US health dept, law firms join list of MOVEit victims

The US Department of Health and Human Services (HHS) and several major US law firms are the latest MOVEit victims claimed by the Cl0p ransomware gang.

A source confirmed on Wednesday that HHS was among those affected by the far-reaching hack centered on a piece of software called MOVEit Transfer.

“While no HHS systems or networks were compromised, attackers gained access to data by exploiting the vulnerability in the MOVEit Transfer software of third-party vendors,” a US health department official familiar with the matter said.

It’s the second US federal agency to have said it was affected in the Russian-linked Cl0p exploit of the MOVEit file transfer platform, made and distributed by the American software company Progress.

The US Energy Department was identified by the Cybersecurity and Infrastructure Security Agency (CISA) as one of the multiple federal agencies hit in the attacks on June 16 - part of the hundreds of organizations worldwide caught up in the Cl0p spree.

CISA “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” CISA executive assistant director Eric Goldstein said at the time.

CISA director Jen Easterly had also said there was minimal impact from those attacks.

Also on Wednesday, Cl0p posted the names of two major multi-national law firms on its leak site: client services firm Kirkland & Ellis LLP, based in New York City, and corporate law firm K&L Gates LLP, headquartered in Pittsburgh, Pennsylvania. Neither firm has confirmed the hack.

Minnesota business firm The Harrington Company and City National Bank in Miami, Florida, were added to Cl0p's site early Thursday morning.

[Image: Cl0p more victims named (Cl0p leak site)]

Cl0p – said to have exploited the MOVEit zero-day bug via SQL database injection – threatened to release the names of its victims, and publish their stolen data, if they did not meet its ransom demand by June 14th.

On its dark leak site, Cl0p has vowed to delete any government data, claiming it is only interested in holding private businesses accountable for their security deficiencies.

Even so, sources say tens of thousands of records held by the HHS could have been exposed.

[Image: Cl0p message to US government (Cl0p leak site)]

Other major players named in the MOVEit attacks this week include Siemens Energy, UCLA, and the New York City Department of Education, where the names of 45,000 students were exposed.

Last week, the gang claimed two of the Big Four accounting firms, PricewaterhouseCoopers (PwC) and Ernst & Young, as well as Sony.

The gang is also responsible for a similar attack exploiting a zero-day vulnerability in the Fortra GoAnywhere file management system, which compromised at least 130 organizations this past spring.

"They aren't going away," Trend Micro vice president Jon Clay said about the ransomware group. "Unless the heat gets on them very bad."

On June 19th, the US government announced a $10 million reward for any information on Cl0p gang members.