CCleaner confirms that hackers have captured customers’ personal data. The theft occurred in May when the vulnerability in MOVEit was allegedly first exploited. This adds a new name to the ever-lengthening victim list.
Cybersecurity experts identified the first exploits of the MOVEit vulnerability in May 2023. MOVEit is file transfer software that many business environments rely on. The software encrypts files during transmission, as WhatsApp does, for example, to prevent breaches.
In May, however, it was revealed that the security of the software had been affected by vulnerability CVE-2023-34362. This vulnerability allows a malicious actor to perform an SQL injection within the software, which lets that actor escalate privileges and siphon off data. As so often, once a vulnerability is exploited, the major damage comes from moving laterally within the network. Researchers claim that CL0P is behind the exploitation, and the ransomware gang supports that statement. The researchers describe the organization as “a Russian cybercriminal gang specializing in ransomware hack”.
Biggest hack of 2023
CCleaner now confirms that personal data of its customers was captured through the vulnerability. Its parent company, Gen Digital, notified users with an email that is now circulating on social media. “The information deals only with name and/or contact details, along with information about the product you bought from us. No bank details, credit card information or high-risk information such as login credentials were stolen,” the company stated.
It is not known how many users of the cleaning software fell victim. A Gen Digital spokesperson told TechCrunch that it would be less than two percent of the software’s users. The spokesperson further clarified that the contact information concerns phone numbers, e-mail addresses and residential addresses.
A long list of victims precedes CCleaner. In fact, MOVEit has become the largest hack of 2023 by number of victims. The counter is currently said to be around 2,500 companies, according to analysts. Since the files transferred via the MOVEit software always contain personal information, the number of individual victims is much higher. It is estimated to be between 65.4 and 70.2 million.
Victims in the Benelux
Within the Benelux, CL0P was able to steal data from twelve companies. In Belgium, Toyota Boshoku Europe, which has a headquarters in Zaventem, was breached. The number of Dutch victims stands at ten. TomTom, Landal, Shell, ING, and TenneT are known cases in this country.
While it does look like CCleaner is late in announcing the data breach, it is not necessarily the last we will hear about MOVEit. For example, an investigation into a cyber incident may still be in progress, which means reporting is delayed. We should be able to rule out a new breach, since several patches to fix the vulnerability have appeared. Therefore, a new incident may only occur at companies that failed to update the software in the meantime.