved June 7, 2023.
  17. "Inside the MOVEit Attack: Decrypting Clop's TTPs and Empowering Cybersecurity Practitioners". July 4, 2023. Retrieved July 4, 2023.
  18. Stone, Noah (July 20, 2023). "New research reveals rapid remediation of MOVEit Transfer vulnerabilities". BitSight. Retrieved July 20, 2023.