Almost 7 million U.S. residents are being notified by a dental benefits provider that their personal information was stolen in one of the biggest single attacks involving the MOVEit file transfer application.
Delta Dental of California and its affiliates, which provide dental benefits to individuals through commercial groups, said the attacker copied subscribers’ names, Delta financial account number or their credit/debit card numbers, along with security access codes, passwords or PIN numbers with the accounts. Passport numbers in some cases were also copied.
According to numbers tracked by Emsisoft, this is the third biggest publicly confirmed data theft from an individual company so far. The biggest is Maximus Inc., a U.S. government services provider, which said information on 11.3 million people was stolen from its MOVEit Transfer system.
The Clop/Cl0p ransomware gang has taken credit for discovering and exploiting a zero day vulnerability allowing it to bypass multifactor authentication on both on-premises and cloud versions of Progress Software’s MOVEit application.
The vulnerability, CVE-2023-34362, has been assigned a severity rating of 9.8 out of 10.
U.S.-based organizations account for 78.4 per cent of known victims, Emsisoft says, Canada-based 13.8 percent and Germany-based 1.4 per cent. The most heavily impacted sectors are education (40.0 percent), health (19.6 percent), and finance and professional services (12.7 percent).
According to researchers at Kroll LLC, the most common technique of compromise involved a dropped web shell to inject a session or create a malicious account. From there, threat actors were able to reauthenticate and use the MOVEit application itself to transfer files.
However, in a few instances, the attacker passed three variables to the web shell: The organization ID, the folder ID and the file name. From there, the web shell utilized MOVEit API calls for file enumeration and data exfiltration. A Python script was used exfiltrate data during the initial wave of co-ordinated and largely automated attacks across MOVEit servers.
Kroll forensic analysis has also seen activity suggesting the Clop gang was likely experimenting with ways to exploit this particular vulnerability as far back as 2021.