

Update on MOVEit Vulnerability Exploitation and Extortion: Victims Given Until June 14 to Pay Ransoms

A zero-day vulnerability in the MOVEit file transfer service (CVE-2023-34362) started to be exploited at scale by a cyber threat actor over the Memorial Day weekend. Progress Software issued an advisory about the vulnerability on May 31, 2023, and rapidly released patches to fix the flaw, but not in time to prevent mass exploitation. Remote exploitation of the flaw gave attackers access to the MOVEit server database, and through it to customer data.

A few days later, several major organizations confirmed they had been impacted by the attacks, including the airlines British Airways and Aer Lingus, the UK drugstore chain Boots, the University of Rochester in New York, and the Nova Scotia provincial government, all of which had data exfiltrated through their payroll and HR service provider, Zellis. Nova Scotia Health has confirmed that the personal information of up to 100,000 employees was stolen in the attack.

The Clop ransomware gang and the associated FIN11 threat group were suspected of involvement in the mass exploitation of the vulnerability, as they had previously targeted file transfer solutions, exploiting zero-day vulnerabilities in the Accellion FTA and Fortra’s GoAnywhere MFT. Microsoft, Mandiant, and others attributed the attacks to Clop/FIN11: Microsoft attributed them to a Clop affiliate it tracks as Lace Tempest, and Mandiant to a newly created threat cluster it tracks as UNC4857, also linked to Clop/FIN11. Mandiant confirmed to The HIPAA Journal that it has seen evidence of data exfiltration at multiple companies and that targeted applications were infected with a webshell called LEMURLOOT. Shodan scans revealed more than 2,500 instances of MOVEit software exposed to the Internet, and Censys reported more than 3,000 hosts running the service, all of which were potentially vulnerable.

Clop Ransomware Group Claims Responsibility for the Attacks

Around a week after news of the exploits broke, the Clop ransomware gang claimed responsibility for the attacks and confirmed that ransom demands had been issued, along with threats to release the stolen data if the ransoms are not paid; breached firms were given until June 14 to pay up or face data exposure. Although the Clop group uses ransomware, these attacks involved vulnerability exploitation and data theft without encryption, as was the case with the attacks on the Accellion FTA and GoAnywhere MFT.


On June 7, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint security advisory and provided a list of recommended mitigations to reduce the impact of Clop exploits. A few days earlier, on June 2, the Health Sector Cybersecurity Coordination Center (HC3) issued a sector alert, warning that the health and public health sector was potentially at risk from the vulnerability.

The number of victims has yet to be determined; in contrast to the GoAnywhere MFT attacks, the Clop group has not publicly stated how many attacks were conducted, only that the number is in the hundreds. The scale of the attacks should become clearer from June 14 if Clop is true to its word and starts publishing stolen data, although it may take several weeks or months before the full extent of the exploitation of the vulnerability is known.

Clop May Have Known About Vulnerability for 2 Years

Cybersecurity firm GreyNoise reports that it traced scanning activity associated with the vulnerability back to March 3, 2023. Security experts at Kroll said they found evidence that Clop was testing ways to exploit the vulnerability and obtain data in April 2023; they also found evidence of similar manual activity related to the exploit as early as July 2021, suggesting the Clop actors have known about the vulnerability for almost two years. The researchers suggest the group waited until it had the automation tools needed to exploit the vulnerability at scale.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
