
Data Breaches from MOVEit Zero-Day Still Piling Up – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

Cybercrime groups exploiting the zero-day flaw in the MOVEit managed file transfer software linked to the Cl0p ransomware gang continue to rack up victims, with the National Student Clearinghouse non-profit group and the BORN Ontario perinatal and child register in Canada both claiming data breaches linked to the widely abused vulnerability.

Clearinghouse, in a breach notification letter sent to the California Attorney General’s Office, said that 890 educational systems were affected by the cyberattack on May 30, with the hackers stealing files that included such personal information as names, dates of birth, contract information, Social Security and student ID numbers, and school records regarding enrollment, degrees, and courses.


The data stolen varies from one victim to another, according to Clearinghouse. The data that was affected by this issue varies by individual.

The 30-year-old organization counts 3,600 universities and colleges and 22,000 high schools as customers of its educational reporting, verification, and research services. About 97% of students in private and public colleges and universities and 70% of high school students are enrolled in those schools.

In the letter, the U.S. education organization said Progress Software, the developer of the MOVEit transfer tool, alerted Clearinghouse to the intrusion on May 31, the day after the attack. Clearinghouse began an investigation and notified law enforcement agencies.

“We have implemented patches to the MOVEit software pursuant to Progress Software’s instructions and put in place additional monitoring measures to further protect our systems and your data,” the organization said in the letter, which it sent to affected organizations and individuals.

Data of 3.4 Million People Stolen

Meanwhile, BORN (Better Outcomes Registry and Network) Ontario updated the information related to a May 31 data breach launched via MOVEit, in which files containing personal health information of about 3.4 million people were copied. Most of the individuals whose information was stolen were people seeking pregnancy care and newborns born in Ontario between January 2010 and May, the organization said in an incident statement.

Those most likely to be affected by the breach include people who gave birth or had a child born in Ontario between April 2010 and May, received pregnancy care between January 2012 and May, or had in-vitro fertilization or egg banking between January 2013 and May.

BORN gathers data from healthcare providers, labs, and hospitals, analyzes the data about pregnancy and newborn care, and packages it for healthcare providers to use to improve care, inform decisions, and drive research.

“At this time, there is no evidence that any of the copied data has been misused for any fraudulent purposes,” BORN Ontario wrote. “We continue to monitor the internet, including the dark web, for any activity related to this incident and have found no sign of BORN’s data being posted or offered for sale.”

Like Clearinghouse and other victims, BORN Ontario isolated the impacted server, began an investigation, and notified law enforcement.

List of MOVEit Flaw Victims is Growing

Clearinghouse and BORN Ontario join a rapidly expanding group of private organizations and government agencies that have sustained data breaches through the MOVEit software, which is used to automate and secure the transfer of data files for thousands or

In its latest count, cybersecurity firm Emsisoft said 2,054 organizations and more than 62 million individuals have been affected by threat groups exploiting the vulnerability – tracked as CVE-2023-34362.

“It was a vulnerability which could enable hackers to access MOVEit and steal data – something which it later emerged had been happening since at least May 27th,” Emsisoft wrote.

Progress between May 31 and June 15 issued three patches and the Cl0p group admitted to attacking the MOVEit platform.

“The upstream/downstream in many MOVEit incidents is extremely complex, with some organizations being impacted because they used a vendor which used a contractor which used a subcontractor which used MOVEit,” the security firm wrote. “Additionally, some organizations have had MOVEit exposure via multiple vendors.”

Security Experts: Apply the Patches

Cybersecurity pros told Security Boulevard that organizations need to apply the patches from Progress now. Darren Guccione, co-founder and CEO of Keeper Security, said that news of more organizations getting compromised by the MOVEit flaw “should serve as a wakeup call to every organization that this serious zero-day vulnerability must be remediated immediately.”

Guccione added that organizations in general should be proactive about regularly updating software and immediately patching vulnerabilities that are being exploited in the wild.

John Bambenek, principal threat hunter with Netenrich, noted that both the flaw – which is actively being exploited by several threat groups – and the patch have been known for four months.

“There is a long tail of figuring out if you had been victimized,” Bambenek told Security Boulevard. “For organizations still using a vulnerable version of MOVEit, the most important thing they should do is fire the CISO because there is no excuse for not having remediated it by now.”


Original Post URL: https://securityboulevard.com/2023/09/data-breaches-from-moveit-zero-day-still-piling-up/

Category & Tags: Cybersecurity, Data Security, Featured, Incident Response, Malware, Network Security, News, Security Boulevard (Original), Spotlight, Threats & Breaches, CL0P, MOVEit, Ransomware
