Skip to content

curated-intel/MOVEit-Transfer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 

Repository files navigation

image

MOVEit Transfer Hacking Campaign Tracking

  • A repository for tracking events related to the MOVEit Transfer Hacking Campaign
  • Events mapped to the Diamond Model, plus resources and information

Event Summary Diagram

image

Publish Date Type Description Source
31 May Resource Initial Vendor Advisory, IOCs community.progress.com
1 June Resource IOCs, Sigma & YARA Rules by Nextron Systems twitter.com/cyb3rops
1 June Capabilities Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability since 27th Mary 2023, IOCs rapid7.com
1 June Infrastructure GreyNoise has observed scanning activity for the login page of MOVEit Transfer located at /human.aspx as early as March 3rd, 2023 greynoise.io
1 June Resource CrowdStrike shared FQL rules r/crowdstrike
1 June Capabilities Huntress analysis of the MOVEit Transfer vulnerability, IOCs huntress.com
1 June Capabilities TrustedSec MOVEit Transfer campaign analysis, IOCs trustedsec.com
2 June Resource YARA rules for the Web Shell github.com/AhmetPayaslioglu
2 June Resource Sigma rule for MOVEit exploitation github.com/tsale
2 June Resource MOVEit Web Shell Checker github.com/ZephrFish
2 June Information CVE-2023-34362 in MOVEit Transfer added to the NIST National Vulnerability Database nvd.nist.gov
2 June Capabilities Mandiant campaign analysis, IOCs, YARA rules mandiant.com
2 June Information CVE-2023-34362 in MOVEit Transfer added to the CISA Known Exploited Vulnerability (KEV) Database cisa.gov
2 June Adversary Microsoft formally attributed the MOVEit Transfer campaign to the threat group called CL0P (aka Lace Tempest, FIN11, TA505) twitter.com/MsftSecIntel
2 June Victim The University of Rochester mentions a "data breach, which resulted from a software vulnerability in a product provided by a third-party file transfer company, has affected the University and approximately 2,500 organizations worldwide." rochester.edu
5 June Resource Identifying Data Exfiltration in MOVEit Transfer Investigations crowdstrike.com
5 June Victim Austrian Financial Market Authority (FMA) files stolen from MOVEit software ots.at
5 June Victim Zellis' MOVEit Transfer breached, impacting British Airways, BBC, Boots, and Aer Lingus, potentially others therecord.media
5 June Adversary Clop ransomware claims responsibility for MOVEit extortion attacks via a ransom note on their leak site bleepingcomputer.com
6 June Victim University of Rochester and the Government of Nova Scotia are the first known MoveIT victims in North America therecord.media
6 June Capabilities Unit42's analysis of MOVEit attacks, also observed attacks starting on 27 May, additional IOCs unit42.paloaltonetworks.com
7 June Adversary Clop ransomware tells those affected to email them before 14 June or stolen data will be published BBC
7 June Victim BORN Ontario announces MOVEit breach bornontario.ca
7 June Adversary/Capabilities FBI & CISA joint advisory on CL0P, details about other TA505 campaigns, and other incidents such as the GoAnywhere attacks, IOCs, YARAs cisa.gov
7 June Victim/Capabilities SentinelOne's campaign analysis, hunting queries, IOCs sentinelone.com
