Cl0p’s MOVEit Attack Tally Surpasses 2,000 Victim Organizations

Cyber Security Threat Summary:
The number of victim organizations hit by Cl0p via vulnerable MOVEit installations has surpassed 2,000, and the number of affected individuals is now over 60 million. The victim organizations are overwhelmingly based in the US. “The most heavily impacted sectors are finance and professional services and education, which account for 13.8 percent and 51.1 percent of incidents respectively,” Emsisoft researchers have shared on Monday” (Help Net Security, 2023). These numbers come from links to data breach notification alerts issued by victim organizations.

Most recently, the Better Outcomes Registry & Network (BORN) announced they were impacted by Cl0p. The Ontario-based perinatal, newborn and child registry issued a data breach notice in late March. The breach contained personal health information for around 3.4 million people.

Security Officer Comments:
The MOVEit vulnerability based attacks carried out by Cl0p will likely break all cyber attack records from a monetary perspective. The extortion gang was able to exploit a SQL injection vulnerability tracked as CVE-2023-34362 in MOVEit file transfer solutions, using it to compromise thousands of exposed installations and access the underlying database.

The MOVEit platform is commonly used by many government and financial institutions as well as private and public organizations. While we will never know the full scope of the attacks, the volume of victims as the result of this vulnerability has surpassed 2,000. Because some of the impacted organizations provide services to multiple other organizations, this number could grow even larger. According to Emsisoft, “It should be noted that there will invariably be some overlap in terms of individuals impacted. Some organizations had MOVEit exposure via multiple vendors, which means the customers of those organizations will likely have had multiple exposures too.”

Cl0p moved quickly to steal data from impacted victims, later leaking stolen data to their leak site and contacting victims with ransom demands. The sheer volume of victims was alarming, as we saw Cl0p take the top spot of ransomware attacks in terms of number of victims. The group had always been fairly prolific, but this exponential increase in number of attacks put them far ahead of other ransomware activities.

Suggested Correction(s):
Zero days can be tough to mitigate depending on what type of device or piece of software is susceptible. The time gap between the production, release, and deployment of a patch and vulnerability disclosure is the most critical aspect of zero vulnerabilities or anyone for that matter.

An attacker can leverage a vulnerability from when it's known until systems are patched, which is why vulnerabilities must be responsibly disclosed to vendors. Unfortunately, until development teams release a patch or effective mitigation, there is not much companies can do to prevent attackers from leveraging unpatched systems, especially those exposed to the internet - aside from taking them offline entirely.

A disconnect can significantly impact business functions which is why those who fill IT Leadership roles must communicate the possible implications, risks, and overall impact to business leaders so decisions can be made that favor all aspects of the business totality.

Applying defense-in-depth strategies and zero-trust can significantly assist in preventing the exploitation of zero-days. Still, it may not contain a full-blown attack depending on the severity and type of exploit possible.