Fallout from Clop’s mass exploit of a zero-day vulnerability in Progress Software’s MOVEit file transfer service continues to ensnare additional victims. The prolific ransomware actor is listing new compromised systems on its leak site daily and some organizations are still disclosing breaches.
At least 108 organizations, including seven U.S. universities, have been listed by Clop or disclosed as having been impacted thus far, according to Brett Callow, threat analyst at Emsisoft.
The University of California, Los Angeles, is the latest organization to disclose a breach of its MOVEit platform. The school’s IT security team discovered malicious activity on June 1, a spokesperson told Cybersecurity Dive.
“The university notified the FBI and worked with external cybersecurity experts to investigate the matter and determine what happened, what data was impacted and to whom the data belongs. All of those who have been impacted have been notified,” the spokesperson said.
Multiple large and well-known organizations confirmed impacts in recent days, including the California Public Employees’ Retirement System, PwC, EY, Genworth Financial and Allegiant Air. Personal information of about 769,000 members of CalPERS, the largest pension system in the U.S., was exposed.
The U.S. State Department offered a $10 million bounty for information on the Clop ransomware group last week after multiple federal agencies were impacted by broad exploits of the MOVEit file transfer vulnerabilities.
Organizations are disclosing breaches weeks after Progress first acknowledged the MOVEit vulnerability and cybersecurity experts warned about mass exploits. Two additional vulnerabilities in the file-transfer service have subsequently been discovered.
“What stands out the most is the slow reveal of companies who have been affected,” Michela Menting, senior research director at ABI Research, said via email. “Either they have only just discovered the leak, or they’ve been covering up the incident — either way, that reflects poor cyber hygiene.”
Some organizations have been impacted through their direct use of MOVEit, while others have been exposed because third-party vendors, including PBI Research Services and Zellis, use the file transfer service.
“This attack points to the continued success of supply-chain attacks — it’s much easier to target an upstream platform that delivers to many, than targeting each individual downstream target,” Menting said.
“The biggest worry is that many companies are simply unaware of the potential risk and resulting damage of supply chain attacks such as this one,” Menting said.
Too many organizations are either accepting the risk or unwilling to take measures to pre-empt the threat, according to Menting.
“It is ultimately the end user that suffers the most as their personal data becomes exposed,” Menting said.
The PII of about 15 million individuals has been exposed by exploits of the MOVEit vulnerabilities to date, according to Callow.
“This is obviously a very significant incident,” Callow said, “but we don’t yet know how significant.”
Progress declined to answer questions about the spreading fallout and extent of damage linked to the MOVEit vulnerability exploits.