Supply chain
CISA Advisory AA23-158A / Mandiant / Wikipedia
Primary Source
Incident Details
The CL0P ransomware gang exploited a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer managed file transfer (MFT) product starting May 27, 2023, and installed the LEMURLOOT web shell to steal data. Over 2,700 organizations and ~93 million individuals were affected globally. Major victims: Maximus (8-11M records), Louisiana OMV (6M), Colorado HCPF (4M), Oregon DOT (3.5M), BBC, British Airways, Aer Lingus, University of Rochester. Patches were released May 31, 2023, but exploitation preceded the patch.
Technical Details
- Initial Attack Vector: CWE-89: SQL Injection in MOVEit Transfer web application
- Vendor / Product: Progress Software MOVEit Transfer
- Software Package: MOVEit Transfer
- Malware Family: LEMURLOOT web shell
- CVE / GHSA References: CVE-2023-34362, CVE-2023-35708
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2023-05-27 Breach occurred
- 2023-05-31 Publicly disclosed
- 2023-06-01 Customers notified