
Extreme Networks emerges as victim of Clop MOVEit attack

Network equipment and services supplier Extreme Networks has revealed its instance of Progress Software’s MOVEit tool was compromised in the ongoing Clop cyber attack

Extreme Networks has disclosed that it is the latest technology company affected by the fast-developing MOVEit cyber attack, with downstream customers of the network hardware and services supplier potentially at risk of having had their data stolen by the Clop (aka Cl0p) cyber extortion operation.

In a message published on Wednesday 7 June, Extreme Networks CISO Philip Swain said: “We recently learned that our instance of the Progress Software MOVEit Transfer tool was impacted by a malicious act. We took immediate action, employing our security protocols, and have contained impacted areas.

“Our investigation is ongoing, and if it is determined customer information has been impacted, we will communicate directly with those customers and disclose all relevant information,” said Swain.

The disclosure came after Computer Weekly’s sister title LeMagIT contacted Extreme Networks on Tuesday 6 June, having learned of an instance of the affected managed file transfer service, MOVEit Transfer, associated with Extreme Networks’ domain. This instance was supposedly exhibiting behaviour symptomatic of the CVE-2023-34262 exploit chain.

Later the same day, the instance was found to be unresponsive and appeared to have been disconnected from the public internet. Extreme Networks had not responded to LeMagIT’s request for clarification at the time of writing.

CVE-2023-34262 is a SQL injection vulnerability in MOVEit Transfer that Clop has apparently been working on weaponising for a considerable length of time. It is the latest in a series of file transfer products to have been compromised by Clop and turned against their users.

To date, the highest profile victim of the prolific cyber gang’s new wave of attacks has been Zellis, an HR and payroll software supplier.

A number of Zellis customers, including the BBC, Boots and British Airways, have had their employee data exfiltrated by Clop, which is currently demanding the victims make contact with it by 14 June to negotiate a ransom.

In poorly worded statements posted to its leak site, Clop has previously implied that if an organisation uses MOVEit Transfer, there is a high chance it has obtained their data.

Over 2,000 known instances of MOVEit Transfer were exposed to the internet at the point of disclosure, and it is not possible to put a figure on how many impacted customers those organisations may have.

Given how the exploit has been used, the addition of Extreme Networks to the list will be of concern to its 50,000 worldwide customers, although at the time of writing, there is no evidence to show that any of them have been compromised.

Extreme Networks has a particularly strong presence in the sports and entertainment sector, with UK customers including Premier League sides Liverpool and Manchester United.

UK victims in demand

Cybersixgill, an Israel-based threat intelligence specialist, said that in the past few days, its research team had uncovered multiple posts on dark web forums specifically requesting data on UK-based victims, with one offering up to $100,000, although they specifically referenced Zellis customers.

In emailed comments, Cybersixgill told Computer Weekly that the threat actor had additionally claimed that the data would be used “by a team dedicated to leveraging UK-sourced data”.
