Blog Post

MOVEit File Transfer Zero-Day Compromises Multiple Organizations

June 8, 2023

Table of Contents

Overview of the the MOVEit Data Breach

An attack exploiting CVE-2023-34362, a zero-day vulnerability in the MOVEit file transfer software, was disclosed at the start of June, with additional victims still being uncovered. The vulnerability is an SQL injection vulnerability that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.

The attack was carried out by at least one threat actor who gained unauthorized access to the software and stole sensitive data from affected organizations. Microsoft attributes the attack to the Lace Tempest group, the group behind the Clop ransomware operation. So far, the list of known victims includes the BBC, British Airways, Boots, the University of Rochester, and the provincial government of Nova Scotia in Canada.

On the Clop website, the group claimed responsibility for the exploit and the attack, also saying they are the only group which performed such an attack.

The MOVEit data breach attack was carried out by a threat actor who gained unauthorized access.

Clop has provided victims of the attack until June 14th to contact them and negotiate an extortion payment, after which the name of the victim and their data will be posted on the Clop website.

As additional victims continue to be revealed, it is worth noting that Clop has attacked over 100 known victims this year, with most victims coming from the healthcare and computer services industries (8% each), followed by financial services organizations (7%).

How to Protect Yourself Against a Breach

The vulnerability has been patched by Progress Software as of June 2nd, however evidence suggests attackers have started exploiting the vulnerability on May 27th, so organizations which have been compromised before the patch are not retroactively protected.

If you use MoveIT file transfer software, it is important to check your systems for signs of compromise and to implement the patch as soon as possible. Progress Software published a security bulletin, available at https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023. The bulletin includes recommended remediation steps, and possible indicators of compromise.

Quantify the cyber risk your organization experiences due to its third-party service providers.

Some Real Cyber Vulnerability World Data

According to Shodan’s data, there are currently slightly more than 2500 devices on the internet exposed to CVE-2023-34362. The devices are located mostly in the US (73% of affected devices), followed by the United Kingdom (5%), with the third most affected country being Germany (4.5%).

There are more than 2500 devices on the internet worldwide exposed to CVE-2023-34362.

Greynoise scanning data shows that scanning for exposed MOVEit servers started being noticeable on June 1st, and reached a peak on June 4th, before greatly decreasing on June 5th and 6th, meaning attackers are finding this exploit less profitable.

Guy Propper

Data Team Lead

More Blog Posts
Explore All Blog Posts
Industry Recognition