7 June Victim Extreme Networks declares having learned that their instance of MOVEit Transfer tool was impacted by a malicious act computerweekly.com
8 June Capabilities Kroll's Timeline of the campaign (dating it back to 2021), IOCs kroll.com
8 June Victim Synlad issues a press release acknowledging being a victim of Cl0p's MOVEit campaign synlab.fr
9 June Resource Progress Software issues a new patch covering new vulnerabilities (CVE-2023-35036) progress.com
9 June Victim Illinois government among victims of global ransomware attack chicagotribune.com
9 June Victim Minnesota Department of Education hit by cybersecurity attack cbsnews.com
9 June Victim HSE states no more than 20 people's data breached in cyber-attack hse.ie
9 June Capabilities Horizon3AI's analysis of the MOVEit Transfer campaign, accompanied by a Proof-of-Concept (PoC) for CVE-2023-34363, and IOCs horizon3.ai
9 June Victim Landal informs guests about a data breach (MOVEit) landal.com
12 June Victim Ofcom (the UK’s communications regulator) and Ernst & Young (EY), one of the 'Big 4' accounting firms bbc.co.uk
13 June Victim Transport for London (TfL) is warning 13,000 staff - half its entire workforce - that their details have been stolen by CL0P, via following the Zellis payroll outsourcer MOVEit Transfer hack twitter.com/gazthejourno
13 June Victim Prudential Assurance Malaysia Berhad (PAMB) and Prudential BSN Takaful Berhad (PruBSN) can confirm that we are among many companies around the world that have been affected by the global MOVEit data-theft attack prudential.com.my
13 June Victim State of Missouri Issues Statement on Recent Global Cyberattack oa.mo.gov
14 June Victim Victims Listed on CL0P's leak site: 1st Source Bank, Datasite LLC, First National Bankers Bankshares Inc (FNBB), Green Shield (health services organization in Canada, only payer-provider in Canada), Heidelberger, Leggett & Platt, National Student Clearinghouse, ÖKK Kranken- und Unfallversicherungen AG, Putnam Investments, United HealthCare Services Inc, Shell, and the University of Georgia CL0P Data Leak Site
14 June Victim Johns Hopkins University Baltimore Sun
15 June Victim Victims added to CL0P's leak site: healthequity[.]com, synlab[.]fr, cuanswers[.]com, navaxx[.]lu, delawarelife[.]com, 316fiduciaries[.]com, enzo[.]com, careservicesllc[.]com, genericon[.]at, brault[.]us, aplusfcu[.]org, barharbor[.]bank, powerfi[.]org, eastwestbank[.]com CL0P Data Leak Site
15 June Victim BleepingComputer receives PR communications from victims of CL0P bleepingcomputer.com
15 June Victim US Department of Energy: Oak Ridge Associated Universities and Waste Isolation Pilot Plant (New Mexico) announce MOVEit breaches federalnewsnetwork.com
15 June Resource Progress Software issues an advisory of a 3rd vulnerability (No CVE or patch) progress.com
15 June Victim Louisiana Office of Motor Vehicles la.gov
16 June Resource Progress Software issues fix of 3rd vulnerability (No CVE) progress.com
16 June Victim Oregon Department of Transportation (ODOT) announces MOVEit breach oregon.gov
