Cyber Incident Victim: Extreme Networks
Date: Jun 2023
Location: United States of America
Summary
Extreme Networks was impacted by a malicious act affecting its instance of the Progress Software MOVEit Transfer tool. The company took immediate action to contain the impacted areas and initiated an ongoing investigation. It was stated that if customer information was determined to be affected, the organization would communicate directly with those customers to disclose all relevant information.
Description
Extreme Networks became aware that its instance of the Progress Software MOVEit Transfer tool was impacted by a malicious act. The company learned of this security breach on or around June 7, 2023. The specific nature of the malicious act was not detailed, but it was part of a broader, widespread exploitation of a zero-day vulnerability within the MOVEit file transfer application that was discovered and publicly disclosed by Progress Software in late May 2023. This vulnerability, identified as CVE-2023-34362, was a critical SQL injection flaw that allowed unauthorized attackers to gain access to MOVEit Transfer databases. Threat actors, subsequently identified as the Clop ransomware group, exploited this vulnerability to infiltrate the systems of numerous organizations worldwide that utilized the software for secure file transfers.

Upon discovery, Extreme Networks took immediate action by employing its established security protocols. The primary response was to contain the areas that were impacted by the breach. This containment effort was a crucial first step to isolate the affected systems and prevent any further unauthorized access or exfiltration of data. The company’s investigation into the incident commenced immediately and was described as ongoing at the time of the initial announcement. The focus of this investigation was to determine the full scope of the compromise, including which systems were accessed and what specific data was potentially taken by the threat actors.
The core of the incident revolved around the MOVEit Transfer application, which is typically used for secure internal and external file transfers. The compromise of this system presented a significant risk because such platforms often contain sensitive information. The impacted instance was a part of Extreme Networks' own corporate infrastructure. The company's announcement was deliberately cautious, stating that if the investigation determined customer information had been impacted, direct communication with those affected customers would follow. This statement indicated that the compromise had the potential to involve third-party data belonging to Extreme Networks' clients, which is a common consequence when a secure file transfer platform is breached.
The public disclosure was made by Philip Swain, the Chief Information Security Officer of Extreme Networks, through a post on the company's community forum. The announcement was factual and concise, acknowledging the event and the initial response without providing specific technical details about the attack vectors or the extent of the intrusion. The company's commitment was to disclose all relevant information to customers should their data be found to be involved.

The response actions followed a standard incident response lifecycle, beginning with detection and initial analysis, moving swiftly to containment to limit damage, and proceeding with a thorough investigation to assess the impact and scope. The containment phase successfully halted the immediate threat, allowing the investigation to proceed in a controlled environment. The consequences of the incident were initially undefined, pending the outcome of the forensic investigation. The potential impacts included the unauthorized access and exfiltration of sensitive corporate or customer data, which could lead to secondary threats such as targeted phishing campaigns, extortion attempts, or compliance violations depending on the type of data involved. The company's priority was to complete its investigation to accurately determine these consequences and fulfill its obligation to notify any affected parties in accordance with regulatory requirements.
