Known Victims Now Include New York City Schools, UCLA and Multiple PBI Customers
The tally of organizations affected by the Clop ransomware group’s supply chain attack against users of Progress Software’s popular MOVEit file transfer software continues to grow.
“As of today, 108 organizations including seven U.S. universities have been listed by Clop and/or disclosed being impacted by MOVEit,” Brett Callow, a threat analyst at Emsisoft, tweeted late Monday.
Clop’s campaign exploited a zero-day vulnerability in the MOVEit file transfer software to steal data. A majority of the attacks appear to have been launched on May 27 and May 28, apparently timed to coincide with the long Memorial Day holiday weekend in the United States.
Progress first released an alert and mitigation advice about the campaign on May 31, followed by a patch on June 2. As of June 15, Progress had patched two more zero-day vulnerabilities, although these don’t appear to have been exploited by criminals.
Prior to the initial zero-day vulnerability being patched, attackers stole data from victim organizations, comprising personal information for millions of individuals. Clop quickly claimed credit for the attacks. While the group has used crypto-locking malware against past targets, its MOVEit campaign only appears to involve data exfiltration. This also was the case with the group’s zero-day campaign earlier this year targeting users of the GoAnywhere file transfer software.
More Victims Come to Light
MOVEit counts thousands of users worldwide, and more victims may well still come to light. “We leak names slowly to give big companies time to contact us,” Clop says on its data leak site. Many ransomware groups list victims on these sites who haven’t paid a ransom, to try and pressure them into paying.
Clop on Monday listed UCLA as one of its MOVEit victims. What the ransomware group stole remains unclear.
On Saturday, New York City reported that cybercriminals had stolen personal information pertaining to approximately 45,000 students, as well as staff members and service providers.
While the city’s probe is ongoing, its Department of Education said in a data breach notification that “roughly 19,000 documents were accessed without authorization,” which exposed 9,000 Social Security numbers and an unspecified number of employee ID numbers.
“Individuals will be offered access to an identity monitoring service,” the city said. Both the FBI and New York Police Department are investigating the attack.
Other known victims of Clop include oil and gas giant Shell, the government of Canadian province Nova Scotia, British payroll provider Zelle – and by extension eight of its customers, including the BBC, the Boots pharmacy chain and British Airways – and the U.S. Department of Energy, among many others.
A group of Louisiana residents whose personal details were exposed when the state’s Office of Motor Vehicles fell victim have filed a lawsuit against Progress Software in federal court, seeking class action status.
Service Provider Customers Affected
PBI Research Services, which helps financial services firms identify policyholders who have died and locate beneficiaries, also fell victim. Attackers stole data stored on behalf of its customers.
The data theft has led to multiple breach notifications from PBI customers, including Genworth Financial, which reported that attackers had stolen from PBI personal information for up to 2.7 million of its customers and agents. PBI uses the California Public Employees’ Retirement System, which manages the largest public pension fund in the U.S. It said nearly 770,000 members’ personal information had been stolen from PBI. Wilton Reassurance Co. reported that personal information for 1.5 million customers, including their Social Security numbers, had been stolen.
Some of the organizations that have reported falling victim to the MOVEit attacks may never see their stolen data listed by Clop. The group has been bending over backward to claim that any government data it steals is quickly deleted, and on its data leak site it claims that it has a purely financial – not political – agenda.
Clop claims that as part of the MOVEit campaign, it has deleted government data it stole from 30 organizations, including government agencies. The Russian-speaking ransomware group could of course have already sold anything of interest to foreign intelligence services.