The biggest hack of 2023 is far from over. Months after MOVEit, a popular file-transfer software, suffered a series of high-profile cyberattacks, more victims are coming out about having their information compromised.
However, this might not be the full picture – it’s estimated that the coming months might reveal tens of millions more victims.
The MOVEit hack is more than just a cyberattack campaign. It is a series of related cyberattacks that still continue to claim more victims long after the vulnerability in the file-transfer software was reportedly patched.
Over 60 Million Victims and Counting
The hack took place in May after the “Clop” data extortion gang managed to carry out the mass exploitation of vulnerabilities in MOVEit systems.
Data belonging to a vast array of businesses and government organizations were compromised in the MOVEit hack. These included the likes of Shell, British Airways, and the United States Department of Energy.
On October 2, Progress Software released fixes for two more critical-rated vulnerabilities in the software.
According to the latest reports by security vendor Emsisoft, the number of known victim organizations has already crossed the 2,000 mark. As many as 62,054,613 individuals have been affected already, and many more are likely to follow.
Progress Software, the company behind MOVEit, patched the vulnerability exploited by the hackers near the end of May.
While the adoption of the patch finally brought the attacks to a halt, the “Clop” cybercriminal gang had already carried out a massive heist of sensitive information. The actual extent of the devastating campaign continues to come into view months after it occurred.
Ontario’s government birth registry, BORN Ontario, revealed last week that it was the victim of a MOVEit-related attack earlier this year. Hackers have reportedly stolen sensitive personal data from 3.4 million people, including 2 million babies, expectant parents, and people seeking fertility care. As stated by BORN Ontario, the compromised information spans over a decade, dating from January 2010 to May 2023.
“I don’t think we’re done hearing about this by any means. We’re going to keep seeing that rolling disclosure over probably the next few months.”
Emily Austin, a senior researcher and security research manager at Censys
She also added that the affected companies are carrying out investigations of their own and notifying affected customers.
A Software Supply Chain Security Crisis
As pointed out by Austin, two versions of the MOVEit service were vulnerable – MOVEit Cloud, the cloud service, and MOVEit Transfer, the local version of the software run by organizations on their premises.
The issue, however, is that not all the victim organizations were directly using MOVEit.
Rather, they had contracted a vendor or collaborated with a third party that uses the file transfer service, rendering their data vulnerable. Hackers stole whatever data they could access on compromised MOVEit systems, which in some cases included information from several organizations.
In 2020, Clop exploited flaws in Accellion networking equipment to launch a massive data extortion campaign.
MOVEit and similar centralized data repositories have turned into attractive targets for cybercrime groups like Clop. Earlier this year, the gang claimed to have breached more than 100 organizations by exploiting the GoAnywhere file transfer tool.
However, Clop claims to hold zero information on government, city, or police services. “We are only financially motivated,” the gang wrote in a post on its dark web leak site, adding that it would “do the polite thing” and delete all government-related data.