The Cl0p ransomware group has publicly disclosed the names of over two dozen organizations allegedly targeted in a campaign exploiting a zero-day vulnerability in the MOVEit managed file transfer (MFT) software.
This cybercriminal gang exploited a vulnerability tracked as CVE-2023-34362 to steal data from organizations using MOVEit Transfer. Although evidence suggests testing of the flaw since 2021, mass exploitation began in late May 2023.
Key Takeaways
- Cl0p ransomware group targeted organizations using MOVEit managed file transfer (MFT) software with a zero-day vulnerability (CVE-2023-34362).
- The group has named more than two dozen organizations as victims and threatened to leak stolen data if they do not contact the hackers by a specified deadline.
- Progress Software, the developer of MOVEit, has released patches for newly discovered vulnerabilities and advised customers to temporarily disable HTTP and HTTPS traffic to safeguard their environments.
Identification of Cl0p Group and Victim Naming
The attacks were swiftly attributed to the Cl0p group, known for previously exploiting a zero-day in the GoAnywhere MFT product to steal data from numerous organizations.
The group has claimed responsibility for the MOVEit zero-day campaign and set a deadline of June 14 for victims to contact them to prevent the leak of stolen data. They claim to have targeted hundreds of entities.
Publicly Named Victims and Targeted Sectors
Following the June 14 deadline, more than two dozen organizations have been named on the Cl0p leak website.
Although it is not explicitly stated that they are MOVEit victims, these organizations likely represent victims who chose not to contact the cybercriminals.
The list includes Shell, a major energy company, as well as organizations from the financial, healthcare, manufacturing, IT, pharmaceutical, and education sectors. The majority of victims are banks and financial institutions in the United States, followed by healthcare organizations.
The hackers have claimed they will not target healthcare facilities for children.
Status of Data Leaks and Confirmed Victims
Currently, there is no evidence to suggest that the ransomware group has leaked any data from the targeted organizations. However, the list of confirmed victims continues to grow.
Notable victims who have come forward include Zellis, a UK-based payroll and HR company (whose customers British Airways, Aer Lingus, the BBC, and Boots were also affected), the Canadian province of Nova Scotia, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).
Recent statements have been issued by Johns Hopkins University and Johns Hopkins Health System, UK media watchdog Ofcom, and a Missouri state agency.
Impact on US Federal Government Agencies and Claimed Motives
According to Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), several US federal government agencies have been impacted.
Among them is the Department of Energy, which has taken measures to mitigate the hack’s impact.
The cybercriminals maintain that they are solely seeking ransom payments from businesses and have purportedly deleted all government data obtained during the attacks.
Additional Vulnerabilities and Patch Releases by Progress Software
Progress Software, the developer of MOVEit, has alerted customers to another newly discovered vulnerability that could potentially result in escalated privileges and unauthorized access.
The vendor has issued patches, although a CVE identifier has yet to be assigned. In response, Progress requested MOVEit Transfer customers to temporarily disable HTTP and HTTPS traffic to protect their environments while awaiting the patch.
This development follows the recent release of patches by Progress to address new SQL injection vulnerabilities (CVE-2023-35036) identified during the analysis of the zero-day flaw.