16 June Victim marti[.]com (Marti Group, Switzerland, Construction), pragroup[.]no (PRA Group, Norway, Finance (Debt)), columbiabank[.]com / umpquabank[.]com (Umpqua Bank, USA, Finance), umsystem[.]edu (University Of Missouri System, USA, Education, icsystem[.]com (IC System, USA, Finance (Debt)), arburg[.]com (ARBURG, Germany, Manufacturing (Plastics processing machines)), bostonglobe[.]com (Boston Globe, USA, Newspaper), cncbinternational[.]com (China CITIC Bank International Limited, Hong Kong, Finance), stiwa[.]com (Stiwa Group, Austria, Automation), cegedim[.]com (Cegedim, France, Tech/outsourcing services), aon[.]com (Aon PLC, Ireland, Professional Services), nuance[.]com (Nuance, USA, AI Tech) CL0P Data Leak Site
16 June Adversary CL0P claims on their leak site they "deleted all government data," are "only financial motivated [sic]," and, "do not care anything about politicis [sic]" CL0P Data Leak Site
16 June Capabilities CrowdStrike reports on a second critical MOVEit vulnerability (CVE-2023-35708) being exploited in the wild r/crowdstrike
19 June Victim palig.com (Panamerican), gesa.com (Gesa - USA - Finance (Credit Union)), telos.com (Telos - USA - Cyber Security), scu.edu (Santa Clara University - USA), skillsoft.com (Skillsoft - USA - Training programs), creelighting.com (IDEAL Industries Inc), nortonlifelock.com (Norton), stockmanbank.com (Stockman Bank - Montana, USA - Finance), baesman.com (Customer Relationship Management (CRM) software - USA), emsshi.com (Electronic Management Support and Services, Inc. - Hawaii, USA), cbeservices.com (CBE Services - Australia - Construction), zurich.com.br (Zurich Seguros - Brazil - Insurance) CL0P Data Leak Site
21 June Victim Cegedim didn't find any sign of compromise until June 9th, when they discovered new IOCs lemagit.fr
21 June Adversary CL0P wrote a statement saying the BBC is spreading propaganda for their own interest. They also claim they have deleted data from "30 companies that are government" and reasserted they are all about business and not politics. CL0P Data Leak Site
23 June Victim andesaservices.com (Andesa Services, Insurance, US), sony.com (Sony, Technology/Media, Japan), ey.com (Ernst & Young, Consulting, UK), pwc.com (PricewaterhouseCoopers, Consulting, UK), guscanada.ca (Global University Systems (GUS) Canada, Education, Canada) CL0P Data Leak Site
23 June Victim Harris Health System abc13.com
23 June Victim NYC DoE ny.chalkbeat.org
26 June Victim Wilton Reassurance Company apps.web.maine.gov
27 June Victim MSAMLIN[.]COM, WERUM[.]COM, SE[.]COM (Schneider Electric), SIEMENS-ENERGY[.]COM, UCLA[.]EDU (University of California, Los Angeles), ABBVIE[.]COM, PROSKAUER[.]COM, KIRKLAND[.]COM (KIRKLAND & ELLIS LLP), KOTAKLIFE[.]COM, STARMOUNTLIFE[.]COM, JACKSON[.]COM, CARESOURCE[.]COM, SAPIENS[.]COM, ENSTARGROUP[.]COM, COGNIZANT[.]COM, DELTADENTAL[.]COM, CPIAI[.]COM, DARLINGCONSULTING[.]COM CL0P Data Leak Site
27 June Victim Allegiant Air discloses exposure to MOVEit breach on 1 June 2023 twitter.com/bettercyber
28 June Victim Bloomberg reports that US Department of Health and Human Services (HHS) is impacted by the MOVEit breach due to a third-party incident. Records from more than 15 million compromised. bloomberg.com
29 June Victim KLGATES[.]COM, CITYNATIONAL[.]COM, HARRINGTONCOMPANY[.]COM, SOVOS[.]COM, RHENUS[.]GROUP, VERICAST[.]COM, IRONBOW[.]COM, DIGITALINSIGHT[.]COM, FISGLOBAL[.]COM, HORNBECKOFFSHORE[.]COM, CLICKSGROUP[.]CO[.]ZA, TRELLISWARE[.]COM, ENCORECAPITAL[.]COM CL0P Data Leak Site
