Pierluigi Paganini
October 05, 2023
Sony Interactive Entertainment (SIE) has notified current and former employees and their family members about a data breach that exposed their personal information. Sony notified about 6,800 individuals, it confirmed that the security breach was the result of the exploitation of the zero-day vulnerability CVE-2023-34362 in the MOVEit Transfer platform.
The Clop ransomware gang (aka Lace Tempest) is credited by Microsoft for the recent campaign that exploits a zero-day vulnerability, tracked as CVE-2023-34362, in the MOVEit Transfer platform.
MOVEit Transfer is a managed file transfer that is used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads.
The vulnerability is a SQL injection vulnerability, it an be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.
“a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database.” reads the advisory published by the company. “Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.”
The vulnerability affects all MOVEit Transfer versions, it doesn’t affect the cloud version of the product. The company also shared Indicators of Compromise (IoCs) for this attack and urges customers who notice any of the indicators to immediately contact its security and IT teams.
In late June, the Clop ransomware gang added Sony to its list of victims on its leak site.
“We are writing to you as we believe you are a former employee of Sony Interactive Entertainment (“SIE”) or are a family member of a current or former employee of SIE.” reads the data breach notification sent to the impacted individuals.
“On May 31, 2023, Progress Software announced a newly discovered vulnerability in its MOVEit file transfer platform, which is used by SIE and thousands of other enterprises around the world. On May 28, 2023, before Progress Software announced the vulnerability and we became aware of it, an unauthorized actor used the vulnerability to download some SIE files stored on our MOVEit platform. On June 2, 2023, SIE discovered the unauthorized downloads, immediately took the platform offline and remediated the vulnerability. An investigation was then launched with assistance from external cybersecurity experts.”
Once it had discovered the unauthorized downloads, SIE launched an investigation into the security breach and notified law enforcement.
In response to the incident, SIE has increased the monitoring of its systems. The company pointed out that they are not aware of the publication or misuse of the stolen personal information. The company is also offering complimentary Equifax Complete Premier credit monitoring and identity restoration services to the impacted individuals.
In September, Sony announced it was investigating allegations of a data breach after the RansomedVC extortion group claimed to have hacked the company and added the company to its Tor leak site.
“We are currently investigating the situation, and we have no further comment at this time.” Sony said.
The ransomware group published some files as proof of the hack, but it is unclear if the threat actors were able to compromise all the company’s systems.
RansomedVC told BleepingComputer that it has stolen 260 GB of data from Sony’s networks and they are attempting to sell stolen data for $2.5 million.
While RansomedVC claims the hack, another threat actor that goes online with the moniker ‘MajorNelson’ also claims responsibility for the attack and says RansomVC is lying.
MajorNelson leaked a compressed archive of 2.4 GB in size which contains “A lot of credentials for internal systems,” and data related to
At the time of this writing we cannot exclude that Sony has suffered more than a data breach since June.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Clop ransomware)
