2023 MOVEit data breach
{{Short description|Series of cyberattacks exploiting vulnerability in Progress Software's software}}
{{Use American English|date=June 2023}}
{{Use mdy dates|date=June 2023}}
{{Infobox event
| image =
| image_size =
| image_alt =
| caption =
| duration =
| date =
| location =
| target =
| also_known_as =
| type = Cyberattack, data breach
| theme =
| cause = MOVEit vulnerabilities
| first_reporter = Progress Software
| suspects = Cl0p
| outcome =
}}
Discovered in May 2023, a critical vulnerability in the MOVEit managed file transfer software triggered a wave of cyberattacks and data breaches. Exploited by the ransomware group Cl0p, the flaw enabled unauthorized access to sensitive databases, leading to the compromise of over 2,700 organizations and exposing the personal data of approximately 93.3 million individuals.{{Cite web |last=Kapko |first=M. |last2=Himmel |first2=J. |date=January 16, 2024 |title=Progress Software's Moveit Melt-down: Uncovering The Fallout |url=https://www.cybersecuritydive.com/news/progress-software-moveit-meltdown/703659/ |access-date=30 March 2025 |website=Cybersecurity Dive}} The breach affected organizations across sectors including healthcare, finance, and government, illustrating the systemic risk that a single widely deployed component poses to the interconnected digital supply chain.{{Cite web |last=Kapko |first=M. |date=August 9, 2023 |title=The Moveit Spree Is As Bad As — Or Worse Than — You Think It Is |url=https://www.cybersecuritydive.com/news/moveit-attacks-bad-to-worse/690267/ |website=Cybersecurity Dive}}
Background
MOVEit, managed file transfer software developed by Ipswitch, Inc., a subsidiary of Progress Software, is widely used to transmit large volumes of sensitive data securely across many industries, including government and highly regulated sectors. On May 28, 2023, a vulnerability in the MOVEit software was reported after a customer detected unusual activity. This zero-day vulnerability allowed attackers to compromise public-facing MOVEit servers via SQL injection and then steal files without authorization. The attacks used a custom web shell, known as LEMURLOOT, which impersonates legitimate ASP.NET files and can extract Microsoft Azure Storage Blob data.
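The web shell stage described above depends on a dropped file passing as part of the application's own ASP.NET code, so one defender-side control is a file-integrity comparison of the web root against a known-good manifest. The Python script below is an added illustration of that check; it is not code from this article, from Progress Software, or from any of the responders named on this page. The file names and hashes in it are constructed placeholders (for example `hypothetical_dropped.aspx`), not MOVEit file names or indicators from the incident.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed baseline: SHA-256 of each ASP.NET handler file expected in the web
# root, recorded from a trusted install. Names and hashes are placeholders, not
# real MOVEit files or incident indicators.
BASELINE_MANIFEST = {
    "wwwroot/Default.aspx": "a" * 64,
    "wwwroot/Login.aspx": "b" * 64,
    "wwwroot/Upload.aspx": "c" * 64,
}

# Constructed later observation: one shipped page has changed and one file that
# was never part of the baseline has appeared, the pattern a planted web shell
# that mimics legitimate ASP.NET files would produce.
OBSERVED_MANIFEST = {
    "wwwroot/Default.aspx": "a" * 64,
    "wwwroot/Login.aspx": "f" * 64,
    "wwwroot/Upload.aspx": "c" * 64,
    "wwwroot/hypothetical_dropped.aspx": "d" * 64,
}

# File types the ASP.NET pipeline will execute as server-side code.
ASPNET_SUFFIXES = (".aspx", ".ashx", ".asmx", ".asax")


def build_manifest(web_root: Path, suffixes=ASPNET_SUFFIXES) -> dict:
    """Hash every ASP.NET handler file under web_root, keyed by relative POSIX path."""
    manifest = {}
    for path in sorted(web_root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(web_root).as_posix()] = digest
    return manifest


def compare_manifests(baseline: dict, observed: dict) -> tuple:
    """Return (added, modified, removed) relative paths.

    'added' is the highest-priority finding: a handler the vendor never shipped
    is exactly how a planted page gets served by the application's own web server.
    'modified' catches a shipped page whose contents were replaced or backdoored.
    """
    added = sorted(p for p in observed if p not in baseline)
    removed = sorted(p for p in baseline if p not in observed)
    modified = sorted(
        p for p in observed if p in baseline and observed[p] != baseline[p]
    )
    return added, modified, removed


def demo_on_disk() -> tuple:
    """Build two manifests from a scratch directory and diff them.

    Exercises build_manifest end to end without touching a real server.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        root.mkdir()
        (root / "Default.aspx").write_text("<%@ Page %> home")
        (root / "Login.aspx").write_text("<%@ Page %> login")
        baseline = build_manifest(root)
        # Simulate a post-incident state: modify one page, plant a new handler.
        (root / "Login.aspx").write_text("<%@ Page %> login-tampered")
        (root / "hypothetical_dropped.aspx").write_text("<%@ Page %> planted")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    added, modified, removed = compare_manifests(BASELINE_MANIFEST, OBSERVED_MANIFEST)
    print("added:", added)        # ['wwwroot/hypothetical_dropped.aspx']
    print("modified:", modified)  # ['wwwroot/Login.aspx']
    print("removed:", removed)    # []
    print("on-disk demo:", demo_on_disk())
```

The baseline must come from a trusted source (a vendor-supplied hash list or a manifest taken at install time and stored off the server), because a manifest generated after compromise would simply bless the planted file.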
Timeline
According to cybersecurity firm Mandiant, exploitation of the MOVEit vulnerability began on May 27, 2023.{{Cite web |last=Goodin |first=Dan |date=June 5, 2023 |title=Mass exploitation of critical MOVEit flaw is ransacking orgs big and small |url=https://arstechnica.com/information-technology/2023/06/mass-exploitation-of-critical-moveit-flaw-is-ransacking-orgs-big-and-small/ |access-date=June 15, 2023 |work=Ars Technica}}
On May 31, Progress Software released a patch for the vulnerability and stated that it "could lead to escalated privileges and potential unauthorized access to the environment".{{Cite web |last=Simas |first=Zach |date=2023-07-18 |title=Unpacking the MOVEit Breach: Statistics and Analysis |url=https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/ |access-date=2024-11-27 |website=Emsisoft {{!}} Cybersecurity Blog |language=en-US}}
On June 3, the Government of Nova Scotia estimated that as many as 100,000 present and past employees were impacted by the breach.{{Cite web |author-link=Government of Nova Scotia |date=2023-06-04 |title=Privacy breach alerts and information |url=https://novascotia.ca/privacy-breach/ |access-date=2023-06-25 |website=Nova Scotia Cyber Security and Digital Solutions |language=en}}
On June 5, various organizations in the United Kingdom, including the BBC, British Airways, Boots, Aer Lingus, and the payroll service Zellis, were reported to have been breached.{{Cite web |last=Tidy |first=Joe |date=June 5, 2023 |title=MOVEit hack: BBC, BA and Boots among cyber attack victims |url=https://www.bbc.com/news/technology-65814104 |access-date=June 15, 2023 |publisher=BBC}}
On June 6, Cl0p claimed responsibility for the attack on its dark web site. Cl0p claimed that the data stolen from governments had been deleted (this was later disproved).
On June 12, Ernst & Young, Transport for London, and Ofcom separately announced that they had been affected, with Ofcom announcing that personal and confidential information was downloaded.{{Cite web |last=Vallance |first=Chris |date=June 12, 2023 |title=MOVEit hack: Media watchdog Ofcom latest victim of mass hack |url=https://www.bbc.com/news/technology-65877210 |access-date=June 15, 2023 |publisher=BBC}}
On June 15, CNN reported that the United States Department of Energy was among multiple United States government organizations affected by the MOVEit vulnerability.{{Cite web |last=Lyngaas |first=Sean |date=June 15, 2023 |title=US government agencies hit in global cyberattack |url=https://www.cnn.com/2023/06/15/politics/us-government-hit-cybeattack/index.html |access-date=June 15, 2023 |publisher=CNN}} The following day, it was reported that the Louisiana Office of Motor Vehicles and Oregon Driver and Motor Vehicle Services were hit, affecting millions of residents.{{Cite web |last=Lyngaas |first=Sean |date=June 16, 2023 |title=Millions of Americans' personal data exposed in global hack |url=https://www.cnn.com/2023/06/16/politics/cyberattack-us-government/index.html |access-date=June 15, 2023 |publisher=CNN}}
Responsibility
According to the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation, the breaches were conducted by Cl0p, a Russia-affiliated cybercriminal group.{{Cite web |url=https://www.nytimes.com/2023/06/15/us/politics/russian-ransomware-cyberattack-clop-moveit.html |title=Russian Ransomware Group Breached Federal Agencies in Cyberattack |date=June 15, 2023 |last=Montague |first=Zach |work=The New York Times |access-date=June 15, 2023}}
Impact
A running total maintained by cybersecurity company Emsisoft showed that more than 2,500 organizations were known to have been impacted as of October 25, 2023, with more than 80 percent of those organizations being US-based.{{Cite web |last=Simas |first=Zach |date=2023-07-18 |title=Unpacking the MOVEit Breach: Statistics and Analysis |url=https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/ |access-date=2024-11-27 |website=Emsisoft {{!}} Cybersecurity Blog |language=en-US}}
Response
The Cybersecurity and Infrastructure Security Agency (CISA),{{Cite web |url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a |title=#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability |date=June 7, 2023 |access-date=June 7, 2023}} CrowdStrike,{{Cite web |url=https://www.crowdstrike.com/blog/identifying-data-exfiltration-in-moveit-transfer-investigations/ |title=Movin' Out: Identifying Data Exfiltration in MOVEit Transfer Investigations |date=June 5, 2023 |last1=Lioi |first1=Tyler |last2=Palka |first2=Sean |access-date=June 5, 2023}} Mandiant,{{Cite web |url=https://www.mandiant.com/resources/blog/zero-day-moveit-data-theft |title=Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft |date=June 2, 2023 |last1=Zaveri |first1=Nader |last2=Kennelly |first2=Jeremy |last3=Stark |first3=Genevieve |access-date=June 2, 2023}} Microsoft,{{Cite web |url=https://twitter.com/MsftSecIntel/status/1665537730946670595 |title=@MsftSecIntel |date=June 4, 2023 |access-date=June 4, 2023}} Huntress,{{Cite web |url=https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response |title=MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response |date=June 1, 2023 |last=Hammond |first=John |access-date=June 1, 2023}} and Rapid7{{Cite web |url=https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability/ |title=Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability |date=June 1, 2023 |last=Condon |first=Caitlyn |access-date=June 1, 2023}} have assisted with incident response and ongoing investigations.{{Cite web |url=https://www.cybersecuritydive.com/news/moveit-breach-timeline/687417/ |title=MOVEit mass exploit timeline: How the file-transfer service attacks entangled victims |date=June 14, 2023 |last=Kapko |first=Matt |access-date=June 26, 2023}} Cyber industry experts have credited the MOVEit team for its response to and handling of the incident, in particular for quickly providing patches.{{Cite news |url=https://www.washingtonpost.com/politics/2023/06/07/cyberdefenders-respond-hack-file-transfer-tool/ |title=Cyberdefenders respond to hack of file-transfer tool |date=June 7, 2023 |last=Starks |first=Tim |newspaper=The Washington Post |access-date=June 7, 2023}}{{Cite web |url=https://www.infosecurity-magazine.com/podcasts/infosec-mag-pod-july-2023// |title=Inside the MOVEit Attack: Decrypting Clop's TTPs and Empowering Cybersecurity Practitioners |date=July 4, 2023 |access-date=July 4, 2023}} In general, patches for the flaw were applied rapidly.{{Cite web |url=https://www.bitsight.com/blog/new-research-reveals-rapid-remediation-moveit-transfer-vulnerabilities/ |title=New research reveals rapid remediation of MOVEit Transfer vulnerabilities |date=July 20, 2023 |last=Stone |first=Noah |publisher=BitSight |access-date=July 20, 2023}}