The MOVEit victim list appears to be growing steadily, with the latest additions being the US Department of Energy and several other federal bodies. The US Cybersecurity and Infrastructure Security Agency (CISA) is working closely with the FBI and Progress Software to understand the full extent of the breach. On the civilian side, Johns Hopkins University and Johns Hopkins Health System also disclosed that their data was compromised in the same wave of attacks as of June 16.
CISA officials declined to say exactly which government agencies were breached, although the Department of Energy disclosed its breach on June 15. The threat actors are reportedly staying true to their word of deleting and not publishing government data. Additionally, Jen Easterly, director of CISA, claims that “this is not a campaign like SolarWinds” because it doesn’t pose a “systemic risk” to the country’s national security or networks.
Clop had set a June 14 deadline for corporate victims to pay a ransom or have their data leaked. According to ReliaQuest analysts, 27 American and European organisations have been identified as victims, but we’re yet to see any stolen data leaked publicly. The first set of victims included the BBC, British Airways and Boots, among other companies.
On the other hand, the new vulnerabilities discovered by Progress in its MOVEit suite of programs seem to be getting active attention. The more dangerous of the two is a set of SQL injection vulnerabilities tracked collectively as CVE-2023-35036. A PoC exploit for the vulnerability is already in the works as Progress issues a warning detailing the vulnerability and mitigation steps users can take to avoid exposure.
Although the ransomware gang is believed to be based in Russia, with both CISA and the FBI blaming Clop for the attacks, a CISA official said there’s no evidence of Russia and Clop collaborating on the MOVEit hacks. We’re yet to see the full global impact of the attack as waves of new victims, vulnerabilities, exploits and PoCs are coming out. Still, victims are informing customers, staff, and, in some cases, patients that their private data may have been affected or stolen.