10 banks alleged victims of ransomware attacks on file transfer software

The latest ransomware attacks on banks and government agencies do not represent a systemic risk, according to Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency. Photographer: Aaron M. Sprecher/Bloomberg

Companies and government agencies have been added in recent days to the list of institutions victimized by a supply chain cyberattack by a ransomware gang that exploited a weakness in file transfer software popular with enterprises. To date, the sector with the largest share of victims has been financial services — specifically banks and credit unions.

On May 27, ransomware gang Cl0p started exploiting a zero-day vulnerability in Progress Software's product MoveIt to steal data from at least 91 organizations, including state and federal agencies and at least 10 U.S. banks and credit unions. Data compromised in the leaks included names, addresses, birthdates, Social Security numbers and more.

Progress notified customers about the vulnerability on May 31 and released a patch the same day. The company has since identified and remediated two other vulnerabilities in its products. All three are SQL injection vulnerabilities, a class that the cybersecurity nonprofit OWASP Foundation ranks as the third most common type of vulnerability in web applications.

The Cybersecurity and Infrastructure Security Agency said this month in a joint alert with the FBI that Cl0p had started exploiting the MoveIt vulnerability on May 27, 2023. On May 31, Progress informed MoveIt customers of the vulnerability that Cl0p was exploiting.

Brett Callow, a security researcher for Emsisoft, said Wednesday that he had identified 91 institutional victims of the Cl0p attacks to date. The total number of customers and citizens who had data caught up in the breach is not currently known, as investigations into the breaches are ongoing.

"At this point, we don't have good visibility into which organizations have been impacted or the nature of the data that has been exfiltrated, and that makes it impossible to speculate as to the overall seriousness of the incident and its likely impact," Callow said. "That said, it's probably safe to say that Cl0p is now in possession of a massive amount of information that could be used for phishing, identity fraud, etc."

Firms looking to identify which files Cl0p might have stolen can use a guide from cybersecurity firm CrowdStrike to aid their investigation.

Cl0p has been posting names of victims on its data leak site for days and posted additional names as late as Wednesday, according to cybersecurity firm ReliaQuest. The gang is currently holding 50 companies for ransom. While those companies come from multiple industries, financial services is most heavily impacted; more than 25% of the victims being ransomed as of Thursday were in financial services.

State agencies in Illinois, Louisiana, Missouri, and Oregon reported breaches resulting from hackers breaking into MoveIt software. Oregon's department of motor vehicles told state media that 90% of driver licenses and state ID card files were stolen in the attack.


Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, told reporters last week that the attack did not present a "systemic risk to our national security or our nation's networks" the way the 2020 supply chain attack on software vendor SolarWinds did.

"Based on discussions we have had with industry partners ... these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high value information — in sum, as we understand it, this attack is largely an opportunistic one," Easterly said.

Cl0p said on its data leak site that it had deleted all the data it stole from state and federal agencies, a claim security experts have warned not to take too seriously because of the value of such data. Steve Povolny, director of security research at cybersecurity firm Exabeam, said ransomware groups make these kinds of claims to avoid greater liabilities that would make them a weightier target for law enforcement.

"I think the question of whether we should believe anything a malicious nation-state actor claims should be fairly straightforward: Don't trust, and verify," Povolny said.

Correction
This article has been revised to delete a list of bank victims that American Banker was not able to independently verify, and to accurately describe when Progress Software released a patch for its MoveIt product. It was on May 31, not two days later.
June 23, 2023 10:07 AM EDT