The massive software supply chain hack exploiting the MOVEit Transfer vulnerability has yielded yet more victims including US government agencies and Shell. Cl0p, the ransomware gang behind the attack, has added a host of other companies that have been compromised in the attack to its dark web blog, and given them a deadline of 21 June to pay a ransom or face the data being published. The exact number of victims is unclear, but Cl0p claims on the blog to have infiltrated “hundreds” of companies.

Shell Oil hit in ongoing MOVEit attack. (Photo by Siron Photography/Shutterstock)

The deadline for the first batch of high-profile victims, which included the BBC and British Airways (BA) passed yesterday. No data has been released at the time of writing, and it is not clear if any ransom demands have been met.

Cl0p ransomware posts new victims of MOVEit Transfer vulnerability

The attack, utilising a zero-day vulnerability in the widely used file transfer software MOVEit Transfer, began earlier this month. A zero-day vulnerability is a software flaw that has not yet been disclosed to the vendor and consequently has no workarounds or patches, making it a holy grail for cybercriminals.

Many of the UK victims saw data stolen after payroll software company Zellis, which uses MOVEit Transfer, was compromised, giving criminals access to its systems and client data. Zellis is used by half of FTSE 100 companies.

Other victims are emerging every day. Shell told customers yesterday that the company is “aware of a cybersecurity incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers.”

Meanwhile, Eric Goldstein, executive assistant director for cybersecurity at US cybersecurity agency CISA told CNN yesterday that the agency is “providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications”.

The new batch of companies posted to Cl0p’s blog includes two financial institutions, First National Bank and 1st Source, as well as Boston-based investment management company Putnam Investments and German mechanical engineering company Heidelberg.

Canadian health non-profit GreenShield Canada was on the blog but has since been taken down. Other victims include student health insurance provider United Health Student Resources, educational non-profit National Student Clearinghouse, US manufacturer Leggett and Platt, Swiss insurance company ÖKK and the University of Georgia.

The amount of ransom being demanded from each company has not been published.

Tech Monitor has reached out to the above victims but has not heard back at the time of writing. None of the data that Cl0p claims to have downloaded has yet been posted to the dark web.

Many of the victims have come forward themselves

Other victims of Cl0p’s MOVEit Transfer attack have outed themselves despite not seeing any data published yet. UK communications regulator Ofcom said in a statement on Monday that confidential personal data had been downloaded during an attack.

The government of Nova Scotia has said it was “breached as part of a global security issue”, while US university Johns Hopkins admitted to an intrusion at the hands of Cl0p, saying it is “investigating a recent cybersecurity attack targeting a widely used software tool.”

Progress Software describes the vulnerability as an SQL injection flaw that allows for “escalated privileges and potential unauthorised access” on targeted systems.

A patch is available, but with more than 3,000 internet-facing servers running MOVEit Transfer, many businesses may have been exposed before they applied it.

The UK’s National Cyber Security Centre published an advisory on the breach on Monday, saying it “strongly encourages organisations to take immediate action by following vendor best practice advice and applying the recommended security updates.”

Known to have been active for the last couple of years, Cl0p’s other high-profile attacks include breaches of print management company PaperCut and security company Fortra, which saw the data of 63,000 children compromised.
