The Latest on the MOVEit Clop Hack Fallout
By Jana Bounds

Clop, a Russian-speaking ransomware gang, continues to exploit a zero-day vulnerability in the file-transfer software MOVEit, and the victim tally has climbed from a dozen to over 100 organizations this past month. Sensitive information has been compromised at schools, municipalities, airlines, financial institutions, pension organizations, and even a Department of Energy (DOE) contractor charged with disposing of radioactive waste. UCLA, Siemens Energy, and AbbVie (one of the world’s largest biopharmaceutical companies) are among the recently revealed victims.

UCLA’s IT security team discovered that the flaw had been exploited on its systems and “immediately activated its incident response procedures, fixed the vulnerability using the security patch issued by Progress Software, and enhanced monitoring of the system,” a spokesperson told The Record. Siemens Energy confirmed that it was targeted, but said early analysis suggests no critical data was compromised.

Although The Record received no official statement from AbbVie, an anonymous source confirmed the company was impacted by the hack and investigating what data was accessed.  


Clop Might Have Tested MOVEit Flaw Since 2021

Kroll security experts, analyzing logs from networks compromised in the recent Clop attacks on MOVEit, found malicious activity “matching” methods Clop had used before.

“Kroll’s review of Microsoft Internet Information Systems (IIS) logs of impacted clients found evidence of similar activity occurring in multiple client environments last year (April 2022) and in some cases as early as July 2021,” according to Bleeping Computer.
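The Kroll finding rests on a simple retrospective question: given years of IIS logs, when did a given request pattern first show up in your environment? The script below, an added example that is not code from the article, from Kroll, or from Progress Software, walks an IIS W3C log and reports the earliest date of successful POSTs to any server-side path outside an allowlist. It encodes no real MOVEit indicator: the `EXPECTED_POST_PATHS` baseline, the `SAMPLE_LOG` lines, and the `parse_iis_w3c` / `first_seen_unexpected_posts` function names are all constructed for illustration, and a real review would build the baseline from the application actually deployed.

```python
"""Retrospective review of IIS W3C logs for a file-transfer application.

Added example, not code from the article, Kroll, or Progress Software.
No real MOVEit indicator is encoded here: the expected-path baseline and
the sample log lines are constructed for illustration only.
"""
from datetime import date

# Constructed baseline (assumption): handlers legitimate clients POST to.
# A real deployment must derive this from its own application, not copy it.
EXPECTED_POST_PATHS = {"/api/v1/token", "/api/v1/files", "/upload.aspx"}

# Constructed sample log in IIS W3C extended format. IIS writes these
# timestamps in UTC by default. The /unexpected.aspx path is fictional.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-06-30 10:15:01 10.0.0.5 POST /api/v1/token - 443 - 203.0.113.7 Mozilla/5.0 200 12
2021-07-12 03:41:22 10.0.0.5 POST /unexpected.aspx - 443 - 198.51.100.9 python-requests/2.25 200 340
2021-07-12 03:41:23 10.0.0.5 POST /unexpected.aspx - 443 - 198.51.100.9 python-requests/2.25 200 29
2022-04-03 22:10:05 10.0.0.5 POST /unexpected.aspx - 443 - 198.51.100.44 Mozilla/5.0 200 150
2023-05-28 01:02:03 10.0.0.5 POST /api/v1/files - 443 - 203.0.113.7 Mozilla/5.0 200 88
2023-05-28 01:02:04 10.0.0.5 GET /unexpected.aspx - 443 - 198.51.100.9 Mozilla/5.0 404 3
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                # IIS may emit a new #Fields: line mid-file when the log format changes.
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no requests
        if fields is None:
            raise ValueError("request line seen before any #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; a real review should count and report these
        yield dict(zip(fields, values))


def first_seen_unexpected_posts(text, expected=EXPECTED_POST_PATHS):
    """Map each POST target outside the baseline to (earliest date, hit count, client IPs).

    Only successful (2xx) POSTs count: a 404 shows someone probed the path,
    a 200 shows the server actually had a handler there to receive the POST.
    """
    seen = {}
    for rec in parse_iis_w3c(text):
        if rec["cs-method"] != "POST" or not rec["sc-status"].startswith("2"):
            continue
        path = rec["cs-uri-stem"].lower()
        if path in expected:
            continue
        day = date.fromisoformat(rec["date"])
        earliest, count, ips = seen.get(path, (day, 0, set()))
        seen[path] = (min(earliest, day), count + 1, ips | {rec["c-ip"]})
    return seen


if __name__ == "__main__":
    for path, (earliest, count, ips) in sorted(first_seen_unexpected_posts(SAMPLE_LOG).items()):
        print(f"{path}: first seen {earliest}, {count} successful POSTs from {sorted(ips)}")
```

On the constructed sample the only flagged path is `/unexpected.aspx`, first seen 2021-07-12 rather than on the 2023 dates most teams would start looking at. That is the point of the exercise: the window of interest is set by how far back your IIS logs go, not by when the advisory was published, and the GET that returned 404 on 2023-05-28 is exactly the kind of probe that a 2xx-only filter deliberately leaves out of the "confirmed handler" list while still being worth a second pass.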

Millions of Americans’ Personal Data at Risk

The gang claims to have breached over 200 organizations worldwide, and the U.S. hacks alone are believed to put the personal information of millions of Americans at risk.

That includes millions of Oregon and Louisiana state ID records as well as data on 45,000 New York City students, including Social Security numbers and birth dates.

Personal information of several million more Americans was found to have been compromised on June 22, when the largest U.S. pension fund, the California Public Employees’ Retirement System (Calpers), and insurer Genworth Financial revealed they were victims of the breach, according to Reuters.

Both said they were exposed through the MOVEit flaw at a third-party vendor, PBI Research Services, which gave the Clop hackers a path to steal customer data. Calpers said PBI alerted it to the breach, which allowed the hackers to download “our data,” including information on nearly 800,000 retirees and beneficiaries.

Genworth Financial was hit even harder: an estimated 2.5 million to 2.7 million customers had their data stolen.  

Class-action Lawsuit Surfaces

Progress Software Corp. (PSC), the maker of MOVEit, “failed in its duty to protect sensitive information in connection with a data breach of the MOVEit cloud-hosting and file-transfer services it provides to government agencies and private companies,” according to a newly proposed federal class action cited by Bloomberg Law.

Plaintiffs claim the company failed to use proper security measures, adequately train its employees, or notify victims of the flaw and the risk of a breach in a timely manner.

According to the formal complaint, information exposed in the breach included names, addresses, Social Security numbers, driver’s license numbers, birthdates, demographic information, and other personal and financial information.

PSC has not started notifying individual victims, but the Louisiana Office of Motor Vehicles has begun alerting millions of people, including anyone with a state-issued driver’s license, ID, or car registration.

The first lawsuit to surface after Clop exploited the flaw in PSC’s software brings claims of “negligence, breach of third-party beneficiary contract, unjust enrichment, and declaratory judgment,” according to Bloomberg. “The plaintiffs are seeking actual damages, statutory damages, equitable relief, restitution, disgorgement, attorneys’ fees, lifetime credit-monitoring services and injunctive relief.”

Nuclear Waste Facilities Compromised

The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that several government agencies were also victims of the global cyberattack.  

The growing list of impacted organizations includes DOE contractors specializing in nuclear waste disposal and scientific education.  

The Waste Isolation Pilot Plant in New Mexico, charged with disposing of defense-related radioactive waste, and the Tennessee-headquartered DOE contractor Oak Ridge Associated Universities both received ransom demands via email after sensitive data was compromised through the MOVEit flaw.

The DOE, which manages U.S. nuclear weapons and nuclear waste sites, notified Congress of the breach and is participating in investigations with law enforcement and CISA, according to VOA.

All this surfaced after Clop claimed it wouldn’t exploit data from governments, military, and children’s hospitals.  

The ransomware gang didn’t respond to VOA’s request for comment but did post a few days later in all-caps: “WE DON’T HAVE ANY GOVERNMENT DATA,” and claimed that if they had inadvertently picked-up any government information, they would “STILL DO THE POLITE THING AND DELETE IT ALL.” 

Experts believe the gang is making a show of such claims in an attempt to dodge U.S. government retaliation. (However, that move isn’t working.) Meanwhile, it’s unlikely anyone in the security community took the group’s data-destruction claim seriously, Allan Liska, a Recorded Future analyst, told VOA. “Everybody in the security community was like, ‘Yeah, right. You probably gave it to your Russian handlers.’”

Assess Your Cybersecurity Immediately

Are you wondering where your organization stands with regard to cybersecurity measures? Do you have an established incident response procedure? Are you tired of wading through endless telephone prompts before you can receive assistance with your security concerns? Horizon Helix is the answer. Call us today for a free assessment of your cybersecurity.
