
Ransomware Group Starts Naming Victims of MOVEit Zero-Day Attacks

The Cl0p ransomware gang has listed more than two dozen victims of the MOVEit zero-day attack on its leak website.

The Cl0p ransomware group has made public the names of more than two dozen organizations that appear to have been targeted in a campaign leveraging a zero-day vulnerability in the MOVEit managed file transfer (MFT) software. 

The cybercrime gang exploited a MOVEit Transfer vulnerability tracked as CVE-2023-34362 to steal data from organizations that had been using the product. Some evidence suggests that the hackers have been testing the flaw since 2021, but mass exploitation seems to have started in late May 2023.

The attacks were quickly linked to the Cl0p group, which had previously exploited a zero-day in the GoAnywhere MFT product to steal data from many organizations. The cybercriminals have confirmed being behind the MOVEit zero-day campaign and they gave victims until June 14 to get in touch in order to prevent data stolen from their systems from getting leaked. They claim to have hit hundreds of entities. 

More than two dozen organizations have been named on the Cl0p leak website after the June 14 deadline, and they are presumably the MOVEit attack victims that decided not to contact the cybercriminals — the hackers do not clearly state that they are MOVEit victims.

The list includes energy giant Shell, as well as various organizations in the financial, healthcare, manufacturing, IT, pharmaceutical, and education sectors. A majority of the victims are banks and other financial institutions located in the United States, followed by healthcare organizations. When the breach came to light, the hackers said they would not target healthcare facilities for children. 

For the time being, the ransomware group does not appear to have leaked any data from these organizations. 

The first victims to come forward included UK-based payroll and HR company Zellis (its customers British Airways, Aer Lingus, the BBC, and Boots were also hit), the Canadian province of Nova Scotia, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

The list of organizations that have confirmed being hit continues to grow. Johns Hopkins University and Johns Hopkins Health System, UK media watchdog Ofcom, and a Missouri state agency have issued statements related to the incident in recent days. 

CNN reported on Thursday that several US federal government agencies were also hit, according to Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). The list includes the Department of Energy, which has taken steps to mitigate the impact of the hack.


The cybercriminals claim they are only trying to get a ransom from businesses and that all the government data they have obtained has been deleted. 

In the meantime, MOVEit developer Progress Software has informed customers about another new vulnerability, one that “could lead to escalated privileges and potential unauthorized access to the environment”. The vendor has released patches, but a CVE identifier has yet to be assigned. 

“We took HTTPS traffic down for MOVEit Cloud in light of the newly published vulnerability and asked all MOVEit Transfer customers to take down their HTTP and HTTPS traffic to safeguard their environments while a patch was created and tested,” Progress explained in an advisory.

This comes less than a week after Progress announced the release of patches for CVE-2023-35036, which covers new SQL injection vulnerabilities discovered by researchers while analyzing the zero-day flaw.

The newer vulnerabilities do not seem to have been exploited in the wild. 


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
