Last week I chatted with @mattburgess at WIRED about the long tail of fallout from #MOVEit. Read my comments and the excellent article by Matt and @lhn here:
Progress Software is having an interesting time. First #MOVEit, now multiple #vulnerability disclosures for their #WS_FTP product. The silver lining here is that it doesn’t look like any of these are known to have been exploited in the wild. (Yet?)
But out of curiosity, we looked at the Internet exposure of WS_FTP instances with the Ad Hoc Transfer module installed, read about it here ⬇️
The National Student Clearinghouse has submitted a notification to the California AG listing almost 900 schools which were impacted by #MOVEit. How many current and former students were affected remains unclear.
This week, Nuance (a MSFT-owned tech firm) disclosed a number of their clients who are HIPAA-covered entities were affected by the MOVEit breach. They did not reveal numbers and their disclosure is not on HHS's public breach tool yet.
MOVEit, the biggest hack of the year, by the numbers
on August 25, the number of known victim organizations crossed the 1,000 milestone and the number of impacted individuals surpassed the 60 million mark
US-based organizations account for 83.9% of known corporate victims
$9,923,771,385 - is the estimated total cost of the MOVEit mass-hacks so far
RiteAid was just one of many victims of the #MOVEit#databreach by #Clop. Now they're being sued by plaintiffs who call them "reckless" and "negligent" for not having encrypted the protected health information.
Imagine if every covered entity or business associate who didn't encrypt #PHI got hacked was sued over a vendor breach.
In this day and age where healthcare entities are under siege, is it somewhat reckless or negligent not to encrypt? And if not, will it ever be generally considered reckless and negligent?
#Cybersecurity#Hacking#MOVEit: "Just as the number of known victim organizations crossed the 1,000 milestone on August 25, the number of impacted individuals also surpassed the 60 million mark.
This figure, published by Emsisoft, is sourced from state breach notifications, SEC regulatory filings and other public disclosures. Emsisoft notes that while there will invariably be some overlap in terms of individuals impacted, the number is only likely to increase as more organizations continue to confirm MOVEit-related data breaches.
U.S.-based organizations account for 83.9% of known MOVEit corporate victims, according to Emisoft’s researchers. Organizations in Germany account for about 3.6% of total victims, followed by Canadian companies at 2.6% and firms in the United Kingdom at 2.1%."
#Cl0p has listed multiple companies claimed to be clients of EY including #AirCanada, #UofT, #Telus and #CRA Electronic Resources. Cl0p has also posted multiple zip files. Which, if any, of the companies the zips relate to is not stated. #MOVEit
Clop just removed Maximus - which provides IT for Medicaid, Medicare and more gov't programs - after the company confirmed 10 million people may have had their info accessed
Deloitte confirmed to me that they were affected: "Our analysis determined that our global network use of the vulnerable MOVEit Transfer software is limited. Having conducted our analysis, we have seen no evidence of impact to client data."
"Immediately upon becoming aware of this zero-day vulnerability, Deloitte applied the vendor’s security updates and performed mitigating actions in accordance with the vendor’s guidance."
According to Emsisoft, there are now more than 500 victims.
A bunch of people have alerted me to a vulnerability in #MoveIT, a secure file transfer app used heavily in the UK.
I did some digging and it looks like it’s a zero day under active exploitation. Not 100% on threat actor yet but it may be one of the ransomware/extortion groups.
Really serious, impacted orgs should shut down the server. Thread follows. #threatintel