Companies and government agencies have been added in recent days to the list of institutions victimized by a supply chain cyber attack in which a ransomware gang exploited a vulnerability in a managed file transfer product widely used by enterprises. To date, the sector with the largest share of victims has been financial services, specifically banks and credit unions.
On May 27, the ransomware gang Cl0p began exploiting a zero-day vulnerability in Progress Software's MOVEit Transfer product to steal data from at least 91 organizations, including state and federal agencies and at least 10 U.S. banks and credit unions. Data compromised in the leaks included names, addresses, birthdates, Social Security numbers, and more.
Progress notified customers about the vulnerability on May 31 and released a patch for it two days later. The company has since identified and remediated two other vulnerabilities in MOVEit Transfer. All three are SQL injection vulnerabilities: attacker-controlled input is concatenated into a database query and interpreted as SQL rather than as data. Injection, the category that includes SQL injection, ranks third in the OWASP Top 10 list of web application risks published by the cybersecurity nonprofit OWASP Foundation.
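The following is an added illustration of the class of bug described above, not Progress's code and not the actual MOVEit Transfer flaw: a login check that concatenates user input into a SQL string beside the same check written with bound parameters, run against a small constructed in-memory SQLite table. The table, the user record and the `' OR '1'='1` payload are all assumptions made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample database for the demonstration (not a real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable pattern: input is spliced into the statement text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username +
        "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    # Hardened pattern: placeholders are bound by the driver, so the input is
    # only ever compared as a value and cannot change the query structure.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    # Returns the outcome of a legitimate login and of an injection attempt
    # against both implementations.
    conn = make_db()
    payload = "' OR '1'='1"  # assumed attacker-supplied "password"
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_inject": login_vulnerable(conn, "nobody", payload),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_inject": login_safe(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

With the payload, the vulnerable version executes `... AND password = '' OR '1'='1'` and accepts a user that does not exist; the parameterized version compares the literal string and rejects it. The same principle applies to any code path that builds queries from request data, including the kind of file-transfer front end discussed here.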
In a joint advisory with the FBI released this month, CISA confirmed that Cl0p had started exploiting the MOVEit vulnerability on May 27, 2023, four days before Progress informed MOVEit customers of the flaw on May 31.
Brett Callow, a security researcher for Emsisoft, said Wednesday that he had identified 91 institutional victims of the Cl0p attacks to date. The total number of customers and citizens who had data caught up in the breach is not currently known, as investigations into the breaches are ongoing.
“At this point, we don’t have good visibility into which organizations have been impacted or the nature of the data that has been exfiltrated, and that makes it impossible to speculate as to the overall seriousness of the incident and its likely impact,” Callow said. “That said, it’s probably safe to say that Cl0p is now in possession of a massive amount of information that could be used for phishing, identity fraud, etc.”
Firms looking to identify what files Cl0p might have stolen can use a guide from cybersecurity firm CrowdStrike to aid their investigation.
Banks and credit unions that Cl0p has listed as victims of the attack include (American Banker has not independently verified this list):
- Gesa in Richland, Washington
- Stockman Bank in Miles City, Montana
- 1st Source Bank in South Bend, Indiana
- Putnam Investments in Boston, Massachusetts
- Bankers’ Bank in Madison, Wisconsin
- A+ Federal Credit Union in Austin, Texas
- Bar Harbor Bank in Bar Harbor, Maine
- Power Financial Credit Union in Pembroke Pines, Florida
- East West Bank in Pasadena, California
- Umpqua Bank in Roseburg, Oregon (which confirmed to state news outlets it was compromised)
Cl0p also claimed to have breached CU*Answers, a credit union software vendor based in Grand Rapids, Michigan.
Cl0p has been posting names of victims on its data leak site for days and posted additional names as late as Wednesday, according to cybersecurity firm ReliaQuest. The gang is currently holding 50 companies for ransom. While those companies come from multiple industries, financial services is most heavily impacted; more than 25% of the victims being ransomed as of Thursday were in financial services.
State agencies in Illinois, Louisiana, Missouri, and Oregon reported breaches resulting from attackers exploiting their MOVEit installations. Oregon's Department of Motor Vehicles told state media that 90% of its driver's license and state ID card files were stolen in the attack.
Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, told reporters last week that the attack did not present a "systemic risk to our national security or our nation's networks" the way the 2020 SolarWinds supply chain attack did.
“Based on discussions we have had with industry partners … these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high value information— in sum, as we understand it, this attack is largely an opportunistic one,” Easterly said.
Cl0p said on its data leak site that it had deleted all the data it stole from state and federal agencies, a claim security experts have warned not to take at face value given the value of such data. Steve Povolny, director of security research at cybersecurity firm Exabeam, said ransomware groups make these kinds of claims to avoid the greater liability that would make them a higher-priority target for law enforcement.
“I think the question of whether we should believe anything a malicious nation-state actor claims should be fairly straightforward: Don’t trust, and verify,” Povolny said.