The dramatic fallout continues in the mass exploitation of a critical vulnerability in a widely used file-transfer program, with at least three new victims coming to light in the past few days. They include the New York City Department of Education and energy companies Schneider Electric and Siemens Electric.
To date, the hacking spree appears to have breached 122 organizations and obtained the data of roughly 15 million people, based on posts the crime group has published or victim disclosures, Brett Callow, a threat analyst at the antivirus company Emsisoft, said in an interview.
Microsoft has tied the attacks to Clop, a Russian-speaking ransomware syndicate. The hacks are all the result of Clop exploiting what had been a zero-day vulnerability in MOVEit, a file-transfer service that’s available in both cloud and on-premises offerings.
The first signs of the exploitation spree occurred on May 27. Four days later, MOVEit provider, Progress, patched the vulnerability, which is tracked as CVE-2023-34362. The zero-day stemmed from a SQL injection. These are among the oldest forms of vulnerability and are the result of poor coding practices that are preventable. Even after Progress issued the fix, some MOVEit users continued to get hacked because they hadn’t yet installed it on their networks.
Among the first confirmed victims were payroll service Zellis and the Canadian province of Nova Scotia. Zellis customers British Airways, the BBC, Aer Lingus, Ireland’s HSE, and UK retailer Boots were all known to have had data stolen through the breach of the payroll service. Other victims soon came to light, including two Department of Energy entities, the US states of Missouri and Illinois, the American Board of Education Extreme Networks, and Ofcam.
Driver license data for millions of Oregon and Louisiana citizens have also been stolen in the attacks. CNN has reported that the Department of Agriculture may also be affected.
Shoes keep dropping
On Tuesday, the Clop site named Siemens Electric as another victim, and shortly after that, it was widely reported, company officials confirmed its systems had been breached in the Clop campaign.
“Based on the current analysis, no critical data has been compromised and our operations have not been affected,” a Siemens Electric representative told news outlets, including Cyberscoop. “We took immediate action when we learned about the incident.” Attempts by Ars to reach Siemens Electric weren’t successful.
Clop named Schneider Electric as another victim. In an email, a Schneider Electric official wrote: “On May 30th, 2023, Schneider Electric became aware of vulnerabilities impacting Progress MOVEit Transfer software. We promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely.”
On Saturday evening, the head of New York City’s Department of Education came forward to say that it, too, had been hit in the Clop campaign.
“Review of the impacted files is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, were affected,” Emma Vadehra, chief operating officer for the department, wrote. “Roughly 19,000 documents were accessed without authorization. The types of data impacted include Social Security Numbers and employee ID numbers (not necessarily for all impacted individuals; for example, approximately 9,000 Social Security Numbers were included).”
Clop is a Russian-speaking group that’s among the most prolific and active ransomware actors. The threat actor recently mass-exploited CVE-2023-0669, a critical vulnerability in a different file-transfer service known as GoAnywhere. That hacking spree also claimed more than 100 organizations, including data security company Rubrik, and Community Health Systems of Franklin, Tennessee. The hack of Community Health Systems, one of the biggest hospital chains, allowed Clop to obtain health information for 1 million patients.