| Date (2023) | Category | Description | Source |
|---|---|---|---|
| 31 May | Resource | Initial vendor advisory, IOCs | community.progress.com |
| 1 June | Resource | IOCs, Sigma and YARA rules by Nextron Systems | twitter.com/cyb3rops |
| 1 June | Capabilities | Rapid7 observed exploitation of the critical MOVEit Transfer vulnerability since 27 May 2023, IOCs | rapid7.com |
| 1 June | Infrastructure | GreyNoise observed scanning activity for the MOVEit Transfer login page at /human.aspx as early as 3 March 2023 | greynoise.io |
| 1 June | Resource | CrowdStrike shared FQL rules | r/crowdstrike |
| 1 June | Capabilities | Huntress analysis of the MOVEit Transfer vulnerability, IOCs | huntress.com |
| 1 June | Capabilities | TrustedSec MOVEit Transfer campaign analysis, IOCs | trustedsec.com |
| 2 June | Resource | YARA rules for the web shell | github.com/AhmetPayaslioglu |
| 2 June | Resource | Sigma rule for MOVEit exploitation | github.com/tsale |
| 2 June | Resource | MOVEit Web Shell Checker | github.com/ZephrFish |
| 2 June | Information | CVE-2023-34362 in MOVEit Transfer added to the NIST National Vulnerability Database | nvd.nist.gov |
| 2 June | Capabilities | Mandiant campaign analysis, IOCs, YARA rules | mandiant.com |
| 2 June | Information | CVE-2023-34362 in MOVEit Transfer added to the CISA Known Exploited Vulnerabilities (KEV) catalog | cisa.gov |
| 2 June | Adversary | Microsoft formally attributed the MOVEit Transfer campaign to the threat group CL0P (aka Lace Tempest, FIN11, TA505) | twitter.com/MsftSecIntel |
| 2 June | Victim | The University of Rochester mentions a "data breach, which resulted from a software vulnerability in a product provided by a third-party file transfer company, has affected the University and approximately 2,500 organizations worldwide." | rochester.edu |
| 5 June | Resource | Identifying Data Exfiltration in MOVEit Transfer Investigations | crowdstrike.com |
| 5 June | Victim | Austrian Financial Market Authority (FMA) files stolen via MOVEit software | ots.at |
| 5 June | Victim | Zellis' MOVEit Transfer breached, impacting British Airways, BBC, Boots, and Aer Lingus, potentially others | therecord.media |
| 5 June | Adversary | Clop ransomware claims responsibility for the MOVEit extortion attacks via a ransom note on its leak site | bleepingcomputer.com |
| 6 June | Victim | University of Rochester and the Government of Nova Scotia are the first known MOVEit victims in North America | therecord.media |
| 6 June | Capabilities | Unit42's analysis of the MOVEit attacks; also observed attacks starting on 27 May; additional IOCs | unit42.paloaltonetworks.com |
| 7 June | Adversary | Clop ransomware tells those affected to email them before 14 June or the stolen data will be published | BBC |
| 7 June | Victim | BORN Ontario announces MOVEit breach | bornontario.ca |
| 7 June | Adversary/Capabilities | FBI and CISA joint advisory on CL0P, with details about other TA505 campaigns and other incidents such as the GoAnywhere attacks, IOCs, YARA rules | cisa.gov |
| 7 June | Victim/Capabilities | SentinelOne's campaign analysis, hunting queries, IOCs | sentinelone.com |
| 7 June | Victim | Extreme Networks states it has learned that its MOVEit Transfer instance was impacted by a malicious act | computerweekly.com |
| 8 June | Capabilities | Kroll's timeline of the campaign (dating it back to 2021), IOCs | kroll.com |
| 8 June | Victim | Synlab issues a press release acknowledging being a victim of Cl0p's MOVEit campaign | synlab.fr |
| 9 June | Resource | Progress Software issues a new patch covering new vulnerabilities | progress.com |
| 9 June | Victim | Illinois government among victims of global ransomware attack | chicagotribune.com |
