
Discovered in May 2023, a critical vulnerability in the MOVEit managed file transfer software triggered a wave of cyberattacks and data breaches. Exploited by the notorious ransomware group Cl0p, the flaw enabled unauthorized access to sensitive databases, leading to the compromise of over 2,700 organizations and exposing the personal data of approximately 93.3 million individuals. The breach had far-reaching effects across sectors such as healthcare, finance, and government, underscoring the systemic risk inherent in the interconnected digital supply chain.


Background

MOVEit, a managed file transfer software product developed by Ipswitch, Inc., a subsidiary of Progress Software, is widely used for securely transmitting large volumes of sensitive data across industries, including government and other highly regulated sectors. On May 28, 2023, a vulnerability in the MOVEit software was reported after a customer detected unusual activity. This zero-day vulnerability enabled attackers to exploit public-facing servers via SQL injection, facilitating unauthorized file theft. The attacks were conducted using a custom web shell, known as LEMURLOOT, which impersonates legitimate ASP.NET files and can extract Microsoft Azure Storage Blob data.
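The detection angle that follows from the paragraph above is file integrity monitoring of the web root: a web shell that impersonates a legitimate ASP.NET page is, from the server's point of view, a new or modified server-executable file. The script below is an added example, not code from the article and not MOVEit's or Progress Software's own tooling. It compares a baseline manifest of shipped files (path to SHA-256) against a current snapshot and flags server-executable files that are absent from the baseline or whose content changed. The file names, contents and the list of executable extensions are constructed assumptions for illustration, not MOVEit's actual file layout.

```python
"""Flag unexpected or modified server-side script files in a web root.

Added example (not from the original article or the vendor). Assumes the
defender keeps a baseline manifest of the application's shipped web root,
taken from a known-good install, and periodically re-snapshots the live
server to compare against it.
"""
import hashlib
from pathlib import Path

# Extensions that IIS/ASP.NET executes server-side. Assumption: adjust this
# set to the handler mappings actually configured on the server.
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".dll"}


def snapshot_webroot(root: Path) -> dict[str, str]:
    """Hash every file under `root`; keys are POSIX-style relative paths."""
    manifest: dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def find_webshell_candidates(baseline: dict[str, str],
                             current: dict[str, str]) -> list[tuple[str, str]]:
    """Return (relative_path, reason) pairs, sorted by path, for every
    server-executable file that is either not in the baseline manifest or
    whose SHA-256 differs from the baseline. Non-executable files (images,
    stylesheets) are ignored so that ordinary content updates do not alert."""
    findings = []
    for rel_path, digest in sorted(current.items()):
        if Path(rel_path).suffix.lower() not in EXECUTABLE_EXTENSIONS:
            continue
        if rel_path not in baseline:
            findings.append((rel_path, "not in baseline"))
        elif baseline[rel_path] != digest:
            findings.append((rel_path, "content modified"))
    return findings


def _h(data: bytes) -> str:
    """SHA-256 hex digest of constructed sample content."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: a made-up baseline of a shipped web root.
SAMPLE_BASELINE = {
    "login.aspx": _h(b"<%@ Page Language=\"C#\" %> login"),
    "upload.aspx": _h(b"<%@ Page Language=\"C#\" %> upload"),
    "bin/App.dll": _h(b"MZ original assembly"),
    "images/logo.png": _h(b"PNG original logo"),
}

# Constructed sample data: the same web root after an intrusion. One new
# .aspx page appeared, the application DLL changed, and a logo was updated.
SAMPLE_CURRENT = {
    "login.aspx": SAMPLE_BASELINE["login.aspx"],
    "upload.aspx": SAMPLE_BASELINE["upload.aspx"],
    "upload2.aspx": _h(b"<%@ Page Language=\"C#\" %> unexpected page"),
    "bin/App.dll": _h(b"MZ modified assembly"),
    "images/logo.png": _h(b"PNG new logo"),
}


def sample_findings() -> list[tuple[str, str]]:
    """Run the comparison over the constructed sample data."""
    return find_webshell_candidates(SAMPLE_BASELINE, SAMPLE_CURRENT)


if __name__ == "__main__":
    # Real use: snapshot_webroot(Path(r"C:\inetpub\wwwroot")) against a
    # manifest saved from a clean install. Here we use the sample data.
    for rel_path, reason in sample_findings():
        print(f"{reason}: {rel_path}")
```

The baseline must come from a clean install or the vendor's distribution, not from the possibly-compromised server itself, and it has to be refreshed after every legitimate patch; otherwise the May 31 patch in this incident would itself have shown up as "content modified".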


Timeline

According to cybersecurity firm Mandiant, exploitation of the MOVEit vulnerability began on May 27, 2023. On May 31, Progress Software released a patch for the vulnerability and stated that it "could lead to escalated privileges and potential unauthorized access to the environment". On June 3, the Government of Nova Scotia estimated that as many as 100,000 present and past employees were affected by the breach. On June 5, various organizations in the United Kingdom, including the BBC, British Airways, Boots, Aer Lingus, and the payroll service Zellis, were breached. On June 6, Cl0p claimed responsibility for the attack on its dark web site. Cl0p claimed that the data stolen from governments had been deleted (this was later disproved). On June 12, Ernst & Young, Transport for London, and Ofcom separately announced that they had been affected, with Ofcom stating that personal and confidential information had been downloaded. On June 15, CNN reported that the United States Department of Energy was among multiple United States government organizations affected by the MOVEit vulnerability. The following day, it was reported that the Louisiana Office of Motor Vehicles and Oregon Driver and Motor Vehicle Services had been hit, affecting millions of residents.


Responsibility

According to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the breaches are being conducted by Cl0p, a Russian-affiliated cyber gang.


Impact

A running total maintained by cybersecurity company Emsisoft showed that more than 2,500 organizations were known to have been affected as of October 25, 2023, with more than 80 percent of those organizations being US-based.


Response

The Cybersecurity and Infrastructure Security Agency (CISA), CrowdStrike, Mandiant, Microsoft, Huntress, and Rapid7 have assisted with incident response and ongoing investigations. Cyber industry experts have credited the MOVEit team for its response and handling of the incident, including quickly providing patches; in general, patches for the flaw were rapidly applied.

