Discover how the Clop ransomware group targeted U.S. banks & universities by exploiting critical vulnerability in MOVEit, a file transfer tool

Continue reading
In recent news, the notorious ransomware group known as Clop targeted a critical vulnerability in a widely used corporate file transfer tool MOVEit Transfer, leading to a series of mass-hacks affecting numerous organizations, including prominent U.S. banks and universities. This Threatfeed delves into the details of the attacks, the impacted victims, and the ongoing repercussions.
Clop, a ransomware group believed to have links to Russia, has taken advantage of a security flaw in MOVEit Transfer, a tool utilized by corporations and enterprises for exchanging large files over the internet. The group has been exploiting this vulnerability since late May, and although the software's developer, Progress Software, patched the flaw, several customers had already fallen victim to the hackers.
While the precise number of affected entities remains uncertain, Clop recently released a list of the initial batch of organizations that fell prey to the MOVEit flaw. The group published this list on its dark web leak site, disclosing a range of U.S.-based financial services organizations, such as 1st Source and First National Bankers Bank, as well as notable institutions like Putnam Investments, Landal Greenparks based in the Netherlands, and the U.K.-based energy giant Shell.
Significantly, the leak site initially listed GreenShield Canada, a non-profit benefits carrier specializing in health and dental benefits, but subsequently removed it. Other victims listed include financial software provider Datasite, educational non-profit National Student Clearinghouse, student health insurance provider United Healthcare Student Resources, American manufacturer Leggett & Platt, Swiss insurance company ÖKK, and the University System of Georgia (USG).
In response to the attack, a USG spokesperson stated that the university is currently assessing the scope and severity of the potential data exposure. If necessary, they assured that they would issue notifications to affected individuals in compliance with federal and state law. Florian Pitzinger, a spokesperson for German mechanical engineering company Heidelberg, one of the victims listed by Clop, acknowledged the incident but emphasized that the incident occurred a few weeks ago, their team promptly addressed it, and based on their analysis, no data breach occurred. However, other listed victims have yet to respond to inquiries, leaving the full impact uncertain.
Unlike typical ransomware groups, Clop did not directly contact the hacked organizations to demand a ransom for decrypting or deleting stolen files. Instead, they resorted to a blackmail message on their dark web leak site, instructing victims to contact the group before the June 14 deadline. At the time of writing, Clop had not published any stolen data, but they warned victims that they had obtained a significant amount of their data.
Prior to this series of attacks, several organizations had already reported compromises resulting from similar tactics. The BBC, Aer Lingus, and British Airways, all of which relied on Zellis, an HR and payroll software supplier, confirmed that their MOVEit system had been compromised. Additionally, the Government of Nova Scotia, which employs MOVEit for interdepartmental file sharing, acknowledged the impact of the attacks and expressed concern about potential compromises of citizens' personal information. However, Clop assured on their leak site that they had erased all data belonging to government, city, or police services.
As investigations progress, additional victims are steadily coming forward. Johns Hopkins University recently confirmed a cybersecurity incident related to the MOVEit mass-hack. The university stated that the security breach may have compromised sensitive personal and financial information, including names, contact details, and health billing records. Ofcom, the U.K.'s communications regulator, also acknowledged the compromise of confidential information during the MOVEit mass-hack. According to their statement, the hackers accessed data related to the companies they oversee, as well as personal information belonging to 412 Ofcom employees. Transport for London (TfL), the governmental body responsible for operating London's transport services, and Ernst and Young, a global consultancy firm, are also affected. However, they have not yet provided official statements.
Researchers believe that Clop may have exploited the MOVEit vulnerability as early as 2021, but they have not determined the full extent of the attacks and the number of victims yet. Risk consulting firm Kroll released a report indicating that although the vulnerability only came to light in late May, they had identified signs of Clop's experimentation with exploiting this particular flaw for almost two years. The report emphasizes the meticulous planning and sophisticated knowledge involved in orchestrating large-scale cyberattacks like the MOVEit Transfer incident. It is worth noting that Clop has previously conducted mass-attacks by exploiting vulnerabilities in other file transfer tools, namely Fortra's GoAnywhere and Accellion's file transfer application.
Clop ransomware group's exploitation of a critical security vulnerability in the widely used MOVEit Transfer tool has led to a series of mass-hacks affecting various organizations, including prominent U.S. banks and universities. As the list of victims continues to grow, affected entities must assess the impact, secure their systems, and notify individuals if necessary. The ongoing investigations and responses from cybersecurity firms and law enforcement agencies will shed more light on the full extent of the attacks and help mitigate future risks associated with similar vulnerabilities.
Disclaimer: This Threatfeed is for informational purposes only. The information provided is based on the available sources up to the publication date and may be subject to change as new details emerge. Readers are advised to follow official statements and guidance from relevant organizations and experts in the field.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation