Cl0p Attacks: Ransomware Group Reveals Names of the MOVEit Zero-Day Attack Victims

The ransomware group utilized the MOVEit transfer vulnerability, CVE-2023-34362, to steal data from organizations.


The Cl0p ransomware group has revealed the names of more than two dozen organizations that were apparently attacked in its campaign exploiting a zero-day vulnerability in the MOVEit managed file transfer (MFT) software.

The ransomware group utilized the MOVEit transfer vulnerability, CVE-2023-34362, to steal data from firms that had been using the product. Despite some evidence indicating that the hackers tested the vulnerability as early as 2021, broad exploitation appears to have begun in late May 2023.

The attacks were quickly linked to the Cl0p group, which had earlier exploited a zero-day in the GoAnywhere MFT products to steal data from several firms. The MOVEit zero-day campaign's perpetrators have acknowledged their involvement, and they have given victims until June 14 to contact them in order to stop the release of data taken from their systems. They say they have struck hundreds of targets.

The victims of the attacks include energy giant Shell, as well as firms from the financial, healthcare, manufacturing, IT, pharmaceutical, and education sectors. A large number of the victims are US-based banks and other financial institutions, followed by healthcare organizations. The hackers declared they would not target pediatric healthcare facilities after the breach was discovered.

The first known victims of the attacks included UK-based payroll and HR company Zellis (and its clients British Airways, Aer Lingus, the BBC, and Boots), the Canadian province of Nova Scotia, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

Following the ransomware attacks, the group has not yet leaked any data stolen from these organizations.

The number of businesses that have reported being impacted keeps expanding. In recent days, statements about the incident have been released by Johns Hopkins University and Johns Hopkins Health System, UK media authority Ofcom, and a Missouri state agency.

Moreover, in a report published on Thursday, CNN noted that a number of US federal government organizations were also impacted by the attacks, according to Eric Goldstein, the executive director for CISA. These agencies include the Department of Energy, which is now working to control the impact of the attack.

However, the ransomware gang claims that its prime motive behind these attacks is to acquire ransoms from businesses and confirms that all the state-related data it may have acquired in the attacks has been deleted.
