Dive Brief:
- Clop named a dozen victim organizations on its data-leak website Wednesday after the deadline for those compromised by the MOVEit vulnerabilities to contact the prolific ransomware group expired, ReliaQuest analysis shows.
- Last week, Clop, taking credit for exploiting Progress Software's MOVEit file-transfer service, set a deadline for victims to contact the group and begin negotiations to pay a ransom. If an organization did not pay, Clop threatened to name, shame and leak the targeted organization's data on its leak site, according to the threat research team at ReliaQuest.
- Most of the named organizations are based in the U.S.; the others are in Switzerland, Canada, Belgium and Germany, ReliaQuest said. Thus far, Clop has not leaked any stolen data.
Dive Insight:
On its leak site, Clop bills itself as one of the top organizations offering after-the-fact penetration testing. Its compromise claims have put the security industry on notice as thousands of organizations may have been exposed to the MOVEit vulnerabilities.
"Clop held true to its word and started posting victim names on its dark web leak site on Wednesday," said Rick Holland, CISO, Office of the CISO at ReliaQuest, in emailed comments. And there's evidence the group has scaled its operations since the GoAnywhere exploit campaign earlier this year.
In the first week of the GoAnywhere campaign, Clop posted seven victim organizations, Holland said. "If history repeats itself, the group is just getting started. On a single day in March, it posted over 50 GoAnywhere victims. Time will tell if Clop continues to operate similarly, but I expect many more companies to be listed in the coming days and weeks."
Emsisoft Threat Analyst Brett Callow offered a similar sentiment: Clop has claimed that hundreds of organizations were impacted by MOVEit.
"If that’s correct, it’s not at all surprising they’re staggering things in order to avoid having more simultaneous negotiations than they can handle," Callow said.
Now, it's a bit of a waiting game to see what happens next. After the first batch of victims was posted, one organization was removed from the list and replaced by another, ReliaQuest said. It's unclear why, Holland said, but one possibility is that the removed organization began negotiations.
Progress disclosed the first MOVEit vulnerability, CVE-2023-34362, on May 31 and last week identified additional vulnerabilities, tracked under CVE-2023-35036.
With several vulnerabilities now publicly disclosed, ReliaQuest raised the possibility of similar supply-chain attacks from Clop in the next three to 12 months.
Before the first vulnerability was disclosed or patched, Censys found more than 3,000 MOVEit hosts exposed to the internet. And risk analysis firm Kroll has pushed the exploitation timeline of CVE-2023-34362 back nearly two years, citing evidence that Clop began experimenting with ways to exploit it as early as July 2021.
Traditionally, Clop has named past victims to its leak site from the manufacturing, technology and healthcare sectors, ReliaQuest said. Those potentially exposed to the MOVEit vulnerabilities closely align with those sectors.
Censys research found that, of the MOVEit hosts publicly exposed to the internet, 31% are in the financial sector, 16% in healthcare, 9% in IT, and 8% in government and military. Nearly three-quarters of the hosts are based in the U.S., Censys found.
MOVEit victims that have already come forward include the states of Illinois and Missouri, Minnesota’s Department of Education, the U.K.’s communications regulatory agency Ofcom and Extreme Networks.
Clop has many more "business opportunities," Holland said, so it will take time to work through the list. Holland also noted Clop's website was offline Wednesday night, but was back Thursday, "possibly due to the number of companies, researchers, and law enforcement agencies accessing it."