Rewterz Threat Update – Gen Digital Confirms Employee Data Breach in MOVEit Ransomware Attack

Severity

High

Analysis Summary

Gen Digital Inc., the parent company of Norton, has fallen victim to a ransomware attack that targeted the recently disclosed MOVEit zero-day vulnerability. Gen Digital is a multinational software company specializing in cybersecurity software and services, owning brands such as Norton, Avast, LifeLock, Avira, AVG, ReputationDefender, and CCleaner.

The attack leveraged the MOVEit Transfer vulnerability (CVE-2023-34362) which is a SQL injection vulnerability in the managed file transfer system used by enterprises for secure file transfers via SFTP, SCP, and HTTP-based uploads. The Clop ransomware group, also known as Lace Tempest, has claimed responsibility for the attack and has been credited by Microsoft for exploiting the zero-day vulnerability.

The Clop ransomware gang targeted hundreds of companies globally through the MOVEit Transfer vulnerability and published an extortion note on the dark web, stating that they possess sensitive information from these organizations.

During the attack, the threat actors gained access to the personal information of Gen Digital’s employees, including names, addresses, birth dates, and business email addresses. However, the company clarified that its core IT systems and services remained unaffected, and no customer or partner data was exposed.

“We use MOVEit for file transfers and have remediated all of the known vulnerabilities in the system. When we learned of this matter, we acted immediately to protect our environment and investigate the potential impact. We have confirmed that there was no impact to our core IT systems and our services and that no customer or partner data has been exposed”, told company 

Gen Digital promptly took action to protect its environment, investigate the incident, and notify the relevant data protection regulators and affected individuals. Other notable victims of ransomware attacks exploiting the MOVEit Transfer zero-day vulnerability include the U.S. Department of Energy, British Airways, Boots, the BBC, Aer Lingus, Ofcom, Shell, and the University of Rochester.

Impact

• File Encryption
• Information Disclosure

Indicators Of Compromise

CVE

• CVE-2023-32439
• CVE-2023-32435
• CVE-2023-32434

Affected Vendors

MOVEit

Affected Products

• Progress MOVEit Transfer 13.0.5
• Progress MOVEit Transfer 13.1.3
• Progress MOVEit Transfer 14.0.3
• Progress MOVEit Transfer 14.1.4
• Progress MOVEit Transfer 15.0.0

Remediation

• Refer to Progress Web site for patch, upgrade or suggested workaround information.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Conduct a thorough assessment to determine the extent of the ransomware attack. Identify the systems, files, and data that have been compromised or encrypted by the Clop ransomware. 
• If reliable and unaffected backups are available, ensure they are secure and intact. Disconnect any compromised backup systems to prevent further encryption. Restore data and systems from clean backups once the affected systems have been cleaned and secured.
• Restrict user privileges and implement the principle of least privilege. Users should only have access to the systems and files necessary for their roles, reducing the potential impact of ransomware attacks