The recent cyberattacks by the Clop ransomware gang on MOVEit Transfer customers have impacted over 2,095 organizations and more than 62 million individuals, according to security vendor Emsisoft. The attacks exploited a critical SQL injection flaw tracked as CVE-2023-34362, which Progress Software, the publisher of MOVEit Transfer, disclosed on May 31. Although a patch was released quickly, the attacks had already begun, and numerous organizations disclosed breaches in the following weeks.
Microsoft was the first to attribute the attacks to a threat actor it tracks as Lace Tempest, which it linked to the Clop ransomware gang. Clop has since been widely recognized as the main threat actor behind the campaign and has leaked data from a large number of alleged victims on its data leak site. The attacks were primarily data extortion: Clop stole data from vulnerable MOVEit instances and used it to extort payments from the victims.
The victims were diverse, ranging from private companies to U.S. government agencies. According to CISA Director Jen Easterly, the attacks appeared to be opportunistic, taking whatever information was stored on the file transfer application at the time of intrusion. The number of affected organizations has grown significantly since then: Brett Callow, a threat analyst at Emsisoft, initially tracked around 270 affected organizations in July, but recent data published on Emsisoft's blog puts the number above 2,000. It should be noted that the data comes from "state breach notifications, SEC filings, other public disclosures, as well as Cl0p's website," and is considered an estimate because those sources are not fully reliable.
The campaign has potentially compromised the personal data of over 62 million individuals. The organizations contributing most to this count, as reported by Emsisoft, include Maximus, a government services company (11 million); the Louisiana Office of Motor Vehicles (6 million); and Alogent, a payment processing company (4.5 million).
According to Callow, of the 2,095 known victim organizations, 1,690 were compromised through third parties rather than directly through their own MOVEit Transfer deployments. For instance, the Colorado Department of Health Care Policy and Financing disclosed that the private health information of millions of Colorado Medicaid beneficiaries was accessed when Clop breached a vulnerable MOVEit Transfer instance operated by IBM, a third-party contractor engaged by the department. Censys senior researcher Emily Austin pointed to this as the supply chain issue at the heart of the campaign, and she expects a long tail of breach disclosures as a result.
Austin explains that the campaign's impact is not linear, since a single MOVEit instance can hold data for many organizations. The recent breach of the National Student Clearinghouse illustrates this: data from nearly 900 colleges and universities was leaked through that one instance. Austin expects the fallout, including investigations and notifications to affected parties, to continue for months.
TechTarget Editorial has reached out to Progress Software for further comments on the matter.
Overall, the Clop ransomware gang's attacks on MOVEit Transfer customers have caused significant damage, affecting thousands of organizations and compromising the personal data of millions of individuals. The scale of the attacks underscores the importance of patching vulnerabilities promptly and of knowing which third parties hold an organization's sensitive data.
