The number of victims of MOVEit file transfer software continues to grow, and the victims now include several U.S. government agencies.
Even though the full list of agencies targeted was not disclosed by CISA, it was revealed that the Department of Energy was one of those targeted.
Multiple sources claims that Oak Ridge Associated Universities and the DOE’s Waste Isolation Pilot Plant near Carlsbad, New Mexico, experienced data breaches involving the MOVEit vulnerability. The DOE confirmed the report, although it noted that it did not affect agency data.
It is believed that more and more victims continue to come to light. Since a report last week detailing victims, including the BBC, British Airways Plc and the pharmacy chain Boots UK Ltd., had been targeted through a MOVEit attack on payroll company Zellis UK Ltd., the list of victims has grown.
Clop has listed thirteen companies and organizations on its dark web leaks site. Several of those listed have since confirmed that they have been victims: Shell Plc, UnitedHealthcare Student Resources, the University of Georgia, the University System of Georgia, Heidelberger Druckmaschinen AG and Landal Greenparks.
Clop is also reportedly demanding that victims pay a ransom, or they will start publishing stolen data on June 21.
MOVEit is managed file transfer software designed to provide secure and compliant file transfers for sensitive data within and between organizations. The vulnerability, officially designated CVE-2023-34362, allows an unauthenticated, remote attacker to send a specially crafted SQL injection to a vulnerable MOVEit Transfer instance.