| 9 June | Victim | Minnesota Department of Education hit by cybersecurity attack | cbsnews.com |
| 9 June | Victim | HSE states no more than 20 people's data was breached in the cyber-attack | hse.ie |
| 9 June | Capabilities | Horizon3AI's analysis of the MOVEit Transfer campaign, accompanied by a proof-of-concept (PoC) for CVE-2023-34363, and IOCs | horizon3.ai |
| 9 June | Victim | Landal informs guests about a data breach (MOVEit) | landal.com |
| 12 June | Victim | Ofcom (the UK's communications regulator) and Ernst & Young (EY), one of the 'Big 4' accounting firms, are among the victims | bbc.co.uk |
| 13 June | Victim | Transport for London (TfL) is warning 13,000 staff - half its entire workforce - that their details have been stolen by CL0P via the Zellis payroll outsourcer MOVEit Transfer hack | twitter.com/gazthejourno |
| 13 June | Victim | Prudential Assurance Malaysia Berhad (PAMB) and Prudential BSN Takaful Berhad (PruBSN) confirm that they "are among many companies around the world that have been affected by the global MOVEit data-theft attack" | prudential.com.my |
| 13 June | Victim | State of Missouri issues statement on recent global cyberattack | oa.mo.gov |
| 14 June | Victim | Victims listed on CL0P's leak site: 1st Source Bank, Datasite LLC, First National Bankers Bankshares Inc (FNBB), Green Shield (health services organization in Canada, the only payer-provider in Canada), Heidelberger, Leggett & Platt, National Student Clearinghouse, ÖKK Kranken- und Unfallversicherungen AG, Putnam Investments, United HealthCare Services Inc, Shell, and the University of Georgia | CL0P Data Leak Site |
| 14 June | Victim | Johns Hopkins University | Baltimore Sun |
| 15 June | Victim | Victims added to CL0P's leak site: healthequity[.]com, synlab[.]fr, cuanswers[.]com, navaxx[.]lu, delawarelife[.]com, 316fiduciaries[.]com, enzo[.]com, careservicesllc[.]com, genericon[.]at, brault[.]us, aplusfcu[.]org, barharbor[.]bank, powerfi[.]org, eastwestbank[.]com | CL0P Data Leak Site |
| 15 June | Victim | BleepingComputer receives PR communications from victims of CL0P | bleepingcomputer.com |
| 15 June | Victim | US Department of Energy: Oak Ridge Associated Universities and the Waste Isolation Pilot Plant (New Mexico) announce MOVEit breaches | federalnewsnetwork.com |
| 15 June | Resource | Progress Software issues an advisory for a third vulnerability (no CVE or patch) | progress.com |
| 15 June | Victim | Louisiana Office of Motor Vehicles | la.gov |
| 16 June | Resource | Progress Software issues a fix for the third vulnerability (no CVE) | progress.com |
| 16 June | Victim | Oregon Department of Transportation (ODOT) announces MOVEit breach | oregon.gov |
| 16 June | Victim | marti[.]com (Marti Group, Switzerland, Construction), pragroup[.]no (PRA Group, Norway, Finance (Debt)), columbiabank[.]com / umpquabank[.]com (Umpqua Bank, USA, Finance), umsystem[.]edu (University of Missouri System, USA, Education), icsystem[.]com (IC System, USA, Finance (Debt)), arburg[.]com (ARBURG, Germany, Manufacturing (Plastics processing machines)), bostonglobe[.]com (Boston Globe, USA, Newspaper), cncbinternational[.]com (China CITIC Bank International Limited, Hong Kong, Finance), stiwa[.]com (Stiwa Group, Austria, Automation), cegedim[.]com (Cegedim, France, Tech/outsourcing services), aon[.]com (Aon PLC, Ireland, Professional Services), nuance[.]com (Nuance, USA, AI Tech) | CL0P Data Leak Site |
| 16 June | Adversary | CL0P claims on its leak site that it "deleted all government data," is "only financial motivated [sic]," and does "not care anything about politicis [sic]" | CL0P Data Leak Site |