MOVEit vulnerability


Tandalaya

I got an email supposedly from CCleaner that the MOVEit vulnerability had gained access to CCleaner and my info. They asked me to protect myself by clicking on a link and following instructions. A scam? Has CCleaner had such a problem?

Thx

Link to comment
Share on other sites

  • Moderators

*EDIT3 Friday 27 Oct 12:40 UCT-

It has now been confirmed that this "MOVEit" email is indeed genuine, and is from CCleaner.

See the post from Gayathri CCleaner below:
https://community.ccleaner.com/topic/65717-moveit-vulnerability/#comment-345112

I strongly suggest that you use haveIbeenpwned to check if/which of your email addresses have been harvested by the bad guys.

You should abandon (and then delete if you can) any email addresses that haveIbeenpwned says have been compromised in a data breach.
Yes it can be a pain to inform all your contacts of your changed address, but if the address has been compromised then it's better safe than sorry.
https://haveibeenpwned.com/

If you don't use a password manager then I advise checking your passwords for any breaches too.
Again if you find that any have been collected in a data breach change them and don't use them again.
https://haveibeenpwned.com/Passwords

I check all my emails and passwords at least once a month, just in case.

 

More about the MOVEit malware that appears to have been involved here, for anyone who wants to know what it is:
https://www.malwarebytes.com/blog/news/2023/06/update-now-moveit-transfer-vulnerability-actively-exploited

*** Out of Beer Error ->->-> Recovering Memory ***

Worried about 'Tracking Files'? Worried about why some files come back after cleaning? See this link:
https://community.ccleaner.com/topic/52668-tracking-files/?tab=comments#comment-300043

 

Link to comment
Share on other sites
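An added example, not part of the original thread and not code from CCleaner or Have I Been Pwned: the password check recommended above can be done without the password leaving your machine, because only the first five characters of its SHA-1 hash are sent. The range endpoint and the `Add-Padding` header come from the public Pwned Passwords API rather than from this page, and the sample response is constructed.

```python
import hashlib
import urllib.request

# Public Pwned Passwords range endpoint (not mentioned on this page).
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed sample of a range response: "<35-char hash suffix>:<count>" per line.
# The counts are made up; the last line imitates a padding entry (count 0).
SAMPLE_RANGE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\r\n"
)


def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the 5-character prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Download every known hash suffix that shares this 5-character prefix."""
    request = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def count_in_range(suffix, body):
    """Compare locally: find our suffix in the response and return its count."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)  # padding entries carry 0, i.e. not breached
    return 0


def pwned_count(password, fetch=fetch_range):
    """Number of times the password appears in known breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    offline = lambda prefix: SAMPLE_RANGE
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, fetch=offline))
```

Calling `pwned_count(...)` without the `fetch` argument queries the live service; a non-zero result means the password should be changed and not reused.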

  • Moderators

@Tandalaya

I have just checked for you the email address that you used to register with this forum.

haveIbeenpwned says that it has been harvested in 13 separate data breaches, over the past 10 or so years, so you may want to stop using it.

Check there yourself for more details of the breaches that it has been harvested from.

Link to comment
Share on other sites

  • Moderators

Interesting, that is saying that it has been sent by CCleaner because a CCleaner server was compromised by the MOVEit vulnerability.

That is not something that I have heard about.

I still would not trust it until we get clear confirmation, or denial, from the CCleaner staff.

We are waiting for a response from them.

Link to comment
Share on other sites

Thanks for the info Nukecad.  If it is genuine, then I find it disappointing to be let down by Piriform/CCleaner.  I've been receiving a lot of unpleasant stuff to my phone via text that only just started in the past couple of months as well as an increase in spam phone calls.  It now makes me wonder if this breach is the source.

Link to comment
Share on other sites

From the 26-Oct-2023 Cybernews article CCleaner Confirms Data Breach via MOVEit Attack :

Quote

We contacted CCleaner, and the company confirmed that it indeed sent out emails to affected individuals. The company told Cybernews that low-risk employee data, as well as some customer data, was impacted...“During continued due diligence, we found some of our customers’ personal information, such as name, email address and phone number, was also impacted,” the company said.  CCleaner’s representative said it will offer affected individuals complimentary dark web monitoring services....

------------
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.3570 * Firefox v119.0.0 * Microsoft Edge v118.0.2088.69 * Microsoft Defender v4.18.23090.2008-1.1.23090.2007 * Malwarebytes Premium v4.6.5.293-1.0.2181 * Macrium Reflect Free v8.0.7690 * CCleaner Free Portable v6.17.10746

Link to comment
Share on other sites

  • Moderators

Thanks @lmacri

I see that according to that Cybernews article I have supposedly had a promotion to Admin 🤣. I guess it reads better that way.
Even if I did initially give the wrong advice because of a lack of information.

Admin or not; as (unpaid) mods here on the forum we are on the front line of company support; and I for one am pretty irate that we were given no information at all about this breach, or simply a 'heads up' a warning that such emails were going to be sent out.

If we had had such a warning then we could have given the correct information from the start.

As Hazelnut says we have still had no feedback at all from the Piriform staff, and so we are currently relying on second hand information from web articles like the Cybernews one.

Link to comment
Share on other sites

  • Admin

Hi Everyone, We’re reaching out to help address some of the questions here. First, we can confirm that the email you received was valid and not a phishing scam. As part of the MOVEit incident, some customer information, such as name, email address and phone number, was impacted. Our systems are secure and operational, and the cause of this was addressed immediately when the MOVEit incident was discovered. While this information is not considered high risk, we take the safety of our customers extremely seriously. The best way to protect yourself is being vigilant against any potential phishing threats using this. Should you have questions related to your personal account, you can always reach out to our support team. You can also find more information about the Progress Software MOVEit vulnerability here.

Link to comment
Share on other sites

  • Moderators

Perhaps it was leftover from the parent company (GenDigital) when they were caught out with MOVEit ransomware  in June :rolleyes:

Quote

Gen Digital Inc. (formerly Symantec Corporation and NortonLifeLock) is a multinational software company that provides cybersecurity software and services. 

The company owns multiple brands, including Norton, Avast, LifeLock, Avira, AVG, ReputationDefender, and CCleaner.
Gen Digital said it 

https://securityaffairs.com/147739/cyber-crime/gen-digital-moveit-ransomware-attack.html

 

Support contact

https://support.ccleaner.com/s/contact-form?language=en_US&form=general

or

support@ccleaner.com

 

Link to comment
Share on other sites

I have merged this from a separate thread to here, so that the replies about these emails are all together and easily found. - Nukecad.

This may sound odd, BUT, I recently received a strange e-mail, supposedly from CCleaner, stating that my personal data had been compromised, and that I was now featured on the dark web.

In order to verify that this was indeed from CCleaner, and not some sort of attempt at a scam, or other fraud, I made enquiries via the official CCleaner web site using the form provided.

I duly received a response saying that the message was genuine, and an offer was made of a 6 month free trial of a programme called BreachGuard.

I am still not entirely happy with this situation, nor am I convinced that any of this is genuine.

The responding message originated in Manila, in the Philippines, and as far as I know,  CCleaner's offices are in London and the US ?

I have also checked all my current e-mail addresses, via "Have I been pwned". There was no indication that any of my addresses had been compromised.

Has anybody else experienced this situation ?

If so, what action should I take ?

I guess that I am just paranoid about on-line security !

Any advice would be appreciated.

 

Link to comment
Share on other sites

  • Moderators

Yes this is genuine.

But you are right to double check if not sure.

(PS. the CCleaner support is based in the Philippines).

It is good that haveIbeenpwned shows you as clear, but you may want to check again in a week or so. (I check my emails and passwords there at least once a month).

Please see the post above from Gayathri CCleaner.

Link to comment
Share on other sites

Thanks for that.

I wonder do you know when the relevant hack took place.

Looking through the various incidents detailed via Google, there seems to be a degree of confusion, as to which hack was responsible for this info being available on the dark web ?

Surely we are not referring to the hack that took place back in 2017 ?

I have only been using CCleaner since earlier this year, so hopefully anything from an earlier time would not be a problem for me ?

I have run all my important passwords through  the password pwnd gizmo, and all seems to be OK.

I will take your advice and run checks further down the road.

Link to comment
Share on other sites

  • Moderators

@Montezuma

No, this has nothing to do with the 2017 hack of CCleaner.

This is a new, 2023, 'data breach' (not a 'hack' although that word is often used in the media to cover lots of different things).

This is a new'ish data theft involving the 'MOVEit Transfer' software that is used by many large organisations and companies.
Many of those large organisations and companies were affected by it to a lesser or greater extent.

I've been looking at the timeline and from what I can find so far:

  • The company that owns the 'MOVEit' software first reported finding the vulnerability in their system at the end of May/beginning of June 2023.
  • Steps were taken to close down the vulnerability.
  • The company that owns CCleaner (Gen Digital) reported at the end of June 2023 that they had been affected, and they (may have) had data stolen.
    At that time it was thought that only employee data had been taken, and that no customer data had been accessed.
  • More checking has been done and CCleaner is now informing some users, by email, that their data may have been breached/stolen.

We haven't been told just how many CCleaner users have been sent these emails, or if any more will be sent out.

NOTE that this is not an infection, it is not something that is 'on your machine' at all.
But do run a scan with Windows Security/Windows Defender, or any other antivirus/antimalware app you have, if you want to reassure yourself of that.

What has happened is that some of your details, such as your email address, may have been stolen, and so may now be shared by spammers, scammers, con artists, and other bad guys.
This means that you should be extra careful/wary of any emails that may now be sent to that email address, and should check carefully any that you are not sure about.
TBH you should already always be being careful about all emails that you get anyway.

Using haveIbeenpwned is a good way to check if your email (or passwords) have been stolen and shared in that way - either from this breach or from one of the many, many, other data breaches that do happen.
It's free to check them at anytime that you want to check, here are the haveIbeenpwned links again:
https://haveibeenpwned.com/
https://haveibeenpwned.com/Passwords

Those who do get an email from CCleaner are being offered Avast BreachGuard for 6 months for free, once set up that will automatically keep checking the web to see if your email etc, turns up on any lists.

Link to comment
Share on other sites

  • Moderators

@Montezuma

Note here also (Avast as you will know is part of the GenDigital company, which also includes CCleaner, Norton, Avast, LifeLock, Avira, AVG, ReputationDefender )

https://forum.avast.com/index.php?topic=325259.0

https://forum.avast.com/index.php?topic=325231.0

 

Link to comment
Share on other sites

I am now fully up to speed on this topic, thanks to blokes who are a tad more knowledgeable about such things than I am.

However, I am even more paranoid, about internet security, than ever.

Is nothing sacred, . . . . . . or secure ?

I may well take up the offer, of BreachGuard for a 6 month free trial.

Link to comment
Share on other sites

  • Moderators

Just to note that I believe that the free Avast BreachGuard will be on an automatic subscription basis.

If I am right about that then you can think of it as a special '6 month free trial' for those who have been affected - and you will need to cancel the automatic subscription at (or before) 6 months if you don't want to keep it and automatically pay for it.

Link to comment
Share on other sites

  • Moderators
6 hours ago, CSGalloway said:

I have been pwned -  3 different sources.  so what do I need to do to get the "free Avast BreachGuard" ??

The free offer is for those who have had the MOVEit breach email from CCleaner - if that includes you then you will get a further email about getting/installing the offer.

The free offer is not just for anyone who happens to have been pwned in some other, unrelated, breach.

Note that Avast BreachGuard will not prevent you being pwned in a data breach, nothing you can install on your devices could do that.
What it does is check the web to tell you if your details subsequently appear on a list after you have been pwned.
In other words it can only tell you after it's already happened.

 

TBH I don't need something to tell me that,
Data Breaches are a fact of life these days and so I just assume that it has happened to some of my data at sometime, act accordingly, and check haveIbeenpwned regularly.
You have now checked and found that some of yours has been breached 3 different times now, and no doubt will be again at sometime.

When (not if) you find something of yours has been pwned then you change it or abandon it and move on.
If it's an email address and you can't abandon it, or don't want to, then you be careful about what you receive there because you know that it has been involved in a breach so some spammer/scammer/con artist may now have got hold of it.

Link to comment
Share on other sites

It is my main Gmail address - which I also use for Google chat. IOWs it's not one I can switch to another one. Would changing my password help or what else please? Any other advice?

Link to comment
Share on other sites

  • Moderators

Using haveIbeenpwned is a good way to check if your email, or passwords, have been stolen in a data breach and shared - either from this breach or from one of the many, many, other data breaches that do happen.
It's free to check at anytime that you want to check, here are the haveIbeenpwned links again:
https://haveibeenpwned.com/
https://haveibeenpwned.com/Passwords

If it's your password(s) that has been pwned - those are easily changed to prevent anyone using it to login to your accounts.

With a pwned email address then it's more a case of your knowing that it's now out there in public - so you may get more spam sent to it, and more sent to it begging for money or scams attempting to con you into something.

If you are going to be keeping that email address - because you don't have to abandon a pwned email address,
But you do have to be more careful of anything you receive at that address - you should always be being careful anyway.

The other problem that you might face with a pwned email is someone pretending to be you to people on your contacts list by faking emails as being from you.
Of course to do that they also have to have had access to your contacts list at some time.
Whilst it does happen it's not common, because they would have to have both your email address and your contacts list.

If you are keeping an email that you know has been pwned then you may want to inform your contacts who have that email address, so that they can be careful of any emails supposedly coming from it which might not be from you but may be fakes.

In the end having your email address pwned in a data breach is not that different from you yourself putting your email in open view where anyone can see it. (Which is why we edit them out of forum posts when we see someone do that).

You can even think of it as being similar to your postal (snail mail) address being put on mailing lists and shared, so that you get more advertising letters and 'please support/donate to ....' letters  and leaflets sent to it through the post.
Whilst we all accept that that happens with our postal addresses, we like it less when it happens with email addresses, simply because we tend to think of emails as being more private.
The answer in both cases is of course to spot which is the junk mail, ignore it and throw it away.
(Or change your address- that's much easier to do with an email address than moving house would be).

Link to comment
Share on other sites

Dear nukecad,

You have the most detailed solutions about this topic, but about that e-mail check on that website you love, idk.

Strange thing is here that I check my main address on that site, and have a green light.

So how is it possible that some not important data from me is leaked on dark web? What data is leaked?

Link to comment
Share on other sites

  • Moderators

It does take time for data from breaches to be reported, and for it to turn up for sale.

So until/unless the companies affected tell them just what was taken (obviously companies don't like doing that), or until that data turns up for sale somewhere, it's not going to be listed in a check.

So you do have to check regularly.

That's what the Avast BreachGuard does, it checks regularly for you.

Link to comment
Share on other sites

  • Moderators

This attack happened in May but info is appearing about it now. Have a read of the article and you will see that CCleaner was just one of many attacked by MOVEit.

Quote

The State of Maine has announced that its systems were breached after threat actors exploited a vulnerability in the MOVEit file transfer tool and accessed personal information of about 1.3 million, which is close to the state's entire population.

https://www.bleepingcomputer.com/news/security/maine-govt-notifies-13-million-people-of-moveit-data-breach/

 

Link to comment
Share on other sites
