If Cl0p is to be believed, they have information from hundreds of organizations. They stated that they oul start releasing names on the 14th which was two days ago (as of this writing). They have kept their promise and we are already starting to see company names. Some of the names include Shell, United Healthcare Student Resources, The University of Georgia (including the University System of Georgia), Heidelberger Druck, Landal Greenparks, Putnam Investments, and more. These companies are in addition to the State of Missouri and Illinois, Extreme Networks, and the American Board of Internal Medicine. In an interesting turn of events Cl0p appears to have removed Greenfield, CA and claims to have deleted all data from US government entities. Greenfield might be due to ongoing ransom negotiations the statement on government agencies comes as US CISA is said to be working with the US DOE) Department of Energy) in relation to a MOVEit data breach. It seems that while Cl0p has no issue with extorting corporations, they do draw the line somewhere (allegedly).
The name disclosures come at a time when even more flaws are being found in the software as researchers and third-party auditors dive into the platform. So far, most of the flaws all revolve around unauthenticated SQL injection attacks that allow for manipulation and/or theft of data. The fact that event after patching the original zero-day there are still major flaw in the web interface that allow for this level of access to the back-end databases. To me there is no way that Progress had a proper security audit and review of their application. If they did, these flaws would not be so easy to identify and build POC (proof of concept) for. Now that the word is out more and more people are going to be looking for holes in MOVEit MFT’s security. This is not just security researchers though; threat actors are also going to jump on the bandwagon and see if they can grab a piece of the pie here. Progress needs to ramp up their efforts on a complete review of the platform and take the recommended steps to remediate these flaws. Anyone using MOVEit outside of cloud versions should remove public access for now and keep things offline until Progress can truly give the “all clear”. Even then steps should be taken to monitor data going in and out of the platform to identify any unusual activity before things go south.