Dive Brief:
- Cybersecurity experts are on high alert as the deadline set by Clop, the prolific ransomware actor responsible for widespread exploitation of zero-day vulnerabilities in Progress Software’s MOVEit file-transfer service, expires Wednesday.
- Clop, which is responsible for two of three high-profile file transfer service supply chain attacks this year, claims it stole data from hundreds of organizations, including British Airways and the BBC, and set a deadline for victims to make contact.
- Multiple organizations have disclosed they were compromised as a result of the attacks, but threat analysts expect many additional victims to come forward. More than 3,000 MOVEit hosts were exposed to the internet before the first vulnerability was disclosed or patched, according to Censys.
Dive Insight:
Risk analysis firm Kroll pushes the timeline for the vulnerability back by years, asserting that Clop knew about, and was experimenting with ways to exploit, one of the MOVEit vulnerabilities as early as July 2021.
Clop also exploited the MOVEit vulnerability and stole data before Progress released a patch, effectively leaving every customer whose database was publicly exposed to the internet vulnerable and potentially compromised.
Among the organizations with MOVEit hosts publicly exposed to the internet, 31% are in the financial sector, 16% in healthcare, 9% in IT, and 8% in government and military, according to Censys research released Tuesday.
Nearly one-third of the companies Censys observed have more than 10,000 employees, and more than two-thirds of all MOVEit hosts are based in the U.S.
Some of the latest victims to come forward include the states of Illinois and Missouri, Minnesota’s Department of Education, the U.K.’s communications regulatory agency Ofcom and Extreme Networks.
Mandiant Consulting CTO Charles Carmakal cautioned that Clop will likely get more overwhelmed and erratic as its deadline approaches. The threat actor began initiating contact with some victim organizations on Friday, Carmakal said in a LinkedIn post.
“We haven’t observed any lateral movement on any of the MOVEit systems we’ve analyzed so far,” Carmakal said.
Progress estimates MOVEit Transfer and MOVEit Cloud accounted for less than 4% of its annual revenue, according to an 8-K filed with the SEC on May 30.
The vendor continues to encourage on-premises customers of MOVEit to apply the patches immediately.
The Cybersecurity and Infrastructure Security Agency, CrowdStrike, Mandiant, Microsoft, Huntress and Rapid7 are all assisting Progress with incident response and ongoing investigations.
“In an effort to increase the security of the MOVEit platform and its customers, we are partnering with third-party cybersecurity experts to conduct additional detailed code reviews,” Progress said in a Tuesday blog post.