Key Takeaways
What is MOVEit (CVE-2023-34362)?
To date, over 2300 organizations have confirmed being victims of MOVEit-related data breaches. Threat actors can potentially use the stolen information for extortion, to gain access to both business and personal accounts, and to engage in identity theft, among other nefarious activities.
MOVEit Attack on CCleaner
CCleaner, a popular optimization app owned by Gen Digital, was reportedly targeted using the MOVEit vulnerability. According to Gen Digital, the threat actors responsible stole the personal information of paid customers in attacks that occurred in May 2023. Stolen information included customer names, contact information, product information, phone numbers, email addresses, and billing addresses. Only about 2% of the customer base was affected by the data theft. While the company did not state the number of customers affected by the breach, it reportedly has around 65 million paid customers across the various products it offers. Some industry reports have suggested Cl0p may be responsible for the attack. As of the time of writing, Cl0p has not listed CCleaner on its data leak website.
MOVEit Attack on US Government and Defense Entities
The MOVEit vulnerability has also been leveraged to target US-based government and defense entities. The US Department of Justice was targeted using MOVEit. Additionally, the Office of Personnel Management (OPM) was the victim of a MOVEit breach. Affected personnel include those affiliated with the Department of Defense, including the Air Force, Army, Army Corps of Engineers, the Office of the Secretary of Defense, and Joint Staff officials. The email addresses of over 630,000 employees were accessed in the attacks.
IOCs
PolySwarm is currently monitoring for additional MOVEit exploits.
You can use the following CLI command to search for all associated samples in our portal:
$ polyswarm link list -f MOVEit