The Cl0p ransomware group has continued to target victims in its MOVEit hack campaign and has recently listed more organizations on its leak site. The group initially revealed a batch of 12 victims on June 14, 2023, and has since added more victims to the list. The majority of the named victims are from the United States, with others from Switzerland, Canada, Belgium, and Germany.
The list of MOVEit hack victims includes various organizations from different sectors and countries. Among the victims are the US Department of Energy, Minnesota Department of Education, UK’s telco regulator Ofcom, Canadian province Nova Scotia’s health authority, British Airways, BBC, Boots pharmacy chain, Johns Hopkins University, Johns Hopkins Health System, Tesco Bank, Delaware Life Insurance, Aer Lingus, 1st Source, First National Bankers Bank, Putnam Investments, Landal GreenParks, U.K.-based energy giant Shell, Datasite, National Student Clearinghouse, United Healthcare Student Resources, Leggett & Platt, ÖKK, University System of Georgia (USG), Heidelberg, The Government of Nova Scotia, Ernst and Young, Illinois state government, Minnesota state government, Missouri state government, Zellis, Hennepin Technical College, and Perham School District, among others.
The Cl0p ransomware group first issued a warning on June 6, 2023, giving the victims one week to initiate negotiations or face public exposure and data leakage on Cl0p’s data-leak site, known as CL0P LEAKS.
The targeted sectors in the MOVEit hack vary, with manufacturing being the most prominent industry among the victims, followed by technology and healthcare providers. However, as more victims are named, the list of target sectors is expected to evolve. The Cl0p ransomware group has been continuously expanding its list of victims, with 14 new additions at the time of writing. These victims come from various industries, with a predominant presence in financial services, healthcare, pharmaceuticals, and technology.
The list of victim organizations has been published on Cl0p’s dark-web data-leak site, called CLOP^-LEAKS. The organizations affected by the MOVEit Transfer hack now face the challenge of recovering from the cyber attack, which can have severe consequences, including financial losses, reputational damage, and potential legal implications.
Meanwhile, Progress Software, the maker of the file-sharing software MOVEit Transfer, has been working to address vulnerabilities in its product. The company issued a third warning about these vulnerabilities, following an initial patch and the discovery of similar programming flaws. Progress Software proactively released a second patch to prevent potential exploitation by the hackers. The software’s code underwent thorough examination, and additional bugs were fixed to enhance security.
However, the company recently received information about a new SQL injection vulnerability from a third party. As a precautionary measure, Progress Software temporarily disabled HTTP and HTTPS traffic for MOVEit Cloud. Customers have been advised to disable HTTP and HTTPS traffic to protect their environments until the patch is finalized. Progress Software has provided instructions to customers, recommending the modification of firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. This step is crucial in preventing further exploitation of the vulnerabilities.
During this period, certain functionalities of MOVEit Transfer will be affected, such as the inability to log into the web user interface, non-functioning MOVEit Automation tasks, and disabled REST, Java, and .NET APIs. However, SFTP and FTP/s protocols will continue to work as usual.
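One way to apply and check the temporary block on a MOVEit Transfer host is sketched below. This is an added example, not taken from Progress Software's instructions or from this article. It assumes the Windows Defender Firewall on the server is the enforcement point; the rule names and the `MOVEit-Temp-Mitigation` group label are made up for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (assumption: host-based Windows Defender Firewall is used).
# The group label and rule names are hypothetical; pick names that fit your change process.

$group    = 'MOVEit-Temp-Mitigation'   # one label for all temporary rules, used for rollback
$webPorts = 80, 443                    # the ports named in the vendor guidance

foreach ($port in $webPorts) {
    $name = "Block inbound TCP $port (MOVEit web)"
    # Idempotent: do not create a duplicate if the script is run twice.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        # Block rules take precedence over existing allow rules for the same port.
        New-NetFirewallRule -DisplayName $name -Group $group `
            -Direction Inbound -Protocol TCP -LocalPort $port `
            -Action Block -Profile Any | Out-Null
    }
}

# Confirm the rules exist, are enabled, and cover the intended ports.
Get-NetFirewallRule -Group $group | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Action  = $_.Action
        Port    = $filter.LocalPort
    }
} | Format-Table -AutoSize

# List what is still listening, so the SFTP and FTP/s listeners can be
# confirmed as untouched by the change.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort, OwningProcess

# From a separate client, verify the effect (replace the placeholder host name):
#   Test-NetConnection <moveit-host> -Port 443   # expect TcpTestSucceeded : False
# Rollback once the vendor patch has been applied:
#   Remove-NetFirewallRule -Group $group
```

If a perimeter firewall or load balancer sits in front of the server, the equivalent deny rule belongs there as well, since a host rule alone does not document the change for the network team.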
It is important to note that this report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for relying on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.