The PolySwarm Blog


New MOVEit Activity

Nov 13, 2023 1:31:46 PM / by The Hivemind

Verticals Targeted: Defense, Government, Technology

Executive Summary

The MOVEit vulnerability, tracked as CVE-2023-34362, was first observed in May 2023. It has since been observed targeting additional entities, including those in the technology, government, and defense verticals.

Key Takeaways

  • CVE-2023-34362 is a critical SQL injection vulnerability affecting Progress Software’s MOVEit Transfer managed file transfer (MFT) software.
  • The vulnerability, first discovered in May 2023, allows an unauthenticated threat actor to access databases associated with MOVEit.
  • Recently disclosed victims include CCleaner and entities in the US defense and government verticals.

What is MOVEit (CVE-2023-34362)?

CVE-2023-34362 is a critical SQL injection vulnerability affecting Progress Software’s MOVEit Transfer managed file transfer (MFT) software. The vulnerability, first discovered in May 2023, allows an unauthenticated threat actor to access databases associated with MOVEit. MOVEit Cloud was initially affected by the vulnerability, but a backend fix remedied the situation. Progress Software has also issued updates to patch other currently used MOVEit versions. PolySwarm previously reported on Cl0p using the MOVEit vulnerability to deliver the LemurLoot webshell.

To date, over 2300 organizations have confirmed being victims of MOVEit-related data breaches. Threat actors can potentially use the stolen information for extortion, to gain access to both business and personal accounts, and to engage in identity theft, among other nefarious activities.

MOVEit Attack on CCleaner

CCleaner, a popular optimization app owned by Gen Digital, was reportedly targeted using the MOVEit vulnerability. According to Gen Digital, the threat actors responsible stole the personal information of paid customers in the attacks, which occurred in May 2023. Stolen information included customer names, contact information, product information, phone numbers, email addresses, and billing addresses. Only about 2% of the customer base was affected by the data theft. While the company did not state the number of customers affected by the breach, it reportedly has around 65 million paid customers across its various products. Some industry reports have suggested Cl0p may be responsible for the attack. As of the time of writing, Cl0p has not listed CCleaner on its data leaks website.

MOVEit Attack on US Government and Defense Entities

The MOVEit vulnerability has also been leveraged to target US-based government and defense entities. The US Department of Justice was targeted using MOVEit. Additionally, the Office of Personnel Management (OPM) was the victim of a MOVEit breach. Affected personnel include those affiliated with the Department of Defense, including the Air Force, Army, Army Corps of Engineers, the Office of the Secretary of Defense, and Joint Staff officials. The email addresses of over 630,000 employees were accessed in the attacks.

IOCs

PolySwarm is currently monitoring for additional MOVEit exploits.


You can use the following CLI command to search for all associated samples in our portal:

$ polyswarm link list -f MOVEit
