
A repository for tracking events related to the MOVEit Transfer Cl0p Campaign


MOVEit Transfer Hacking Campaign Tracking

  • A repository for tracking events related to the MOVEit Transfer Hacking Campaign
  • Events mapped to the Diamond Model, plus resources and information

Event Summary Diagram


| Publish Date | Type | Description | Source |
|---|---|---|---|
| 31 May | Resource | Initial Vendor Advisory, IOCs | community.progress.com |
| 1 June | Resource | IOCs, Sigma & YARA Rules by Nextron Systems | twitter.com/cyb3rops |
| 1 June | Capabilities | Rapid7 observed exploitation of the critical MOVEit Transfer vulnerability since 27th May 2023, IOCs | rapid7.com |
| 1 June | Infrastructure | GreyNoise has observed scanning activity for the login page of MOVEit Transfer located at /human.aspx as early as March 3rd, 2023 | greynoise.io |
| 1 June | Resource | CrowdStrike shared FQL rules | r/crowdstrike |
| 1 June | Capabilities | Huntress analysis of the MOVEit Transfer vulnerability, IOCs | huntress.com |
| 1 June | Capabilities | TrustedSec MOVEit Transfer campaign analysis, IOCs | trustedsec.com |
| 2 June | Resource | YARA rules for the Web Shell | github.com/AhmetPayaslioglu |
| 2 June | Resource | Sigma rule for MOVEit exploitation | github.com/tsale |
| 2 June | Resource | MOVEit Web Shell Checker | github.com/ZephrFish |
| 2 June | Information | CVE-2023-34362 in MOVEit Transfer added to the NIST National Vulnerability Database | nvd.nist.gov |
| 2 June | Capabilities | Mandiant campaign analysis, IOCs, YARA rules | mandiant.com |
| 2 June | Information | CVE-2023-34362 in MOVEit Transfer added to the CISA Known Exploited Vulnerabilities (KEV) catalog | cisa.gov |
| 2 June | Adversary | Microsoft formally attributed the MOVEit Transfer campaign to the threat group called CL0P (aka Lace Tempest, FIN11, TA505) | twitter.com/MsftSecIntel |
| 2 June | Victim | The University of Rochester mentions a "data breach, which resulted from a software vulnerability in a product provided by a third-party file transfer company, has affected the University and approximately 2,500 organizations worldwide." | rochester.edu |
| 5 June | Resource | Identifying Data Exfiltration in MOVEit Transfer Investigations | crowdstrike.com |
| 5 June | Victim | Austrian Financial Market Authority (FMA) files stolen from MOVEit software | ots.at |
| 5 June | Victim | Zellis' MOVEit Transfer breached, impacting British Airways, BBC, Boots, and Aer Lingus, potentially others | therecord.media |
| 5 June | Adversary | Clop ransomware claims responsibility for MOVEit extortion attacks via a ransom note on their leak site | bleepingcomputer.com |
| 6 June | Victim | University of Rochester and the Government of Nova Scotia are the first known MOVEit victims in North America | therecord.media |
| 6 June | Capabilities | Unit42's analysis of MOVEit attacks, also observed attacks starting on 27 May, additional IOCs | unit42.paloaltonetworks.com |
| 7 June | Adversary | Clop ransomware tells those affected to email them before 14 June or stolen data will be published | BBC |
| 7 June | Victim | BORN Ontario announces MOVEit breach | bornontario.ca |
| 7 June | Adversary/Capabilities | FBI & CISA joint advisory on CL0P, details about other TA505 campaigns, and other incidents such as the GoAnywhere attacks, IOCs, YARA rules | cisa.gov |
| 7 June | Victim/Capabilities | SentinelOne's campaign analysis, hunting queries, IOCs | sentinelone.com |
| 7 June | Victim | Extreme Networks declares having learned that their instance of the MOVEit Transfer tool was impacted by a malicious act | computerweekly.com |
| 8 June | Capabilities | Kroll's timeline of the campaign (dating it back to 2021), IOCs | kroll.com |
| 8 June | Victim | Synlab issues a press release acknowledging being a victim of Cl0p's MOVEit campaign | synlab.fr |
