The MOVEit vulnerabilities may have been patched by now, but the APT group CLOP is just getting started with its blackmail. A total of 52 names of companies that CLOP claims to have attacked via the MOVEit vulnerability have been published - in some cases even the first data packages or the entire data booty.
Somehow the CLOP group doesn't quite believe its Robin Hood demeanor: the APT group only claims to take money from big companies. The captured data from public and government agencies had already been deleted because the group was not interested in politics. However, some experts are of the opinion that deleting government data is only intended to make fewer enemies. At the same time, the group announces that it will publish even more company names over time, affected by the MOVEit vulnerability and attacked.
Over 52 names published on the dark web
The currently published list of 52 names includes some well-known names. As a German company, there are names such as Heidelberger Druckmaschinen AG. The name Verivox, on the other hand, has disappeared from the list again. However, Verivox itself reports in a press release that data has been lost: “After the security gap became known, Verivox immediately took the MOVEit environment at Verivox offline to prevent unauthorized data access. Subsequent forensics revealed that data about this critical vulnerability had been stolen prior to the shutdown of the MOVEit environment at Verivox.” Since they are no longer on the list, there are three options: the data were of no interest to CLOP, or they negotiate again, or they paid.
Security provider NortonLifeLock was also affected
Internationally, there are some important names on the CLOP list: Shell, the Boston Globe, software manufacturer Nuance, Sony, the auditors Ernst & Young and PWC, the insurer Zurich. It is of course unclear whether all of these companies lost really important data or not. It is also not clear whether any data was stolen via third parties.
For many media, the name NortonLifeLock was particularly interesting as a security provider. At the request of TheCyberexpress management stated that no customer data had been lost. However: "Unfortunately, some personal data of permanent employees and contingent workers was affected, including information such as name, company email address, employee ID number and in a few cases also home address and date of birth," according to a spokesman for NortonLifeLock .
First data published on the dark web
CLOP states that no one other than their group had and used the exploit for the vulnerability. Since some companies have not entered into negotiations, they are now publishing their data. Such as that of the company Heidelberger Druckmaschinen AG. On the dark web, CLOP offers around 750 MB of packed data for download. However, it is questionable whether these are authentic.
Many other companies also do not enter into a deal with CLOP. Of the 52 companies currently listed, all data is already available on the Darknet for about 12 companies, and the first parts of the data are available for another 2. It is good to see that many companies do not pay any money to CLOP and thus do not co-finance further attacks.