MOVEit Vulnerability Impact: Over 500 Organizations, 34M+ Individuals and Counting

  • The four MOVEit MFT vulnerabilities have claimed multiple victims, including U.S. government organizations and private sector companies across the globe.
  • The exploitation of the vulnerability, especially by the Clop ransomware gang, has victimized over 500 organizations and over 34 million individuals.
  • Read on to learn more about the impact of what is one of the most significant, if not the most significant, exploitations of a zero-day vulnerability.

Described by experts as a “systemic attack,” the exploitation of the MOVEit Managed File Transfer (MFT) vulnerabilities, viz., CVE-2023-34362, CVE-2023-35036, CVE-2023-35708, and CVE-2023-3693X, has made waves across and beyond the cybersecurity and technology industries.

Since the first of them was discovered on May 31, 2023 (the latest came to light in mid-June), the series of four MOVEit MFT vulnerabilities has claimed multiple victims, including U.S. government organizations and private sector companies across the globe. This has led experts, including My1Login CEO Mike Newman, to term it “one of the biggest cyberattacks of this year.”

Considering the nature of the product, the repercussions of the patched MOVEit security flaws have emerged as a monumental supply chain attack by one of the most prolific ransomware outfits present today — Clop.

Impact of the MOVEit Vulnerability

The Russia-based Clop ransomware gang is at the forefront of MOVEit zero-day vulnerability exploitation and is expected to earn anywhere between $75 million and $100 million, according to estimates by Coveware.

“Law enforcement has advised companies impacted by MOVEit not to negotiate with the attackers, but while this may legally be the right thing to do, sometimes for businesses the data loss leaves them no choice,” Ryan McConechy, CTO at Barrier Networks, told Spiceworks in the context of ransom demands from Ernst & Young and TD Ameritrade.

“Clearly, in this case, the high volume of data loss for businesses was enough to force them to try to negotiate with the criminals, but this, unfortunately, doesn’t seem to have been effective.”

The MOVEit hack is so far-reaching that 456 companies were listed on leak sites as ransomware victims in June 2023, up 179% year-over-year, according to Corvus Insurance. Of the 29 ransomware groups Corvus analyzed, Clop posted 19.61% of the victims in June 2023.

Source: Corvus Insurance

“Much of June’s spike is due once again to the Clop ransomware group, which repeated a page from its playbook to exploit another software vulnerability en masse that included over 90 victims,” Corvus concluded.

An Emsisoft report dated July 18, 2023, puts the total number of MOVEit victims at 513 organizations and 34,682,156 individuals. KonBriefing research tracker puts the number at 516 organizations and 31 to 34 million individuals as of July 27, 2023.

Of these, 23 are from the U.S. public sector, and 31 are from the international public sector. Education is one of the sectors hit hard by the vulnerabilities and their exploitation, given that students, academics, and faculties rely on the MFT tool.

One hundred and nine organizations from the education sector have so far borne the brunt of MOVEit attacks, making up 21.6% of all incidents. However, finance and professional services top education and have suffered the most incidents from the MOVEit hack: 22.6%.

“Having taken advantage of a vulnerability in the MFT system of the MOVEit Platform, the Clop ransomware group is obviously opportunistic and financially motivated. It’s clear that Clop doesn’t care what type of organizations they attack, including those of schools and healthcare institutions, as long as they receive their ransoms,” Avishai Avivi, CISO at SafeBreach, told Spiceworks.

Although Clop is a ransomware gang, its modus operandi, like that of several other ransomware syndicates, has shifted in the recent past. Ransomware gangs now seek to extort victims by threatening to release exfiltrated data instead of encrypting victim systems.

MOVEit Zero-Day Victims by Country

Emsisoft assessed that over 72% of organizations victimized through the MOVEit flaw are based in the U.S. KonBriefing’s analysis puts the number at just over 69%.

MOVEit Victims Organizations

Source: KonBriefing

Remediation Efforts for Victims Targeted by Clop Ransomware Through MOVEit Vulnerability

A recent Bitsight report noted that victims are promptly remediating their attack surface pertaining to the MOVEit security bugs. Between May 31 (the day the first MOVEit flaw was discovered) and July 12, 77% of affected organizations had remediated their systems and were no longer vulnerable.

“In a typical vulnerability remediation pattern, it would take 29 months to reach the same level of remediation we observe happening for MOVEit after just 42 days. In other words, organizations are remediating CVE-2023-34362 roughly 21X faster than what’s considered typical. The point? Organizations are taking these MOVEit vulnerabilities very seriously, and rightfully so,” Bitsight said.

Percentage of Organizations Vulnerable to MOVEit Security Flaws

Source: Bitsight

Note that the red dotted lines represent vulnerability discovery dates.

Unexpectedly, the sectors most impacted by the MOVEit bugs, i.e., financial services and education, aren’t remediating fast enough. The top three industries to achieve rapid remediation are government (at least 73% remediated), manufacturing (at least 52% remediated), and business services (at least 46% remediated).

Notably, Progress Software, the parent company of MOVEit MFT developer Ipswitch, is facing at least 13 lawsuits, according to The Wall Street Journal, including a class-action one.
