HIPAA Clicks

A zero-day vulnerability in the MOVEit file transfer service (CVE-2023-34362) started to be exploited by a cyber threat actor at scale over the Memorial Day weekend. Progress Software issued an advisory about the vulnerability on May 31, 2023, and rapidly released patches to fix the flaw, but not in time to prevent mass exploitation of the vulnerability. Remote exploitation of the flaw allowed access to be gained to the MOVEit server database, providing access to customer data.

A few days later, several major companies confirmed they had been impacted by the attacks, including the airlines British Airways and Aer Lingus, the UK drugstore chain Boots, the University of Rochester in New York, and the Nova Scotia provincial government, which had all fallen victim and had data exfiltrated through their payroll and HR service provider, Zellis. Nova Scotia Health has confirmed that the personal information of up to 100,000 employees was stolen in the attack.

The Clop ransomware gang and associated FIN11 threat group were suspected of involvement in the mass exploitation of the vulnerabilities as they had previously targeted vulnerabilities in file transfer solutions, exploiting zero-day vulnerabilities in the Accellion FTA and Fortra’s GoAnywhere MFT. Microsoft, Mandiant, and others attributed the attacks to Clop/FIN11, with Microsoft attributing the attacks to a Clop affiliate it tracks as Lace Tempest, and Mandiant attributed the attacks to a newly created threat cluster it tracks as UNC4857, also linked to Clop/FIN11. Mandiant confirmed to The HIPAA Journal that it has seen evidence of data exfiltration at multiple companies and that targeted applications were infected with a webshell called LEMURLOOT. Shodan scans revealed more than 2,500 instances of MOVEit software are exposed to the Internet and Censys reported more than 3,000 hosts running the service, all of which were potentially vulnerable.

Clop Ransomware Group Claims Responsibility for the Attacks

Around a week after the news broke about the exploits, the Clop ransomware gang claimed responsibility for the attacks and confirmed that ransom demands had been issued along with threats to release the stolen data if the ransoms are not paid, giving breached firms until June 14 to pay up or face data exposure. While the Clop group uses ransomware, these attacks involved data theft and exploitation without encryption, as was the case with the attacks on the Accellion FTA and GoAnywhere MFT.

On June 7, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint security advisory and provided a list of recommended mitigations to reduce the impact of Clop exploits. A few days earlier, on June 2, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert, warning that the health and public health sector was potentially at risk from the vulnerability.

The number of victims has yet to be determined, and in contrast to the GoANywhere MFT attacks, the Clop group has not publicly stated how many attacks were conducted but did say it was in the hundreds. The scale of the attacks should start to become clearer from June 14 if Clop is true to its word and starts publishing stolen data, although it may take several weeks or months before the full extent of the exploitation of the vulnerability is known.

Clop May Have Known About Vulnerability for 2 Years

Cybersecurity firm GreyNoise reports that it traced scanning activity associated with the vulnerability to March 3, 2023, and security experts at Kroll said they found evidence to indicate Clop was testing ways to exploit the vulnerability and obtain data in April 2023; however, they also found evidence of similar manual activity related to the exploit as early as July 2021, suggesting the Clop actors have known about the vulnerability for almost two years. The researchers suggest they waited until they had the automation tools available to allow exploitation at scale.

The post Update on MOVEit Vulnerability Exploitation and Extortion: Victims Given Until June 11 to Pay Ransoms appeared first on HIPAA Journal.

HIPAA Clicks

Daily HIPAA News, HIPAA RSS Feeds, HIPAA Information

Update on MOVEit Vulnerability Exploitation and Extortion: Victims Given Until June 11 to Pay Ransoms

Clop Ransomware Group Claims Responsibility for the Attacks

Clop May Have Known About Vulnerability for 2 Years

HIPAA Compliant Video Conferencing Market Research Report … – KaleidoScot

FTC Proposes Health Breach Notification Rule Amendments – Lexology

Register now: St. Joseph’s Hospital to host free Junior Nursing … – My Buckhannon

ANOTHER OPINION: HIPAA rules confuse Hoosiers | Opinion … – Goshen News

Ostendio, Congruity 360, DriveStrike, LifeOmic, Azalea Health … – KaleidoScot

Editorial: HIPAA rules confuse Hoosiers | Editorials | tribstar.com – Terre Haute Tribune Star

SecureMyResearch’s rapid adoption in 2021: IU News – IU Newsroom

Introducing SecureMyResearch: IU News – IU Newsroom

Latest News from Around the Web

Categories