Clop ransomware crew sets June extortion deadline for MOVEit victims
Plus: The Feds weigh in with advice, details
Clop, the ransomware crew that has exploited the MOVEit vulnerability extensively to steal corporate data, has given victims a June 14 deadline to pay up or the purloined information will be leaked.
Organizations including British Airways, the BBC, and the Boots pharmacy chain in the UK have had their employees' records stolen by the Russian gang via the software flaw. It's feared thousands if not tens of thousands of workers have had their personal info swiped.
Crucially, to steal the data, Clop exploited a deployment of MOVEit used by payroll services provider Zellis; British Airways et al are customers of Zellis, so when Clop broke into the payroll company's IT systems, the miscreants were able to snatch valuable employee data belonging to a host of orgs. That makes this whole fiasco a significant supply-chain attack.
Meanwhile, Toronto's Michener Institute has said it was the target of a "cybersecurity incident." Infosec watcher Dominic Alvieri named the school as a Clop victim, and added that the extortionists have moved their payment deadline for victims from June 12 to the 14th.
Additionally, the Canadian province of Nova Scotia today said its health authority and IWK Health Centre was also hit via the MOVEit hole.
For Nova Scotia and all other public agencies in the grip of the extortion ring, Clop added a note: "If you are a government, city, or police service, do not worry, we erased all your data."
We take that to mean the crew has deleted its copies of that stolen data. Of course, it should go without saying: these are criminals, so taking them at their word isn't a good idea.
Developed by Progress Software, MOVEit is a suite of client apps and server-side software used in healthcare to finance, and is supposed to make it easy for colleagues to share documents and upload files. A critical vulnerability in a web-facing portion of the code came to light last Thursday; the flaw can be exploited to seize control of a MOVEit deployment, steal its data, and carry out other wrongdoing. All a thief has to do is be able to reach a MOVEit Transfer installation over the network or internet, and know how to abuse the security bug.
Almost immediately security researchers began warning that criminals had been mass exploiting MOVEit's SQL-injection vulnerability for at least a month to break into IT environments and exfiltrate documents. At the time, the bug didn't have a patch or a CVE.
Over the weekend, Microsoft blamed Clop for the extortion attempts, and the miscreants themselves confirmed to Reuters they were responsible for the security breaches: "It was our attack," and victims who refused to pay would be named on the gang's website. The group did not immediately respond to a request for more details.
- Deployed publicly accessible MOVEit Transfer? Oh no. Mass exploitation underway
- British Airways, Boots, BBC payroll data stolen in MOVEit supply-chain attack
- Identity thieves can hunt us for 'rest of our lives,' claims suit after university data leak
- Criminals spent 10 days in US dental insurer's systems extracting data of 9 million
Also today, the FBI and CISA released a joint advisory about Clop in response to the exploitation, providing indicators of compromise and mitigations that organizations can implement to limit any damage caused by intrusions.
"Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases," the Feds explained.
As of last week, Rapid7 said it had spotted about 2,500 instances of MOVEit Transfer exposed to the public internet, most of which belong to US customers.
Progress Software claimed its customer base spans "thousands of enterprises, including 1,700 software companies and 3.5 million developers." It did not respond to The Register's inquiries into how many customers are likely affected by the flaw, and how many have been compromised. ®