4 July Information Infosecurity Magazine Podcast on the CL0P campaign infosecurity-magazine.com
6 July Information Progress Software has released a Service Pack to address three newly disclosed vulnerabilities (CVE-2023-36934, CVE-2023-36932, CVE-2023-36933) in MOVEit Transfer community.progress.com
7 July Information Huntress' Joe Slowik blogs about Reflecting on the MOVEit Exploitation huntress.com
10 July Victim DURR[.]COM, BARRICK[.]COM, BRADYID[.]COM, TDECU[.]ORG, UNITEDREGIONAL[.]ORG, KYBURZDRUCK[.]CH, CIENA[.]COM, NORGREN[.]COM, MERATIVE[.]COM, QUORUMFCU[.]ORG, TRANSPERFECT[.]COM, NEWERATECH[.]COM, BANKWITHUNITED[.]COM, CADENCEBANK[.]COM, WOLTERSKLUWER[.]COM, NETSCOUT[.]COM, PAYCOR[.]COM, ENERGYTRANSFER[.]COM, DELARUE[.]COM, TDAMERITRADE[.]COM, L8SOLUTIONS[.]CO[.]UK, UOFLHEALTH[.]ORG, KERNAGENCY[.]COM, FISCDP[.]COM, MARYKAY[.]COM, CYTOMX[.]COM, USG[.]EDU, AMERICANNATIONAL[.]COM, BCDTRAVEL[.]COM, AUTOZONE[.]COM, CROWE[.]COM CL0P Data Leak Site
10 July Victim Deutsche Bank, Postbank, Comdirect, ING via Majorel handelsblatt.com
10 July Adversary CL0P writes about an exchange they had with TD Ameritrade. The victim seemingly tried to negotiate with CL0P and offered $4 million USD to pay the ransom. The initial ransom demand is currently unknown, but likely higher. CL0P confirms that they stole the data from a "file transfer" server (MOVEit) and claims to have stolen "262gb + archives". CL0P Data Leak Site
10 July Capabilities Sophos analyzes CL0P's 2023 data extortion campaigns targeting GoAnywhere, PaperCut, and MOVEit servers news.sophos.com
11 July Victim RADISSONHOTELSAMERICAS[.]COM, WESTAT[.]COM, JPRMP[.]COM, FMFCU[.]ORG, JHU[.]EDU, VISIONWARE[.]CA, UMASSMED[.]EDU, VRM[.]DE, SMA[.]DE, RICOHACUMEN[.]COM, EMERSON[.]COM, TOMTOM[.]COM, BAM[.]COM[.]GT, PIONEERELECTRONICS[.]COM, RITEAID[.]COM, ARVATO[.]COM, SCCU[.]COM, AGILYSYS[.]COM, KALEAERO[.]COM, CONSOLENERGY[.]COM CL0P Data Leak Site
12 July Victim RADIUSGS[.]COM, CLEARESULT[.]COM, HONEYWELL[.]COM, NASCO[.]COM, JACKENTERTAINMENT[.]COM, AINT[.]COM, AMCTHEATRES[.]COM, SLB[.]COM, GRIPA[.]ORG CL0P Data Leak Site
12 July Victim Tennet security.nl
14 July Victim Jones Lang LaSalle (JLL) Human Resources twitter.com
19 July Victim Updated Additional Victims: PAYCOM[.]COM, MOTHERSON[.]COM, ASPENTECH[.]COM, DISCOVERY[.]COM, SHUTTERFLY[.]COM, ROCHESTER[.]EDU, YAKULT[.]COM[.]PH, UFCU[.]ORG, VOSS[.]NET, JTI[.]COM, REPSOLSINOPECUK[.]COM, PINNACLETPA[.]COM, ARIETISHEALTH[.]COM, SCHNABEL-ENG[.]COM, MYCWT[.]COM, HESS[.]COM, PRGX[.]COM, GRACE[.]COM, NOTABLEFRONTIER[.]COM, TJX[.]COM, VITESCO-TECHNOLOGIES[.]COM, VALMET[.]COM, FMGL[.]COM[.]AU, DESMI[.]COM, CFINS[.]COM, COMPUCOM[.]COM, SIERRAWIRELESS[.]COM, RCI[.]COM, AA[.]COM, JONASFITNESS[.]COM, COMREG[.]IE, SMC3[.]COM, ITT[.]COM, ALLEGIANTAIR[.]COM, OFCOM[.]ORG[.]UK, ESTEELAUDER[.]COM, BLUEFIN[.]COM, VENTIVTECH[.]COM, DMA[.]US, PWCCLINETSANDDOCUMENTS[.]COM CL0P Data Leak Site
19 July Victim CL0P created a dedicated domain to publish the data they claim they stole from the PwC MOVEit server CL0P Data Leak Site

Releases

No releases published

Packages

No packages published