MOVEit Breach: Timeline of the Largest Hack of 2023

The MOVEit vulnerability was first leveraged on May 27, 2023. By October 2023, over 2,000 organizations had fallen victim, impacting an estimated 60 million individuals. The financial toll, amounting to approximately $9.93 billion, earned it the title of the 'largest hack in recent history' just three months after it was initially leveraged.

Uncovering MOVEit

The vulnerability is an SQL injection (SQLi) flaw that can be chained into Remote Code Execution (RCE). In simpler terms, it lets an unauthenticated attacker reach the MOVEit Transfer database and, from there, the server environment. In practice, attackers exploited the flaw to deploy webshells or malicious scripts on MOVEit servers.

As outlined by OWASP, SQL injection attacks can lead to several critical consequences:

  1. Confidentiality: SQL databases typically hold sensitive data, so SQL injection vulnerabilities often result in a loss of data confidentiality.
  2. Authentication: Where SQL queries built from user input are used to authenticate users, an attacker may gain access to the system as another user without knowing that user's password.
  3. Authorization: When authorization details are stored in a SQL database, a successful SQL injection could allow an attacker to alter that information.
  4. Integrity: Beyond reading sensitive information, SQL injection can also let attackers modify or delete data, compromising its integrity.
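The authentication consequence above, and the kind of unauthenticated database access described for MOVEit, comes down to user input being pasted into SQL text. The following is an added example (not code from the original post, Progress Software or OWASP) contrasting a vulnerable login check with its parameterized fix; the `users` table, its rows and the function names are constructed for illustration.

```python
"""Added example: an SQL-injectable login check next to the parameterized
fix, run against an in-memory SQLite database with constructed rows."""
import sqlite3

# Constructed sample data. Plaintext passwords are used only to keep the
# example short; a real system stores salted hashes.
USERS = [("alice", "s3cret"), ("admin", "correct-horse")]


def make_db() -> sqlite3.Connection:
    """Build the hypothetical users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def authenticate_unsafe(conn, username: str, password: str):
    """Vulnerable: input is concatenated into the SQL text, so a value
    containing a quote and a comment marker rewrites the WHERE clause."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def authenticate_safe(conn, username: str, password: str):
    """Fixed: bound parameters keep the input as data, never as SQL,
    so the same value is compared literally and simply fails to match."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def compare(username: str, password: str) -> dict:
    """Run both checks on the same input; the two results differ only
    when the input changes the meaning of the concatenated query."""
    conn = make_db()
    return {"unsafe": authenticate_unsafe(conn, username, password),
            "safe": authenticate_safe(conn, username, password)}


if __name__ == "__main__":
    print(compare("admin", "correct-horse"))  # both succeed
    print(compare("admin' --", "anything"))   # unsafe: 'admin', safe: None
```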

You can find out more in our vulnerability alert below.

Timeline of Key Events

  • May 28: During the Memorial Day weekend, Progress Software is alerted by a customer who reports unusual activity in their MOVEit environment.
  • May 31: Progress discloses a zero-day vulnerability in MOVEit, affecting both on-premises and cloud-based versions of the service. Progress issues a patch for on-premises versions and patches cloud test servers.
  • June 1: Multiple threat intelligence firms share evidence of active exploits of the zero-day vulnerability and indicators of compromise.
  • June 2: The zero-day vulnerability is assigned CVE-2023-34362 with a severity rating of 9.8. Mandiant attributes the attack to a threat cluster with unknown motives. Velociraptor releases an artifact to detect exploitation of MOVEit File Transfer's critical vulnerability.
  • June 4: Microsoft attributes the series of attacks to Clop.
  • June 5: Major organizations including the BBC and British Airways disclose that they were caught up in a chain of supply chain attacks originating from their UK third-party payroll supplier, Zellis. The breach is confirmed to have originated from MOVEit Transfer, leading to eight confirmed data compromises.
  • June 6: The Clop ransomware group claims responsibility for exploiting the MOVEit vulnerability and for exfiltrating data from "hundreds of companies". Rather than contacting each company individually, the group posts a blackmail message on its dark web site telling breached companies to get in touch or face having their data leaked. Clop sets a June 14 deadline for victims.
  • June 7: CISA and the FBI release a joint advisory with recommendations for organizations at risk of compromise, and offer a reward of US$10 million for "information linking the Clop gang or any other malicious cyber actors targeting US critical infrastructure to a foreign government".
  • June 9: Progress Software issues an updated advisory with a patch for a second MOVEit Transfer vulnerability (CVE-2023-35036), discovered during a third-party code review by Huntress.
  • June 14: Clop does not leak any data but does start posting the profiles of allegedly breached companies.
  • June 15: Progress uncovers a fresh vulnerability, CVE-2023-35708, and issues an advisory.
  • July 6: Progress reveals three more CVEs for MOVEit Transfer. CVE-2023-36934 is a critical unauthenticated SQL injection flaw, CVE-2023-36932 is a high-severity SQL injection vulnerability that could grant authenticated attackers access to the MOVEit Transfer database, and CVE-2023-36933 is an exception handling issue capable of crashing the application.

"Furthermore, it is important to note that file-transfer tools, including MOVEit, have become attractive targets for cybercriminals due to the potential to exploit vulnerabilities in enterprise solutions. Similar attacks have been observed, such as the exploitation of GoAnywhere MFT, emphasizing the prevalence of these types of threats."

Olivier Beg, 2023

Remediation Challenges

  1. Low Supply Chain Visibility: This incident is a stark reminder that understanding the full impact of a supply chain incident requires visibility not only over your third parties but also over their third parties, a complex web of interconnected risks. As more information about the breach becomes available, the set of affected organizations will likely grow, revealing the true extent of this supply chain security issue.
  2. Sprawling Attack Surfaces Creating Problems for Patching: Progress Software did ensure customers received timely patches for all reported vulnerabilities between May 31 and June 16. Yet despite these efforts, and despite the known exploitation of the vulnerability by Clop, breaches continued. The sheer number of victim organizations, the variety of data types involved, and the involvement of third parties and vendors have made response efforts slower and more complex.

Recommendations

Organizations should prioritize updating MOVEit Transfer to the latest patched versions. Where immediate updates are not feasible, firewall rules that block HTTP(S) traffic to the server on ports 80 and 443 can provide temporary relief. Network segmentation is also useful for isolating critical systems, limiting the reach of a compromise and the scope for lateral movement.

Additionally, engaging with vendors and exploring incident response services will improve readiness for further supply chain attacks. Best practices also include maintaining an accurate, up-to-date inventory of all software versions and dependencies. For more vulnerability management strategy recommendations, reach out to our team of experts.