Cl0p Lists More MOVEit Hack Victims, Includes US, UK Govt.


The Cl0p ransomware group has listed more victims on its leak site, extending the roster of organizations compromised in the MOVEit Transfer hack campaign.

On June 14, 2023, the Cl0p group revealed a first batch of 12 victims, and has added more since. The Cyber Express recently reported on the geographical distribution of these victims: most of the named organizations are in the United States, with others in Switzerland, Canada, Belgium, and Germany.

List of MOVEit hack victims, with more expected

  1. US Department of Energy 
  2. Minnesota Department of Education
  3. UK’s telco regulator Ofcom
  4. Canadian province Nova Scotia’s health authority
  5. British Airways
  6. BBC
  7. Boots pharmacy chain 
  8. Johns Hopkins University
  9. Johns Hopkins Health System
  10. Tesco Bank
  11. Delaware Life Insurance
  12. Aer Lingus
  13. 1st Source
  14. First National Bankers Bank
  15. Putnam Investments
  16. Landal GreenParks
  17. U.K.-based energy giant Shell
  18. Datasite
  19. National Student Clearinghouse
  20. United Healthcare Student Resources
  21. Leggett & Platt
  22. ÖKK
  23. University System of Georgia (USG)
  24. Heidelberg
  25. The Government of Nova Scotia
  26. Ernst and Young
  27. Illinois state government 
  28. Minnesota state government 
  29. Missouri state government
  30. Zellis
  31. Hennepin Technical College
  32. Perham School District 
  33. The Illinois Department of Innovation and Technology (DoIT)

The group first issued a warning on June 6, 2023, giving victims one week to open negotiations or face public exposure and publication of their stolen data on Cl0p’s data-leak site, known as CL0P LEAKS.

MOVEit hack encompasses several sectors and nations 

The sectors hit by the MOVEit hack vary. Among the victims named first, manufacturing was the most prominent industry, followed by technology and healthcare providers. As more victims are named, the mix of targeted sectors is expected to shift.

Since the initial announcement, the Cl0p ransomware group has expanded its list of victims. At the time of writing, roughly 30 organizations have been named, 14 of them added since the first batch.

Among the newly listed victims are notable entities such as the US Department of Energy, Minnesota Department of Education, and more. 

The newly added organizations span several industries, with financial services predominant, followed by healthcare, pharmaceuticals, and technology. The full list of victim organizations is published on the CL0P LEAKS site on the dark web.

The MOVEit Transfer hack victims now face recovery from the attack, which can bring financial losses, reputational damage, and potential legal consequences, including regulatory action where personal data was exposed.

Meanwhile, patching in progress

Progress Software, the maker of file-sharing software MOVEit Transfer, has issued a third warning about vulnerabilities in its product.

Following the initial patch, the company discovered similar flaws in the product and issued a second patch. This was done proactively, before any exploitation of the newer flaws was observed. The code was reviewed further and additional bugs were fixed.

Despite these efforts, a third party recently disclosed a new SQL injection vulnerability publicly, leading Progress Software to temporarily disable HTTP and HTTPS traffic for MOVEit Cloud. On-premises customers are advised to immediately disable HTTP and HTTPS traffic to their MOVEit Transfer servers until the patch is finalized.

To that end, Progress Software has provided instructions to customers: modify firewall rules to deny inbound HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 (and on any non-default ports the web UI has been bound to). Because the flaw is reached through the web interface, cutting off web access blocks the exploitation path while the fix is completed.

During this period, certain functionality is affected: users cannot log into the MOVEit Transfer web UI, MOVEit Automation tasks that depend on the web interface fail, and the REST, Java, and .NET APIs are unavailable. The SFTP and FTP/S protocols continue to work as usual, so file transfers over those channels are not interrupted.
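The mitigation above, expressed as a Windows Defender Firewall change. This is an added example written for this page; it is not a script from Progress Software. It assumes MOVEit Transfer runs on a Windows Server host, that the web interface listens on the default ports 80 and 443, and that SFTP (22) and FTPS (990) must stay reachable. The rule name is illustrative. Run it in an elevated PowerShell session on the MOVEit Transfer host.

```powershell
# Added example (not Progress Software's code): block inbound HTTP/HTTPS to a
# MOVEit Transfer server with Windows Defender Firewall, then verify the rule.
# Assumptions: Windows Server host, MOVEit Transfer bound to the default web
# ports 80/443, SFTP (22) and FTPS (990) must remain open. Rule name is illustrative.

$RuleName = 'MOVEit Transfer - Block inbound HTTP/HTTPS (temporary mitigation)'
$WebPorts = 80, 443   # add any non-default ports the MOVEit web UI is bound to

# 1. Create the block rule once (idempotent: skip if it already exists).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Block -Enabled True -Profile Any `
        -Protocol TCP -LocalPort $WebPorts `
        -Description 'Deny web access to MOVEit Transfer until vendor patch is applied' |
        Out-Null
}

# 2. Confirm the rule is present, enabled, and bound to the intended ports.
$rule       = Get-NetFirewallRule -DisplayName $RuleName
$portFilter = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    Rule    = $rule.DisplayName
    Enabled = $rule.Enabled
    Action  = $rule.Action
    Ports   = ($portFilter.LocalPort -join ',')
} | Format-List

# 3. Make sure no other active inbound block rule also catches SFTP or FTPS.
#    (Port ranges such as '1-1024' are not expanded here; review any hits by hand.)
$transferPorts = '22', '990'
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object {
        $_.Protocol -eq 'TCP' -and
        ($_.LocalPort | Where-Object { $transferPorts -contains $_ })
    } |
    Select-Object InstanceID, Protocol, LocalPort

# 4. Verify from ANOTHER host on the network, so the check exercises the same
#    path clients use:
#    Test-NetConnection -ComputerName moveit.example.internal -Port 443   # expect TcpTestSucceeded : False
#    Test-NetConnection -ComputerName moveit.example.internal -Port 22    # expect TcpTestSucceeded : True

# 5. Roll back only after the vendor patch is applied and the host has been
#    checked for signs of prior compromise:
#    Remove-NetFirewallRule -DisplayName $RuleName
```

The block rule is scoped to inbound TCP so that outbound connections and the SFTP/FTPS listeners are untouched. Step 3 matters because a pre-existing broad block rule could silently take down file transfer as well. Keep the rule in place until the patch is installed; removing it before then reopens the web interface that the mitigation exists to protect.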

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
