When the first rash of MOVEit cyber attacks made the news with the breach of Zellis in early June, there was strong suspicion that many more would be on the way. This seems to be coming to pass as ransomware gang Cl0p, responsible for the earlier attacks, has taken to its dark web site to threaten a laundry list of new victims.
The victims span private-sector companies and public bodies alike, everything from state and federal government agencies to oil giant Shell. Cl0p has indicated that this is only the first “batch” and that it has even more victims to menace in the coming weeks.
Cyber attacks have thus far not included ransomware
In action since at least 2019, when it branched off from the CryptoMix family, Cl0p has never been shy about deploying ransomware. It seems to be taking a new tack with this MOVEit exploitation campaign, however, sticking to quietly exfiltrating data and then extorting victims with threats of dumping it.
It is possible that the group made the choice to eschew ransomware in order to prolong the lifespan of the MOVEit vulnerabilities it discovered. Security researchers now think that the group may have hit upon the first of these as early as 2021, moving cautiously in its experiments with cyber attacks so as to not reveal the issues to anyone else. It seems to have saved up for a spree that unfolded across May of this year, with many of its victims hit before the vulnerability was discovered and disclosed to the public on May 31. Cl0p also did not contact victims individually as it hit them, choosing instead to address them all at once and in public via its dark web site.
There are about 2,500 systems that were potentially vulnerable to the MOVEit flaws, according to large-scale port scans, though it remains unclear how many were actually compromised and how many have gone unpatched. As the Zellis incident demonstrated, compromise of one of these companies could very well lead to the theft of personal information of numerous downstream clients.
Massive personal data loss in Louisiana, other government agencies hit by MOVEit cyber attacks
MOVEit is a uniquely valuable cyber attack target due to its widespread use in all sorts of large organizations. It’s also been on the market for over 20 years without major incidents and is used for secure encrypted file transfer. An SQL injection vulnerability after all this time is a surprising development.
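The class of bug named above is worth seeing in the smallest possible form. The following is an added, generic illustration written for this page; it is not MOVEit's code or schema, and the in-memory `files` table, the file names and the two lookup functions are constructed for the example. It shows why building a query by string concatenation is a defect even before anyone attacks it, and what the parameterized fix looks like.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a file-transfer service's metadata store
    # (assumption: not MOVEit's real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?, ?)",
        [("payroll-2023.csv", "hr"), ("O'Brien-review.pdf", "legal")],
    )
    conn.commit()
    return conn


def owner_unsafe(conn, name):
    # Defect: the untrusted name is pasted into the SQL text, so any quote
    # character in it changes the statement instead of being treated as data.
    sql = "SELECT owner FROM files WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def owner_safe(conn, name):
    # Hardened form: the driver binds the value separately from the SQL text,
    # so the name is always data, whatever characters it contains.
    row = conn.execute("SELECT owner FROM files WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def compare(name):
    # Run both lookups on a fresh database and report what each returned;
    # a malformed statement from the unsafe path surfaces as an error label.
    conn = make_db()
    try:
        unsafe = owner_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = "error: " + type(exc).__name__
    return unsafe, owner_safe(conn, name)


if __name__ == "__main__":
    for candidate in ("payroll-2023.csv", "O'Brien-review.pdf"):
        print(candidate, "->", compare(candidate))
```

A file name with an ordinary apostrophe is enough to make the concatenated query fail, which is the same property that lets crafted input rewrite it; the parameterized version returns the right owner in both cases. In a code review, any query assembled from request data with `+`, f-strings or `%` formatting is the pattern to flag.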
Many organizations are still assessing the damage from their cyber attacks and have not revealed details to the public as of yet, but there are already some very bad incidents. The worst that is known thus far is a breach of the Louisiana Office of Motor Vehicles, which appears to have leaked the entire contents of the state’s driver database. At least one university in Georgia was also hit, as well as several vendors that provide insurance and other services to college students. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also confirmed that several federal agencies were compromised, along with several banks and investment firms.