The Cl0p ransomware group has listed more victims on its leak site, adding to a growing list of victim organizations in the MOVEit hack campaign.
On June 14, 2023, the Cl0p group revealed the first batch of 12 victims, followed by more victims. The Cyber Express recently reported on the geographical location of these victims: the majority of the named victims are from the United States, while others hail from Switzerland, Canada, Belgium, and Germany.
List of MOVEit hack victims, more to be expected
- US Department of Energy
- Minnesota Department of Education
- UK’s telco regulator Ofcom
- Canadian province Nova Scotia’s health authority
- British Airways
- Boots pharmacy chain
- Johns Hopkins University
- Johns Hopkins Health System
- Tesco Bank
- Delaware Life Insurance
- Aer Lingus
- 1st Source
- First National Bankers Bank
- Putnam Investments
- Landal GreenParks
- U.K.-based energy giant Shell
- National Student Clearinghouse
- United Healthcare Student Resources
- Leggett & Platt
- University System of Georgia (USG)
- The Government of Nova Scotia
- Ernst and Young
- Illinois state government
- Minnesota state government
- Missouri state government
- Hennepin Technical College
- Perham School District
- The Illinois Department of Innovation and Technology (DoIT)
The group first issued a warning on June 6, 2023, informing the victims that they had one week to initiate negotiations or face the consequences of public exposure and data leakage on Cl0p’s data-leak site, known as CL0P LEAKS.
MOVEit hack encompasses several sectors and nations
The targeted sectors in the MOVEit hack vary, with manufacturing being the most prominent industry among the victims, followed by technology and healthcare providers. However, as the situation unfolds and more victims are named, the list of target sectors is expected to evolve.
Since the initial announcement, the Cl0p ransomware group has expanded its list of victims. At the time of writing, roughly 30 organizations have been named, with 14 new additions.
Among the newly listed victims are notable entities such as the US Department of Energy, Minnesota Department of Education, and more.
These organizations span various industries, with a predominant presence in financial services, followed by healthcare, pharmaceuticals, and technology. The list of victim organizations has been published on Cl0p’s dark-web data-leak site, >CLOP^-LEAKS.
The MOVEit Transfer hack victims now face the daunting task of recovering from this cyber attack, which can have severe consequences, including financial losses, reputational damage, and potential legal implications.
Meanwhile, patching in progress
Progress Software, the maker of file-sharing software MOVEit Transfer, has issued a third warning about vulnerabilities in its product.
Following the initial patch, the company discovered similar programming flaws and issued a second patch. This was done proactively to prevent potential exploitation by the hackers. The software’s code was thoroughly examined, and additional bugs were fixed to enhance security.
Despite these efforts, a third party recently publicly disclosed a new SQL injection vulnerability, leading Progress Software to temporarily disable HTTP and HTTPS traffic for MOVEit Cloud. Customers are advised to immediately disable HTTP and HTTPS traffic to safeguard their environments until the patch is finalized.
To address the situation, Progress Software has provided instructions to customers. They recommend modifying firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. This step is crucial for preventing further exploitation of the vulnerabilities.
During this period, certain functionalities will be affected, such as the inability to log into the MOVEit Transfer web UI, non-functioning MOVEit Automation tasks, and disabled REST, Java, and .NET APIs. However, SFTP and FTP/s protocols will continue to work as usual.
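The firewall change described above, sketched as an added example (not Progress Software's own instructions or code). It assumes the MOVEit Transfer host uses the built-in Windows Defender Firewall and that SFTP listens on port 22; the hostname and rule-group name are placeholders.

```powershell
# Added example: temporary HTTP/HTTPS block for a MOVEit Transfer host.
# Apply and Rollback need an elevated session on the host itself.
# Verify must run from a DIFFERENT machine, because loopback traffic
# is not filtered by the host firewall.
param(
    [ValidateSet('Apply', 'Verify', 'Rollback')]
    [string]$Mode = 'Apply',
    [string]$Target = 'moveit.example.internal'   # placeholder hostname
)

$group        = 'MOVEit-Temp-Mitigation'  # hypothetical rule-group name
$blocked      = 80, 443                   # ports named in the advisory
$mustStayOpen = 22                        # assumed SFTP port (adjust to your install)

switch ($Mode) {
    'Apply' {
        # Idempotent: create the rule only if the group does not exist yet.
        # In Windows Defender Firewall an explicit Block rule overrides
        # existing Allow rules for the same traffic.
        if (-not (Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName 'TEMP block HTTP/HTTPS to MOVEit Transfer' `
                -Group $group -Direction Inbound -Protocol TCP `
                -LocalPort $blocked -Action Block -Profile Any | Out-Null
        }
        Get-NetFirewallRule -Group $group |
            Select-Object DisplayName, Enabled, Direction, Action
    }
    'Verify' {
        # Expect 80/443 closed and SFTP still reachable.
        $ports = $blocked + $mustStayOpen
        $results = foreach ($p in $ports) {
            $open = (Test-NetConnection -ComputerName $Target -Port $p `
                        -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ Port = $p; Open = $open; Expected = ($p -notin $blocked) }
        }
        $results | Format-Table -AutoSize
        if ($results | Where-Object { $_.Open -ne $_.Expected }) {
            Write-Error 'Port state does not match the intended mitigation.'
            exit 1
        }
    }
    'Rollback' {
        # Remove the temporary rule once the vendor patch has been applied.
        Remove-NetFirewallRule -Group $group
    }
}
```

If a perimeter firewall or load balancer sits in front of the server, the same deny rule belongs there as well, since a host rule alone does not cover traffic terminated upstream.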