Cl0p’s MOVEit Attack Victim Count Continues to Climb

August 2, 2023 at 2:00 PM

The cyber threat landscape continues to evolve at an alarming pace, posing ever-increasing challenges to businesses, governments, and individuals. A particularly troubling development in recent months has been the dramatic rise in MOVEit attacks attributed to the Cl0p ransomware group.

The Growing List of Victims

As of Monday, at least 545 organizations have been directly or indirectly impacted by the Cl0p group's MOVEit attacks. This information is based on reports from the German cybersecurity firm KonBriefing, which has been closely monitoring the situation. It includes both victims who have issued data breach notifications and those identified by Cl0p on its own data leak site. Cl0p’s MOVEit victims only appear to have suffered data theft and extortion, and not data encryption and ransomware.

The list of victims affected is extensive and encompasses various industries. This includes notable corporations such as American Airlines, EY, PwC, Shell, PBI Research Services, and TIAA. Government agencies in the United States, United Kingdom, and Canada have felt the impact as well. The Cl0p group continues leaking data from affected organizations, further escalating the situation.

What is MOVEit?

MOVEit, a managed file transfer (MFT) software created by Ipswitch, Inc. (which is now a part of Progress Software), provides encryption for files and utilizes transfer protocols like FTP(S) or SFTP for data transfer. Additionally, MOVEit offers automation features, analytical tools, and failover solutions. Thousands of IT departments in industries such as healthcare, technology, government, and financial services have employed this software.

A Zero-Day Vulnerability Exploited

The saga began in late May when the Cl0p group exploited a zero-day vulnerability in MOVEit file transfer software. This vulnerability enabled the group to steal data from hundreds of organizations before a patch was issued on May 31.

The impact of these attacks is immense. The Cl0p group's thefts included the personal details of at least 38 million individuals. The education sector was the most affected, accounting for 24% of known victims, followed by finance and professional services, which together made up 22%. A staggering 74% of known victims were U.S.-based organizations.


Who is the Cl0p Ransomware Gang?

Microsoft has revealed that the Lace Tempest group, also known as Storm-0950, is responsible for the attacks on MOVEit instances and the operation of the Cl0p extortion website. This group, recognized as an operator of ransomware, manages the Cl0p site and shares connections with other organizations such as FIN11, TA505, and Evil Corp. With members likely hailing from Russian-speaking regions and probably operating out of Russia, the group's primary focus seems to be financial gain, with no evidence to suggest direct orders from the Russian government. Although speculation might link some of its members to Russian authorities, the attacks on government entities appear to be collateral in a wider effort to extract funds from corporations, rather than a specific attempt to extort government bodies.

Copying ALPHV's Extortion Tactic

In a concerning development, the Cl0p group began replicating an extortion tactic previously used by the ALPHV ransomware group. This involved creating clearweb websites, which are easier to use for leaking stolen data and applying pressure on victims to pay ransoms.

Unlike sites on the Tor network, which require specialized browsers and typically offer slower download speeds, clearweb sites are hosted directly on the public internet. This makes the data more accessible and may allow it to be indexed by search engines, spreading the leaked information even further.

This approach is not without hazards, though. Clearweb sites are more susceptible to law enforcement interventions and DDoS attacks from cybersecurity companies, and hosting providers or registrars may take them down more easily. This raises questions about the long-term effectiveness of this tactic.

Breach Announcement from Allegheny County

Allegheny County, located in Western Pennsylvania, reported a significant breach involving the Cl0p group, which stole information related to 967,690 individuals. This data included names, addresses, Social Security numbers, and possibly medical details.

The breach was identified in early June when unusual activities were detected on the county's servers. This attack not only highlights the Cl0p group's relentless pursuit of targets but also demonstrates the increasing vulnerability of government bodies. The breach has forced Allegheny County to reassess and strengthen its cybersecurity measures.

Upon discovery, Allegheny County officials promptly engaged with federal agencies and cybersecurity experts to mitigate the attack. The investigation has led to increased security protocols, tightened access controls, and the implementation of two-factor authentication. The county is offering credit monitoring services to the affected individuals and has established a hotline for inquiries.

This event has started wider discussions about how to protect public information in areas like Allegheny County and other governmental regions. It emphasizes the need for proactive measures such as regular security assessments and the need for collaboration between different levels of government.

US Government Vendor Maximus Hit by MOVEit Attack, Impacting Millions

Maximus Inc., a prominent vendor for the U.S. government that provides processing solutions for health and human services, reported a data breach involving between 8 and 11 million individuals resulting from the MOVEit incident. Up to 612,000 Medicare beneficiaries were noted by the Centers for Medicare and Medicaid Services to potentially have had their data exposed following Maximus’ breach. The personal information compromised may include names, dates of birth, Social Security numbers, and financial data.

The sheer scale of this breach underscores the extensive reach of the Cl0p group's attacks, with Maximus serving as a key gateway to millions of citizens' data. The affected information, if misused, could lead to identity theft, financial fraud, and other malicious activities.

Maximus promptly launched an investigation in collaboration with third-party cybersecurity experts to assess the breach's impact. The company has since fortified its security infrastructure and implemented additional security measures, such as encryption and continuous monitoring.

Maximus is engaging with affected clients and individuals to inform them of the breach and provide assistance. This includes free credit monitoring and identity protection services for those impacted.

Conclusion

The recent surge in MOVEit attack victims compromised by the Cl0p ransomware group represents a considerable threat in today's ever-changing cybersecurity landscape. Affecting a diverse array of organizations across various sectors, the breaches highlight the increasing danger associated with software supply chain attacks that can be exceedingly difficult to mitigate.

To enhance security against potential supply chain attacks, businesses should rigorously assess vendors by checking their past breaches and inquiring about their security practices. It is imperative that organizations know how much of their data they are sharing with vendors, how long vendors retain that data, and where it is stored. Sharing the least amount of data necessary with vendors will help to minimize risk. Emphasizing a zero-trust model can further fortify the network by not trusting any user or application by default. Security tools like firewalls and antivirus products may not completely block an attack, but they can provide critical alerts during a breach. Having a well-defined incident response plan, including clearly delineated roles and a communication strategy, prepares businesses for immediate action following a compromise. Collaborative preparation with the IT team, whether in-house or a managed service provider (MSP), including regular practice of the incident response plan and adherence to guidelines from institutions like the National Institute of Standards and Technology, is crucial for defending against such attacks.
