MOVEit hack spawned around 600 breaches but isn't done yet - cyber analysts
August 08, 2023
By Raphael Satter and Zeba Siddiqui
WASHINGTON/SAN FRANCISCO (Reuters) - A hydra-headed breach centered on a
single American software maker has compromised data at about 600
organizations worldwide, according to cyber analyst tallies corroborated
by Reuters.
But more than two months after the breach was first disclosed by
Massachusetts-based Progress Software, the parade of victims has
scarcely slowed. The tallies show that nearly 40 million people have
been affected so far by the hack of Progress' MOVEit Transfer file
management program. Now the digital extortionists involved, a group
named "cl0p", have become increasingly aggressive about thrusting their
data into the public domain.
"We are just in the very, very early stage of this," said Marc Bleicher,
chief technology officer of the incident response firm Surefire Cyber.
"I think we'll start to see the real impact and fallout down the road."
MOVEit is used by organizations to ship large amounts of often sensitive
data: pension information, social security numbers, medical records,
billing data and the like. Because many of those organizations were
handling data on behalf of others, who in turn got the data from third
parties, the hack has spiraled outward in sometimes convoluted ways.
For example, when cl0p subverted the MOVEit software used by a company
called Pension Benefit Information, which specializes in locating
surviving family members of pension fund holders, they gained access to
the data of the New York-based Teachers Insurance and Annuity
Association of America, which in turn manages pension programs for
15,000 institutional clients, many of whom have spent the past weeks
notifying employees of their exposure.
"There’s this domino effect," said Huntress Security's John Hammond, one
of the earliest researchers to start tracking the breach.
Hacks by groups like cl0p occur with a numbing regularity. But the sheer
variety of victims of the MOVEit compromise, from New York public school
students to Louisiana drivers to California retirees, has made it one
of the most visible examples of how a single flaw in an obscure piece of
software can trigger a global privacy disaster.
Christopher Budd, a cybersecurity expert with the British firm Sophos,
said the breach was a reminder of how interdependent organizations were
on one another's digital defenses.
Progress said it had been the victim of "an advanced and persistent
cybercriminal group" and that its focus was on supporting its customers.
'THOUSANDS OF COMPANIES'
Cl0p's hacking campaign began on May 27, according to two people
familiar with Progress’ investigation.
Progress first got wind of the compromise the next day, when a customer
alerted the firm to anomalous activity, these sources said. On May 30
the company sent a warning, and the next day issued a "patch", or
repair, which partially thwarted the hackers’ campaign.
[Photo caption: A sign indicates the direction to the offices of Progress Software in Burlington, Massachusetts, U.S., July 26, 2023. REUTERS/Brian Snyder]
"Many organizations were in fact able to deploy the patch before it
could be exploited," said Eric Goldstein, a senior official at the
U.S. Cybersecurity and Infrastructure Security Agency.
Not all organizations were so lucky. Details on the amount of stolen
material or the number of organizations affected are not publicly
available, but Nathan Little, whose firm Tetra Defense has responded
to dozens of MOVEit-related incidents, estimated the breach likely
affected thousands of companies.
"We may never know the exact detailed number," he said.
Some analysts have tried to keep track. As of Sunday, cybersecurity
firm Emsisoft had totaled up 597 victims with 39.7 million people
affected.
German IT specialist Bert Kondruss has come up with similar figures,
which Reuters corroborated by cross-checking them against public
statements, corporate filings and cl0p’s posts.
WHO HAS BEEN EXPOSED?
Educational organizations - colleges, universities, and even New
York City public schools - made up a quarter of the victims, with
Emsisoft and Kondruss counting more than 100 in the U.S. alone.
The exposure has gone well beyond academia.
Drive a car? The Louisiana and Oregon motor vehicle authorities
collectively disclosed the compromise of around 9 million records.
Retired? Pension management organizations such as the California
Public Employees' Retirement System and T. Rowe Price were breached
via Pension Benefit Information. The breach at U.S. government
contractor Maximus alone resulted in the compromise of between 8 and
11 million people's records.
A tenuous silver lining? The hackers may have ingested too much data
to release it all.
Alexander Urbelis, senior counsel with New York-based law firm
Crowell & Moring, which has helped victims gauge their exposure to
the hackers’ dragnet, said extraordinarily slow download speeds from
the hackers' creaky darknet website "made it all but impossible for
anyone" - whether well-intentioned or otherwise - "to access the
stolen data."
Goldstein, the U.S. official, said that "in many cases" data had yet
to be leaked.
Cl0p, which didn't return Reuters' messages, seems to be trying to
up its game. Late last month it created websites specifically
intended to better spread stolen data. Earlier this week it started
sharing the data via peer-to-peer networks.
That's bad news for the victims, said Surefire's Bleicher.
"Once this data starts to be slowly leaked, it shows up more on the
underground," he said. The impact of the breach in turn "will
probably get much larger than we think it is now."
(Reporting by Raphael Satter and Zeba Siddiqui; Editing by Chris
Sanders and Grant McCool)
© 2023 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.