The MOVEit spree is as bad as — or worse than — you think it is

The mass exploit of a zero-day vulnerability in MOVEit has compromised more than 600 organizations and 40 million individuals to date, but the numbers mask a more disastrous outcome that’s still unfolding.

The victim pool represents some of the most entrenched institutions in highly sensitive — and regulated — sectors, including healthcare, education, finance, insurance, government, pension funds and manufacturing.

The subsequent reach and potential exposure caused by the Clop ransomware group’s spree of attacks against these organizations is vast, and the number of downstream victims is not yet fully realized.

Colorado State University was hit six times, six different ways. The school’s third-party vendors — TIAA, National Student Clearinghouse, Corebridge Financial, Genworth Financial, Sunlife and The Hartford — all informed the school of data breaches linked to the MOVEit attacks.

Three of the big four accounting firms — Deloitte, Ernst & Young and PwC — have been hit too, putting the sensitive customer data they maintain at risk.

Government contractor Maximus reported one of the worst breaches tied to the MOVEit compromise, after the personally identifiable information of up to 11 million individuals was potentially exposed. The data of more than 600,000 Medicare beneficiaries was exposed as part of the Maximus breach. 

The widespread attack against MOVEit and its customers was “highly creative, well-planned, organized by multiple groups and executed well since they were able to poach records at scale,” independent analyst Michael Diamond said via email.

“Without a doubt, they hit one of the juicy parts of the orchard from an information perspective that they’ll continue to monetize and use for attacks in the future,” Diamond said. “My impression is that this is only going to get worse over time.”

Diamond isn’t alone in forecasting the worst is yet to come.

“The scale of the attack and the high-profile victims make the MOVEit campaign arguably the most successful public extortion campaign we have seen to date,” Rick Holland, VP and CISO at Reliaquest, said via email.

The ultimate breadth of damage done may remain unknown but the sweeping impact of the attacks will eventually be measured in years, not months, Holland said.

Breaches beget breaches

The pool of victims continues to grow as the financially-motivated Clop lists more organizations on its leak site and enterprises trickle out attack disclosures.

“The number of breaches and magnitude of records exposed from this exploited vulnerability is massive and ongoing, which means many more breach notifications are forthcoming,” said Jess Burn, senior analyst at Forrester.

While global enterprises were hit at the outset, smaller organizations that lack the skills and resources to remediate the issue or meet Clop’s demands are now more likely to be impacted, according to Burn.

Things are bad now, even if the daily reports of damages caused by Clop wanes.

“From what we’ve already seen, this is about as bad as you can get,” Zane Bond, head of product at Keeper Security, said via email. “These attacks are targeting the systems organizations use to securely transport their most sensitive data including customer information, health information, PII and more.”

Zero days in the supply chain

The first sign of trouble surfaced more than two months ago. Clop’s mass exploitation of the zero-day vulnerability in MOVEit and spree of resulting attacks was swift.

“Clop isn’t your run-of-the-mill opportunistic extortion group. The group is a sophisticated threat actor who leverages zero days with advanced capabilities,” Holland said.

The threat actor is responsible for two high profile supply-chain attacks this year, including a zero-day vulnerability in Fortra’s GoAnywhere file-transfer service the group exploited in March. Clop was also responsible for the zero-day exploit driven campaign against the Accellion file-transfer devices in 2020 and 2021.