| 9 June | Resource | Progress Software issues a new patch covering new vulnerabilities | progress.com |
| 9 June | Victim | Illinois government among victims of global ransomware attack | chicagotribune.com |
| 9 June | Victim | Minnesota Department of Education hit by cybersecurity attack | cbsnews.com |
| 9 June | Victim | HSE states no more than 20 people's data breached in cyber-attack | hse.ie |
| 9 June | Capabilities | Horizon3AI's analysis of the MOVEit Transfer campaign, accompanied by a Proof-of-Concept (PoC) for CVE-2023-34363, and IOCs | horizon3.ai |
| 9 June | Victim | Landal informs guests about a data breach (MOVEit) | landal.com |
| 12 June | Victim | Ofcom (the UK's communications regulator) and Ernst & Young (EY), one of the 'Big 4' accounting firms, named as victims | bbc.co.uk |
| 13 June | Victim | Transport for London (TfL) is warning 13,000 staff - half its entire workforce - that their details have been stolen by CL0P via the MOVEit Transfer hack of the payroll outsourcer Zellis | twitter.com/gazthejourno |
| 13 June | Victim | Prudential Assurance Malaysia Berhad (PAMB) and Prudential BSN Takaful Berhad (PruBSN) confirm that they are among many companies around the world affected by the global MOVEit data-theft attack | prudential.com.my |
| 13 June | Victim | State of Missouri issues statement on recent global cyberattack | oa.mo.gov |
| 14 June | Victim | Victims listed on CL0P's leak site: 1st Source Bank, Datasite LLC, First National Bankers Bankshares Inc (FNBB), Green Shield (health services organization in Canada, only payer-provider in Canada), Heidelberger, Leggett & Platt, National Student Clearinghouse, ÖKK Kranken- und Unfallversicherungen AG, Putnam Investments, United HealthCare Services Inc, Shell, and the University of Georgia | CL0P Data Leak Site |
| 14 June | Victim | Johns Hopkins University | Baltimore Sun |
| 15 June | Victim | Victims added to CL0P's leak site: healthequity[.]com, synlab[.]fr, cuanswers[.]com, navaxx[.]lu, delawarelife[.]com, 316fiduciaries[.]com, enzo[.]com, careservicesllc[.]com, genericon[.]at, brault[.]us, aplusfcu[.]org, barharbor[.]bank, powerfi[.]org, eastwestbank[.]com | CL0P Data Leak Site |
| 15 June | Victim | BleepingComputer receives PR communications from victims of CL0P | bleepingcomputer.com |
| 15 June | Victim | US Department of Energy: Oak Ridge Associated Universities and Waste Isolation Pilot Plant (New Mexico) announce MOVEit breaches | federalnewsnetwork.com |
| 15 June | Resource | Progress Software issues an advisory of a 3rd vulnerability (no CVE or patch) | progress.com |
| 15 June | Victim | Louisiana Office of Motor Vehicles | la.gov |
| 16 June | Resource | Progress Software issues fix for the 3rd vulnerability (no CVE) | progress.com |
| 16 June | Victim | Oregon Department of Transportation (ODOT) announces MOVEit breach | oregon.gov |
| 16 June | Victim | marti[.]com (Marti Group, Switzerland, Construction), pragroup[.]no (PRA Group, Norway, Finance (Debt)), columbiabank[.]com / umpquabank[.]com (Umpqua Bank, USA, Finance), umsystem[.]edu (University of Missouri System, USA, Education), icsystem[.]com (IC System, USA, Finance (Debt)), arburg[.]com (ARBURG, Germany, Manufacturing (Plastics processing machines)), bostonglobe[.]com (Boston Globe, USA, Newspaper), cncbinternational[.]com (China CITIC Bank International Limited, Hong Kong, Finance), stiwa[.]com (Stiwa Group, Austria, Automation), cegedim[.]com (Cegedim, France, Tech/outsourcing services), aon[.]com (Aon PLC, Ireland, Professional Services), nuance[.]com (Nuance, USA, AI Tech) | CL0P Data Leak Site |
| 16 June | Adversary | CL0P claims on their leak site they "deleted all government data," are "only financial motivated [sic]," and "do not care anything about politicis [sic]" | CL0P Data Leak Site |