The New York City Department of Education (NYC DOE) says hackers stole documents containing the sensitive personal information of up to 45,000 students from its MOVEit Transfer server.
NYC DOE uses the Managed File Transfer (MFT) software to securely move data and documents internally and externally to various vendors, including special education service providers.
NYC DOE patched its servers as soon as the vendor disclosed the exploited vulnerability (CVE-2023-34362); however, the attackers had already been abusing the bug as a zero-day in large-scale attacks before security updates were available.
The affected server was taken offline after the breach was discovered, and NYC DOE is working with NYC Cyber Command to resolve the incident.
“We also conducted an internal investigation, which revealed that some DOE records were affected. The review of affected records is ongoing, but preliminary results indicate that approximately 45,000 students, in addition to DOE staff and related service providers, have been affected,” NYC DOE COO Emma Vadehra said in a statement released over the weekend.
“About 19,000 documents were accessed without permission. The types of data affected include social security numbers and employee identification numbers (not necessarily for all data subjects; for example, about 9,000 social security numbers were included).
“The FBI is investigating the broader breach which affected hundreds of entities; we are currently cooperating with the NYPD and FBI in their investigation.”
The Clop ransomware gang claimed responsibility for the CVE-2023-34362 MOVEit Transfer attacks on June 5 in a statement shared with BleepingComputer, in which the cybercrime gang claimed to have breached the MOVEit servers of “hundreds of companies”.
Kroll also discovered evidence that Clop had been testing exploits for the now-patched MOVEit zero-day since 2021 and researching methods to extract data from compromised servers since at least April 2022.
Clop’s involvement in this massive data theft campaign is part of a larger scheme of targeting MFT platforms.
Previous examples include the breaches of Accellion FTA servers in December 2020, SolarWinds Serv-U servers in 2021, and the widespread exploitation of GoAnywhere MFT servers in January of this year.
Clop is already extorting impacted organizations
The Clop Gang started extorting organizations affected by the MOVEit data theft attacks nearly two weeks ago, on June 15, by publicly listing their names on Clop’s dark web data leak site.
Shell, University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, UnitedHealthcare Student Resources (UHSR), and Landal Greenparks are just a few of the organizations that have confirmed to BleepingComputer that they are impacted.
Other victims that have already disclosed breaches related to the MOVEit Transfer attacks include the US state of Missouri, the US state of Illinois, Zellis (as well as its customers BBC, Boots, Aer Lingus and the Irish HSE), Ofcom, the Nova Scotia government, the American Board of Internal Medicine, and Extreme Networks.
The US Cybersecurity and Infrastructure Security Agency (CISA) revealed that several US federal agencies were also compromised, as reported by CNN. Federal News Network said the attacks also affected two entities of the United States Department of Energy (DOE).
Progress warned MOVEit Transfer customers last week to restrict HTTP access to their servers after information about a new SQL injection (SQLi) vulnerability (CVE-2023-35708) was posted online.
This warning followed another review that revealed several other critical SQL injection vulnerabilities, collectively tracked as CVE-2023-35036.