Data stolen in MOVEit breach leaked by notorious ransomware gang

The notorious ransomware gang that exploited a zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) product from Progress Software to break into government agencies, universities and corporations is now listing new victims on its data leak site. The gang, known as Clop, began naming the companies and organizations it is extorting on June 14, after threatening to publish the stolen data unless victims contacted it to negotiate. The initial list included the energy giant Shell, the financial institutions 1st Source and First National Bankers Bank, U.S. financial services company TD Ameritrade, German printing firm Heidelberger Druck, GreenShield Canada and others.

The same attackers also claimed Ernst & Young and PwC as victims, along with a number of U.S. banks and universities, including the University System of Georgia, the University of Minnesota and Ohio State University. The list grew this week when Johns Hopkins University confirmed it had been hit through MOVEit, as did the airlines British Airways and Aer Lingus, whose employee data was exposed through the payroll provider Zellis rather than through systems they run themselves.

While the full extent of the attack is still unknown, experts estimate that Clop has compromised the personal information of more than 15 million individuals so far. Threat intelligence provider Censys analyzed roughly 1,400 MOVEit servers reachable from the public Internet and found that 31% belonged to financial services organizations, 16% to healthcare and 9% to information technology, with 69% of the exposed servers located in the United States.

The MOVEit attack is the latest in a string of breaches involving zero-day vulnerabilities, with dozens of companies and government agencies hacked this year alone. Progress Software, which owns MOVEit and is working with the FBI to identify the attackers, has released patches for the vulnerability, an SQL injection flaw tracked as CVE-2023-34362. Patching closes the hole but does not evict an attacker who already used it, so organizations that ran an exposed server before patching also need to hunt for signs of compromise.

The exploitation of MOVEit and other zero-day vulnerabilities is a reminder of how important it is for organizations to take proactive steps against such attacks: keep an inventory of every device on the network, restrict access by role and grant administrative privileges only to those who need them, maintain a software allow list that limits which applications can run, enable the security features on network infrastructure such as firewalls and routers, and conduct regular vulnerability assessments. It is also worth noting that many of the most serious cyber attacks on businesses have involved vulnerabilities in third-party software, so the inventory has to cover vendor products such as file-transfer servers, not just in-house systems. The biblical adage that "there is nothing new under the sun" has rarely been truer than in cybersecurity. The gang behind the MOVEit zero-day may be lying low for now, but as the history of similar gangs shows, once one campaign runs its course they return with different tactics in search of a fresh harvest. And there is always more data to steal.
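The inventory and vulnerability-assessment steps above are where a MOVEit-style zero-day is caught early or missed entirely. The following script is an added example, not code from the article, from Progress Software or from Censys: it walks a constructed asset inventory, picks out the MOVEit Transfer hosts, compares each reported version against the first fixed build for its branch and orders the results so that Internet-exposed, unpatched servers come first. The fixed-version table is an assumption transcribed from Progress's May 2023 advisory for CVE-2023-34362 and should be checked against the vendor's current advisory before use; the host names and versions are made up.

```python
"""Triage an asset inventory for unpatched, exposed MOVEit Transfer hosts.

Added example (not the article's or the vendor's code). The inventory
records below are constructed; the fixed-version table is an assumption
taken from the vendor's May 2023 advisory for CVE-2023-34362 and must be
verified against the current advisory before relying on it.
"""
from dataclasses import dataclass

# First fixed build per supported branch, keyed by (major, minor).
# ASSUMPTION: verify against the vendor's current advisory.
FIXED_VERSIONS = {
    (13, 0): (13, 0, 6),   # MOVEit Transfer 2021.0.6
    (13, 1): (13, 1, 4),   # MOVEit Transfer 2021.1.4
    (14, 0): (14, 0, 4),   # MOVEit Transfer 2022.0.4
    (14, 1): (14, 1, 5),   # MOVEit Transfer 2022.1.5
    (15, 0): (15, 0, 1),   # MOVEit Transfer 2023.0.1
}

# Lower number = handle first.
PRIORITY = {"vulnerable": 0, "unsupported-branch": 1, "unknown-version": 2, "patched": 3}


@dataclass
class Host:
    name: str
    product: str
    version: str
    internet_exposed: bool
    owner: str


def parse_version(text):
    """'15.0.0.39' -> (15, 0, 0, 39); None if the string is not a dotted number."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def assess(host):
    """Classify one host; returns None if it is not a MOVEit Transfer instance."""
    if host.product.strip().lower() != "moveit transfer":
        return None
    version = parse_version(host.version)
    if version is None or len(version) < 2:
        return "unknown-version"          # inventory record needs fixing by hand
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "unsupported-branch"        # no fixed build exists: upgrade the branch
    # Tuple comparison handles 4-part build numbers: (14,1,5,97) >= (14,1,5).
    return "vulnerable" if version < fixed else "patched"


def triage(inventory):
    """Return (name, status, internet_exposed, owner) rows, worst first.

    Within the same status, Internet-exposed hosts sort ahead of internal
    ones, which is the order a responder should work through them.
    """
    rows = []
    for host in inventory:
        status = assess(host)
        if status is not None:
            rows.append((host.name, status, host.internet_exposed, host.owner))
    rows.sort(key=lambda r: (PRIORITY[r[1]], not r[2], r[0]))
    return rows


# Constructed sample inventory: none of these are real hosts.
INVENTORY = [
    Host("mft-dmz-01", "MOVEit Transfer", "15.0.0.39", True, "finance"),
    Host("mft-dmz-02", "MOVEit Transfer", "14.1.5.97", True, "hr"),
    Host("mft-int-01", "MOVEit Transfer", "14.0.3.25", False, "legal"),
    Host("mft-old-01", "MOVEit Transfer", "12.1.0.77", True, "legacy"),
    Host("mft-lab-01", "MOVEit Transfer", "n/a", False, "it"),
    Host("web-01", "nginx", "1.24.0", True, "marketing"),
]

if __name__ == "__main__":
    for name, status, exposed, owner in triage(INVENTORY):
        print(f"{name:12} {status:18} exposed={exposed!s:5} owner={owner}")
```

The point of the ordering is that "patched" is not the only safe answer and "vulnerable" is not the only dangerous one: a branch with no fixed build at all, or a record whose version field is garbage, is a gap in the inventory that the vendor's patch cannot close, and it sits ahead of the patched hosts in the queue for that reason. Hosts that were exposed before the patch landed still need a compromise assessment; this triage only tells you where to start.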