2023 has witnessed a relentless wave of interconnected cyber attacks, with consequences such as data breaches, that has left countless victims in its wake.

This ongoing saga, rather than a single isolated incident, has been orchestrated by a cybercriminal group that keeps growing, affecting potentially tens of millions of people. What’s even more concerning is that many may never even realize the extent of the damage inflicted upon them.

 

The MOVEit Data Breach Saga Unfolds

Since May, a mass exploitation campaign targeting a vulnerability in the widely used file transfer software MOVEit has been wreaking havoc across the digital landscape.

Cybercriminals have capitalized on this vulnerability to steal sensitive data from a wide array of businesses and government organizations, including major names like Shell, British Airways, and the United States Department of Energy.

Although the flaw was patched by Progress Software, the owner of MOVEit, at the end of May, the damage had already been done. Months later, we are still grappling with the full extent of the fallout.

Recently, Ontario’s government birth registry, BORN Ontario, disclosed that it had fallen victim to a MOVEit-related attack earlier this year.

In this breach, hackers made off with sensitive personal data from a staggering 3.4 million individuals, including 2 million babies, expectant parents, and those seeking fertility care. The compromised health data spanned from January 2010 to May 2023.

BORN Ontario is just one of many organizations slowly revealing their experiences with MOVEit-related incidents. Researchers warn that there may be more attacks and compromised data yet to come to light.

Emily Austin, Security Research Manager and Senior Researcher at Censys, emphasizes that the MOVEit situation is a genuine software supply chain security issue.

The vulnerabilities existed in two versions of the MOVEit service: the cloud-based MOVEit Cloud and the local version known as MOVEit Transfer, which organizations run on their premises. Most of the exploitation occurred in the latter, but the attackers targeted not only direct users but also organizations connected through third parties or vendors. This multifaceted attack strategy has complicated the situation further.

Progress Software issued a statement acknowledging the severity of the situation, stating, “An advanced and persistent threat actor used a sophisticated, multi-stage attack to exploit this zero-day vulnerability, and we are committed to playing a collaborative role in the industry-wide effort to combat cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.”

 

Clop: A Strategic Cybercriminal Data Breach Threat

Centralized data repositories like MOVEit have become attractive targets for cybercriminal groups like Clop, known for strategically exploiting systems within the software supply chain, including multiple file transfer tools.

Earlier this year, Clop claimed responsibility for breaching over 100 organizations by exploiting the GoAnywhere file transfer tool. However, the MOVEit incident surpasses them all, both in terms of the number of victim organizations and the individuals whose data has been compromised.

According to Emsisoft, a cybersecurity company tracking the impact of the MOVEit campaign, 2,167 organizations have been affected so far.

This number has steadily risen since the breach began in May. Notably, the National Student Clearinghouse revealed that 890 colleges and universities across the United States, including prestigious institutions like Harvard and Stanford, had fallen victim to MOVEit breaches.

While 88.8% of known victims are in the United States, organizations in Germany, Canada, and the UK have also reported being exposed to Clop.

Emsisoft’s analysis reveals that 1,841 organizations have disclosed breaches, but only 189 of them have specified how many individuals were impacted. From these detailed disclosures, Emsisoft has determined that over 62 million individuals had their data breached in the MOVEit spree.

However, since nearly 2,000 organizations have not disclosed how many individuals were affected, and some impacted organizations have not come forward at all, the true number of compromised individuals could be even larger, potentially reaching the hundreds of millions.

 

The Human Cost of Data Breaches

While cybercriminal groups often make headlines for ransomware attacks, the relentless theft, publication, extortion, and trade of sensitive data in incidents like the MOVEit breach can have profound and lasting impacts on individuals’ lives.

These broader consequences are often overshadowed by incidents where financial gain is the primary motive.

For example, previous hacks on educational institutions have exposed deeply personal information, such as details of sexual assaults, child abuse allegations, and suicide attempts.

Victims are often unaware that their personal information has been exposed, adding to the distress caused by the initial breach. Breaches of mental health service providers have similarly exposed patients’ records, further underscoring the far-reaching consequences of data breaches.

 

Preparing for the Future

Brett Callow, a threat analyst at Emsisoft, predicts that the slow drip of MOVEit-related disclosures will continue for years to come. More importantly, both Callow and Emily Austin stress the need for organizations to be prepared for cybercriminals to continue targeting widely used data management software.

As Callow aptly puts it, “MOVEit isn’t the first file transfer application to be exploited, and it likely will not be the last.”

In a recent development, Progress Software disclosed a new set of vulnerabilities in one of its file transfer tools for servers, WS_FTP Server. While there is currently no evidence of active exploitation, this serves as a reminder that the cybersecurity landscape is ever-evolving, and vigilance is essential in safeguarding sensitive data.

The MOVEit saga of 2023 serves as a stark reminder of the ever-present threats in the digital world and the critical importance of robust cybersecurity measures to protect individuals and organizations alike. It’s a story that continues to unfold, and its implications will reverberate for years to come.
