The number of victims affected by a campaign that targeted a zero-day vulnerability in Progress Sofware’s MOVEit file-transfer product to steal data continues to grow each day.

What Happened?

Numerous class action lawsuits were recently filed against Progress Software concerning a security vulnerability in its’ MOVEit file transfer utility that enabled hackers to exfiltrated untold millions of records from hundreds of institutions worldwide including U.S. federal and local state agencies, banks, universities, and businesses.

MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch, a subsidiary of US-based Progress Software Corporation, that allows the enterprise to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads.

The attacks began over the US Memorial Day holiday (May 27th) when fewer staff were monitoring systems.The attack took advantage of SQL Injection vulnerability.

What Information Was Stolen

The information stolen is specific to the data maintained by each facility that uses the software. For example, Louisiana and Oregon warn that millions of driver’s were exposed as a result of the breach.

The Louisiana Office of Motor Vehicles reports that information stolen includes –

• Name
• Address
• Social Security Number
• Date of Birth
• Height
• Eye color
• Driver’s License Number
• Vehicle Registration Information
• Handicap Placard Information

The Oregon DMV released a similar statement and a press release explaining that its MOVEit Transfer data breach impacted approximately 3,500,000 Oregonians with an ID or driver’s license.

The authorities in Oregon have stated that they are in no position to identify specific victims, so all citizens are advised to take precautions and assume their personal data was exposed to cyber criminals.

Therefore, all impacted people in Oregon and Lousiana should treat their data as being at risk, monitor credit reports for identity theft, and remain vigilant against possible targeted phishing attacks.

Other organizations who have already disclosed MOVEit Transfer breaches include US federal agencies and universities, the US state of Missouri, the US state of Illinois, Extreme Networks,  American Board of Internal Medicine, Minnesota’s Department of Education, Genworth Captial, Wilton Reassurance, and CalPERS (California Public Employees’ Retirement System). More victims are being added to the list each day.

As new victims continue to come to light, Progress Software has rushed to patch a new vulnerability impacting MOVEit Transfer. This vulnerability, tracked as CVE-2023-35708, could lead to unauthorized access to customer environments, Progress warned in its advisory.

Russia’s CLoP Ransomware Gang Claims Responsibility

The CloP ransomware gang claimed responsibility for the MOVEit attacks. CLoP is telling impacted organizations to contact them if they wish to negotiate a ransom. As of time of writing CLoP has begun posting company names and profiles on the dark web.

The US State Department offered a $10 million bounty for information linking CLoP ransomeware attacks to a foreign government.

“Do you have info linking CLoP Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government? Send us a tip. You could be eligible for a reward,” tweeted the Rewards for Justice Twitter account.

I Just Received a Letter Informing Me My Personal Information Was Exposed In The Breach – What Do I Do?

If you received a letter in the mail explaining that your personal information was accessed by an unauthorized third party in a recent data breach, you need to act quickly to protect yourself from identity theft.

• Carefully read the letter in its entirety and hold onto it
• Find out what type of personal data was breached
• Sign up for any credit monitoring or protection services offered to you
• Change your online passwords and PINs
• Start contacting the parties who are relevant to your breached information
• Notify all of the major credit bureaus to set up a fraud alert
• Check your credit reports
• Put a credit freeze in place on your accounts
• Monitor your accounts for suspicious activity

Kroll, an investigative security service, found evidence that Clop has been testing exploits for the now-patched MOVEit zero-day since 2021 including ways to exfiltrate data stolen from compromised MOVEit servers since at least April 2022.

Understand Your Rights

You did nothing wrong, but you have to suffer through all of these consequences—the financial harm, the wasted time, the emotional distress. It’s unfair, and honestly, it’s overwhelming. You shouldn’t be the one to bear the consequences for the responsible parties.

Consumers affected by a data breach can seek compensation at no upfront cost and with relatively little time commitment required on their part. To understand your legal rights, please fill out the below form and a data breach attorney will contact you.

Case Status: Open – Not Accepting New Clients

Tags: consumer protection   cyber attack   data breach   Data Privacy   Personal Identifying Information   ransomware