3rd Party Risk Management , Fraud Management & Cybercrime , Governance & Risk Management

Extortion Group Clop's MOVEit Attacks Hit Over 130 Victims

Known Victims Now Include New York City Schools, UCLA and Multiple PBI Customers
Extortion Group Clop's MOVEit Attacks Hit Over 130 Victims
UCLA's Royce Quad (Photo: UCLA)

Editor's note (June 28, 2023 08:30 UTC): This story has been updated to add more victim and attack details.

See Also: The Cost of Underpreparedness to Your Business

The tally of organizations affected by the Clop ransomware group's supply chain attack against users of Progress Software's popular MOVEit file transfer software continues to grow.

"As of today, 108 organizations including seven U.S. universities have been listed by Clop and/or disclosed being impacted by MOVEit," Brett Callow, a threat analyst at Emsisoft, tweeted late Monday.

As of Wednesday morning, cybersecurity research firm KonBriefing reported that at least 131 organizations appear to have been affected.

Clop's campaign exploited a zero-day vulnerability in the MOVEit file transfer software to steal data. A majority of the attacks appear to have been launched on May 27 and May 28, apparently timed to coincide with the long Memorial Day holiday weekend in the United States.

Progress first released patches for supported versions of MOVEit on May 31 to fix the exploited flaw, designated CVE-2023-34362. As of June 15, Progress had patched two more zero-day vulnerabilities, although these don't appear to have been exploited by criminals.

Prior to the initial zero-day vulnerability being patched, attackers stole data from victim organizations, comprising personal information for millions of individuals. Clop quickly claimed credit for the attacks. While the group has used crypto-locking malware against past targets, its MOVEit campaign only appears to involve data exfiltration. This also was the case with the group's zero-day campaign earlier this year targeting users of the GoAnywhere file transfer software.

More Victims Come to Light

MOVEit counts thousands of users worldwide, and more victims may well still come to light. "We leak names slowly to give big companies time to contact us," Clop says on its data leak site. Many ransomware groups list victims on these sites who haven't paid a ransom, to try and pressure them into paying.

Clop on Monday listed UCLA as one of its MOVEit victims. "UCLA uses MOVEit Transfer to transfer files across the campus and to other entities," a university spokesperson told Information Security Media Group. UCLA discovered the attack on June 1, launched an investigation and has now notified all impacted individuals. It declined to specify what information was exposed or how many individuals have been affected.

On Saturday, New York City reported that cybercriminals had stolen personal information pertaining to approximately 45,000 students, as well as staff members and service providers.

While the city's probe is ongoing, its Department of Education said in a data breach notification that "roughly 19,000 documents were accessed without authorization," which exposed 9,000 Social Security numbers and an unspecified number of employee ID numbers.

"Individuals will be offered access to an identity monitoring service," the city said. Both the FBI and New York Police Department are investigating the attack.

On Friday, the Superannuation Arrangements of the University of London, known as SAUL, began informing at least some of its more than 68,000 members that their personal details had been exposed. More than 50 universities use SAUL.

On June 19, Software development giant Informatica reported that "some files uploaded to our technical support FTP server" between May 21 and June 1 had been obtained by attackers who exploited the MOVEit flaw.

Other known victims of Clop's campaign include oil and gas giant Shell, U.S. financial services firms 1st Source and First National Bankers Bank, The Boston Globe, the government of Canadian province Nova Scotia, U.K. media watchdog Ofcom, British payroll provider Zelle - and by extension eight of its customers, including the BBC, the Boots pharmacy chain and British Airways - and multiple U.S. government agencies, including the Department of Energy.

A group of Louisiana residents whose personal details were exposed when the state's Office of Motor Vehicles fell victim have filed a lawsuit against Progress Software in federal court, seeking class action status.

Service Provider Customers Affected

PBI Research Services, which helps financial services firms identify policyholders who have died and locate beneficiaries, also fell victim. Attackers stole data stored on behalf of its customers.

The data theft has led to multiple breach notifications from PBI customers, including Genworth Financial, which reported that attackers had stolen from PBI personal information for up to 2.7 million of its customers and agents. PBI uses the California Public Employees' Retirement System, which manages the largest public pension fund in the U.S. It said nearly 770,000 members' personal information had been stolen from PBI. Wilton Reassurance Co. reported that personal information for 1.5 million customers, including their Social Security numbers, had been stolen.

Some of the organizations that have reported as victims of the MOVEit attacks may never see their stolen data listed by Clop. The group has been bending over backward to claim that any government data it steals is quickly deleted, and on its data leak site it claims that it has a purely financial - not political - agenda.

Clop claims that as part of the MOVEit campaign, it has deleted government data it stole from 30 organizations, including government agencies. The Russian-speaking ransomware group could of course have already sold anything of interest to foreign intelligence services.

June 28, 2023 08:30 UTC: This story has been updated to clarify that Progress Software first released updated versions of MOVEit to patch CVE-2023-34362 on May 31, to add the latest count of known victims and to provide details pertaining to known victims.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.