BORN Ontario Child Registry Healthcare Data Breach Affects 3.4 Million People
BORN Ontario, the provincial perinatal, newborn, and child registry, recently fell victim to a massive healthcare data breach. The cybersecurity community has attributed the breach to a widely exploited vulnerability in the MOVEit data transfer software made by Progress Software. In this [Threatfeed](https://www.secureblink.com/cyber-security-news), we delve into the technical details of the incident and its implications for the affected parties.
## MOVEit Vulnerability
Late in the evening of May 31, 2023, BORN Ontario [learned](https://www.bornincident.ca/) of a critical vulnerability in the [MOVEit](https://www.secureblink.com/cyber-security-news/clop-ransomware-exploits-mov-eit-targeting-u-s-banks-and-universities) data transfer software, a widely used tool for secure file transfers. The software is used not only by BORN but also by governments, private sector organizations, and multinationals globally. The vulnerability, tracked as [CVE-2023-34362](https://nvd.nist.gov/vuln/detail/CVE-2023-34362), enabled unauthorized malicious actors to access and copy files containing personal health information.
### Exploitation
The attackers, exploiting this zero-day vulnerability, accessed the MOVEit FTP Server. The affected server was subsequently decommissioned, and file transfer operations ceased until the system's safety could be ensured. It is crucial to highlight that the BORN Information System (BIS) was not compromised during this breach.
## Data Exposed
The breach impacted files being transferred through MOVEit, potentially compromising the personal health information of approximately 3.4 million individuals. These are primarily people who received prenatal or pregnancy care, and newborns, between January 2010 and May 2023. The exposed data includes:
- Full names
- Home addresses
- Postal codes
- Dates of birth
- Health card numbers
Depending on the type of care received, additional clinical information such as dates of service, lab test results, pregnancy risk factors, type of birth, procedures, and pregnancy and birth outcomes may have been exposed.
## Extent of Impact
To put the scale of this breach into perspective, it affected 1.4 million individuals seeking prenatal or pregnancy care and 1.9 million newborns and children. The impact is substantial, and it raises concerns regarding patient privacy and data security.
## Response and Mitigation
BORN Ontario took immediate action to mitigate the breach's impact and prevent further unauthorized access. Here are some of the critical steps taken:
### Isolation and Containment
The affected server was isolated and taken offline to prevent further exploitation.
### Investigation
Third-party cybersecurity experts were engaged to conduct a thorough investigation into the breach's scope and nature.
### Law Enforcement and Reporting
BORN Ontario reported the incident to law enforcement agencies and the Privacy Commissioner of Ontario, ensuring that relevant authorities were informed.
### Data Partners Collaboration
BORN Ontario collaborated with data partners to address the breach's consequences and identify the individuals affected.
## The MOVEit Zero-Day Vulnerability
The specific details of the zero-day vulnerability in MOVEit Transfer have not been disclosed publicly. However, cybersecurity firm Rapid7 suggests that it is a SQL injection vulnerability leading to remote code execution.
### Attack Vector
This vulnerability allowed attackers to execute arbitrary code remotely, potentially gaining control over the affected systems.
### Affected Systems
Rapid7's research indicates that approximately 2,500 MOVEit Transfer servers are exposed to the internet, primarily in the United States. All compromised systems examined were found to contain a webshell named 'human2.asp', located in the public HTML folder.
### Exploitation Details
When accessed with the correct password, this webshell allowed attackers to execute various commands, including:
- Retrieving lists of stored files, their uploaders, and file paths.
- Creating and deleting MOVEit Transfer users.
- Accessing information about the Azure Blob Storage account, potentially enabling data theft from the victim's Azure Blob Storage containers.
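As an added, defender-side example (not code from the article, BORN Ontario, Rapid7 or Progress Software), the following Python script flags unexpected .asp/.aspx files under a MOVEit Transfer web root and parses IIS W3C logs for requests to the webshell name reported above. The 'human2.aspx' spelling, the allowlist of shipped files and the sample log lines are constructed assumptions.

```python
# Webshell file name reported in the article; 'human2.aspx' is added as the
# ASP.NET spelling (assumption). The allowlist passed by the caller is a
# constructed sample, not MOVEit Transfer's real file inventory.
WEBSHELL_NAMES = {"human2.asp", "human2.aspx"}

def unexpected_scripts(relative_paths, allowlist):
    """Return .asp/.aspx paths (relative to the web root) that are either the
    reported webshell name or not on the allowlist of shipped script files."""
    findings = []
    for rel in relative_paths:
        rel_norm = rel.replace("\\", "/").lower()
        if not rel_norm.endswith((".asp", ".aspx")):
            continue
        base = rel_norm.rsplit("/", 1)[-1]
        if base in WEBSHELL_NAMES or rel_norm not in allowlist:
            findings.append(rel)
    return sorted(findings)

def parse_iis_w3c(lines):
    """Yield one dict per IIS W3C log record, using the #Fields: directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def webshell_requests(lines):
    """Return (timestamp, method, client ip, status) for requests to the webshell."""
    hits = []
    for rec in parse_iis_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            hits.append((rec["date"] + " " + rec["time"], rec["cs-method"],
                         rec["c-ip"], int(rec["sc-status"])))
    return hits

# Constructed sample IIS log in W3C format (not data from the incident).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 03:14:07 10.0.0.5 GET /login.aspx - 443 - 203.0.113.10 Mozilla/5.0+(X11) 200
2023-05-28 03:14:09 10.0.0.5 POST /human2.asp - 443 - 203.0.113.10 Mozilla/5.0+(X11) 200
2023-05-28 03:15:00 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.7 Mozilla/5.0+(X11) 200
""".splitlines()
```

In practice, feed `unexpected_scripts()` the relative paths collected with `os.walk()` over the IIS web root, and `webshell_requests()` the lines of the server's W3C log files; any hit is a trigger for the forensic analysis discussed below, not proof of compromise on its own.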
## Patching and Mitigation
Progress Software has released patches to address the zero-day vulnerability for various MOVEit Transfer versions. Organizations using this software should apply the relevant patch immediately. Until then, they should follow specific mitigation steps.
### Port Blocking
To prevent exploitation, administrators are advised to block external traffic to ports 80 and 443 on the MOVEit Transfer server. However, this may affect some functionalities, including web UI access.
### Forensic Analysis
Organizations that have been breached should conduct a thorough forensic examination to determine if data was stolen or systems compromised.
## Threat Landscape
The MOVEit zero-day vulnerability has resulted in mass exploitation and data theft. The attacks began on May 27, 2023, during the long US Memorial Day holiday when security monitoring was reduced. This attack is reminiscent of previous incidents involving managed file transfer (MFT) platforms.
### Potential Extortion
While extortion has not yet begun, organizations affected by this breach should prepare for the possibility of extortion and the publication of stolen data.
## Conclusion
The BORN Ontario data breach serves as a stark reminder of the ever-evolving threat landscape in the cybersecurity domain. A critical vulnerability in widely used software can have far-reaching consequences, affecting millions of individuals and organizations.
In response to this incident, swift action was taken to contain the threat, investigate the breach, and inform the relevant authorities. The release of patches and mitigation steps is a positive step towards preventing further exploitation of the MOVEit vulnerability.
As the investigation unfolds, the cybersecurity community closely monitors the situation for any signs of data misuse or extortion attempts. This incident underscores the need for constant vigilance and robust cybersecurity measures to protect sensitive data in an increasingly digital world.