Supply chain
HIPAA Journal / BleepingComputer / SEC 8-K filing
Primary Source
Incident Details
Maximus Inc. (a US government contractor managing Medicare, Medicaid, and student loan programs) was the largest single victim of Cl0p’s MOVEit campaign. An SEC 8-K filed on July 26, 2023 disclosed that the PHI of 8-11M individuals was exposed. $15M in remediation expenses was recorded in Q2 2023. The data included SSNs and PHI used for government program eligibility. CMS reported 2.34M Medicare beneficiaries affected. Maximus holds contracts with HHS, DOE, and DOL. Class action litigation has been filed.
Technical Details
- Initial Attack Vector: CWE-89: SQL Injection in MOVEit Transfer web application (zero-day)
- Vendor / Product: Progress Software MOVEit Transfer / Maximus government services
- Software Package: MOVEit Transfer
- Malware Family: LEMURLOOT web shell
- CVE / GHSA References: CVE-2023-34362
- Supply Chain Attack: Confirmed third-party / vendor compromise
Timeline
- 2023-05-27 Breach occurred
- 2023-07-26 Publicly disclosed
- 2023-08-01 Customers notified