The Clop cybercrime gang's attacks on MoveIt Transfer customers have affected 2,095 organizations and 62,054,613 individuals, according to the latest tally from security vendor Emsisoft.
Progress Software, which publishes managed file transfer software MoveIt Transfer, disclosed critical SQL injection flaw CVE-2023-34362 on May 31. Although Progress was quick to respond and released a patch the same day, MoveIt instances were already under attack. Dozens of organizations published breach disclosures over the following weeks, and according to Emsisoft -- which has been tracking the campaign since it began months ago -- many more organizations have been affected since.
Microsoft credited initial attacks to a threat actor it dubbed Lace Tempest, which was connected to the Clop ransomware gang. Clop has, since that time, been broadly credited as the threat actor behind the campaign, having leaked data from a large number of alleged victims on its data leak site. Threat activity largely took the form of data extortion attacks, in which Clop stole data from vulnerable MoveIt instances and used it to extort payments from victims.
The victims themselves have been wide-ranging, from private companies to U.S. government agencies and beyond. CISA Director Jen Easterly in mid-June referred to attacks on MoveIt customers as largely opportunistic and said that as far as CISA knew, "these actors are only stealing information that is being stored on the file transfer application at the precise time that the intrusion occurs."
The scope of affected organizations, however, has greatly increased since that time. Emsisoft threat analyst Brett Callow said in July that he had tracked approximately 270 organizations affected by the campaign, but the number has since grown to more than 2,000, according to data published in a blog post on the security vendor's website.
Data was sourced, the blog said, via "state breach notifications, SEC filings, other public disclosures, as well as Cl0p's website." Because Clop is a criminal organization and the data it publishes cannot be directly trusted, the tally is considered an estimate rather than a confirmed count.
Of the more than 62 million individuals whose personal data may have been compromised through the campaign, Emsisoft said, the organizations contributing the largest shares to that count include government services company Maximus (11 million), the Louisiana Office of Motor Vehicles (6 million) and payment processing company Alogent (4.5 million).
Callow told TechTarget Editorial that 1,690 of the 2,098 known victim organizations were compromised via third parties rather than directly as part of the MoveIt Transfer campaign. For example, the Colorado Department of Health Care Policy and Financing last month disclosed that private health information for millions of Colorado Medicaid beneficiaries was accessed by Clop threat actors when they breached a vulnerable MoveIt Transfer instance used by IBM, a third-party contractor engaged by HCPF.
Similarly, Censys senior researcher Emily Austin said in a Monday Mastodon post that the campaign "has become a supply chain issue" and that she strongly suspected "we'll see a long tail of breach disclosures as a result."
In an email, Austin told TechTarget Editorial that "unfortunately it's not all that surprising" that a large number of organizations were compromised secondhand.
"We see several thousand MoveIt instances online, but a single instance could hold data for tens or hundreds of other organizations, meaning the impact from this campaign isn't necessarily linear," she said. "We've seen this exact scenario play out in the recently disclosed breach of the National Student Clearinghouse, who disclosed that data for nearly 900 colleges and universities had been leaked through the MoveIt campaign. I suspect we may continue to see fallout from this campaign -- as organizations complete their investigations and notify affected parties -- for months to come."
Update 9/28/2023: In a statement shared with TechTarget Editorial, a spokesperson for Progress Software said the vendor "worked quickly" to mitigate relevant vulnerabilities and support affected customers.
"When we discovered the vulnerabilities in MoveIt Transfer and MoveIt Cloud, we worked quickly to provide initial mitigation strategies, deployed a patch on May 31 that fixed the issue and communicated directly with our customers so they could take action to harden their environments," the spokesperson said. "An advanced and persistent threat actor used a sophisticated, multi-stage attack to exploit this zero-day vulnerability and we are committed to playing a collaborative role in the industry-wide effort to combat cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products."
Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.