The recent MOVEit data theft attacks have taken a concerning turn as the Clop ransomware gang has started a new extortion strategy against affected companies. They have begun listing the names of targeted companies on a data leak site, which is a common tactic used to pressure organizations into meeting their demands. 
The initial attack on May 27th exploited a zero-day vulnerability in the MOVEit Transfer platform, allowing the hackers to gain unauthorized access to the server and steal files from it. Now the stolen data is being used as leverage: the affected companies are being extorted under the threat of having their names disclosed publicly. This tactic aims to increase the chances of the ransomware gang's demands being met. 
MOVEit, developed by Ipswitch, Inc. (now part of Progress Software), is a managed file transfer software. It encrypts files and uses secure file transfer protocols for automated data transfers. With analytics and failover capabilities, MOVEit has been adopted by numerous organizations, including healthcare institutions like Rochester Hospital and Medibank. It is also widely used in financial services, high technology, and government IT departments. 
What is a zero-day vulnerability? 
A zero-day vulnerability is a flaw in software or hardware that has been discovered but for which no patch or fix is yet available. In other words, it is a newly discovered security weakness that has no known solution at the time of its discovery. 
 A zero-day attack consists of three main components: 
Vulnerability: A flaw in software or hardware that has been discovered by a hacker but is unknown to the developer.
Exploit: A tool or piece of malware created by the hacker to take advantage of the vulnerability and carry out the attack. 
Attack: The attack occurs when the hacker uses the exploit against the vulnerability, causing damage such as data theft or encryption. 
Clop listed thirteen companies on its data leak site 
The Clop threat actors recently listed thirteen companies on their data leak site, but it is unclear whether these are related to the MOVEit Transfer attacks or ransomware encryption attacks. One company, Greenfield CA, has been removed, possibly due to a mistake or ongoing negotiations.
Five of the listed companies, including Shell, UnitedHealthcare Student Resources, the University of Georgia, University System of Georgia, Heidelberger Druck, and Landal Greenparks, have confirmed varying degrees of impact from the MOVEit attacks. 
Additionally, several organizations have disclosed data breaches involving the MOVEit Transfer platform. These include Zellis (and, through Zellis, the BBC, Boots, Aer Lingus, and Ireland's HSE), the University of Rochester, the government of Nova Scotia, the US states of Missouri and Illinois, BORN Ontario, Ofcom, Extreme Networks, and the American Board of Internal Medicine. 
The situation underscores the importance of robust cybersecurity measures and the need for prompt action in addressing vulnerabilities. Organizations running the MOVEit Transfer platform should take immediate steps to mitigate the risk posed by the zero-day vulnerability. Affected companies should also engage cybersecurity professionals to assess the extent of the breach and implement measures to minimize further damage.