Extortion Group Clop’s MOVEit Attacks Hit Over 130 Victims – Source: www.databreachtoday.com

3rd Party Risk Management
,
Fraud Management & Cybercrime
,
Governance & Risk Management

Known Victims Now Include New York City Schools, UCLA and Multiple PBI Customers

Mathew J. Schwartz (euroinfosec) •
June 27, 2023    

Editor’s note (June 28, 2022 08:30 UTC): This story has been updated to add more victim and attack details.

See Also: Live Webinar | The Secret Sauce to Secrets Management

The tally of organizations affected by the Clop ransomware group’s supply chain attack against users of Progress Software’s popular MOVEit file transfer software continues to grow.

“As of today, 108 organizations including seven U.S. universities have been listed by Clop and/or disclosed being impacted by MOVEit,” Brett Callow, a threat analyst at Emsisoft, tweeted late Monday.

As of Wednesday morning, cybersecurity research firm KonBriefing reported that at least 131 organizations appear to have been impacted.

Clop’s campaign exploited a zero-day vulnerability in the MOVEit file transfer software to steal data. A majority of the attacks appear to have been launched on May 27 and May 28, apparently timed to coincide with the long Memorial Day holiday weekend in the United States.

Progress first released patches for supported versions of MOVEit on May 31 to fix the exploited flaw, designated CVE-2023-34362. As of June 15, Progress had patched two more zero-day vulnerabilities, although these don’t appear to have been exploited by criminals.

Prior to the initial zero-day vulnerability being patched, attackers stole data from victim organizations, comprising personal information for millions of individuals. Clop quickly claimed credit for the attacks. While the group has used crypto-locking malware against past targets, its MOVEit campaign only appears to involve data exfiltration. This also was the case with the group’s zero-day campaign earlier this year targeting users of the GoAnywhere file transfer software.

More Victims Come to Light

MOVEit counts thousands of users worldwide, and more victims may well still come to light. “We leak names slowly to give big companies time to contact us,” Clop says on its data leak site. Many ransomware groups list victims on these sites who haven’t paid a ransom, to try and pressure them into paying.

Clop on Monday listed UCLA as one of its MOVEit victims. “UCLA uses MOVEit Transfer to transfer files across the campus and to other entities,” a university spokesperson told Information Security Media Group. UCLA discovered the attack on June 1, launched an investigation and has now notified all impacted individuals. It declined to specify what information was exposed or how many individuals have been impacted.

On Saturday, New York City reported that cybercriminals had stolen personal information pertaining to approximately 45,000 students, as well as staff members and service providers.

While the city’s probe is ongoing, its Department of Education said in a data breach notification that “roughly 19,000 documents were accessed without authorization,” which exposed 9,000 Social Security numbers and an unspecified number of employee ID numbers.

“Individuals will be offered access to an identity monitoring service,” the city said. Both the FBI and New York Police Department are investigating the attack.

On Friday, the Superannuation Arrangements of the University of London, known as SAUL, began informing at least some of its more than 68,000 members that their personal details were exposed. More than 50 universities use SAUL.

On June 19, Software development giant Informatica reported that “some files uploaded to our technical support FTP server” between May 21 and June 1 were obtained by attackers who exploited the MOVEit flaw.

Other known victims of Clop’s campaign include oil and gas giant Shell, U.S. financial services firms 1st Source and First National Bankers Bank, The Boston Globe, the government of Canadian province Nova Scotia, U.K. media watchdog Ofcom, British payroll provider Zelle – and by extension eight of its customers, including the BBC, the Boots pharmacy chain and British Airways – and multiple U.S. government agencies, including the Department of Energy.

A group of Louisiana residents whose personal details were exposed when the state’s Office of Motor Vehicles fell victim have filed a lawsuit against Progress Software in federal court, seeking class action status.

Service Provider Customers Affected

PBI Research Services, which helps financial services firms identify policyholders who have died and locate beneficiaries, also fell victim. Attackers stole data stored on behalf of its customers.

The data theft has led to multiple breach notifications from PBI customers, including Genworth Financial, which reported that attackers had stolen from PBI personal information for up to 2.7 million of its customers and agents. PBI uses the California Public Employees’ Retirement System, which manages the largest public pension fund in the U.S. It said nearly 770,000 members’ personal information had been stolen from PBI. Wilton Reassurance Co. reported that personal information for 1.5 million customers, including their Social Security numbers, had been stolen.

Some of the organizations that have reported falling victim to the MOVEit attacks may never see their stolen data listed by Clop. The group has been bending over backward to claim that any government data it steals is quickly deleted, and on its data leak site it claims that it has a purely financial – not political – agenda.

Clop claims that as part of the MOVEit campaign, it has deleted government data it stole from 30 organizations, including government agencies. The Russian-speaking ransomware group could of course have already sold anything of interest to foreign intelligence services.

June 28, 2022 08:30 UTC: This story has been updated to clarify that Progress Software first released updated versions of MOVEit to patch CVE-2023-34362 on May 31; with the latest count of known victims; and with additional details pertaining to known victims.