The National Student Clearinghouse Is The Latest Company To Be Pwned By MOVEit

In a breach notification letter, the National Student Clearinghouse disclosed a data breach affecting 890 US schools that use its services. The breach was part of the MOVEit campaign, and the stolen files contained a wide range of personal information.

“The relevant files obtained by the unauthorized third party included personal information such as name, date of birth, contact information, Social Security number, student ID number, and certain school-related records (for example, enrollment records, degree records, and course-level data). The data that was affected by this issue varies by individual,” the notice explained.

The Clearinghouse provides educational reporting, data exchange, verification, and research services to roughly 22,000 high schools and around 3,600 colleges and universities, which together enroll roughly 97% of students.

Despite the widespread MOVEit victim pool we’ve seen over the past four months, researchers suggest that only a limited number of victims are likely to pay the ransom demand, but the Clop gang is still expected to collect about $75-100 million.

Steve Hahn, Executive VP at BullWall, had this to say:

   “Ransomware has taken a dark turn this year. Double extortion techniques now mean the threat actors have two ways to monetize the event: pay to decrypt your data, or pay to not have them release sensitive information on the web. With that, once-unheard-of targets (children, the elderly and the sick) have become the prime targets. Just this year threat actors have hit a breast cancer treatment facility and released pictures of women in vulnerable states who were being treated at the facility. They’ve also released student records, grades, disciplinary records and information on students’ sexual activity and identity as part of this data theft.

   “There is no bar too low for this new breed of criminals, as we’ve seen the highest number of ransomware victims on record. Prevention just staves off the inevitable. Schools will be hit. They need a rapid containment strategy that can isolate those events once the attack begins unfolding. The only hope is to limit the damage and recover quickly when a determined threat actor is targeting these educational institutes.”

Emily Phelps, Director at Cyware, adds:

   “Pervasive MOVEit Transfer attacks continue to impact major organizations across a variety of industries. While a layered security approach – multifactor authentication, regular patches and updates, intrusion detection and prevention systems, etc. – plays a pivotal role in defense, organizations must do more to move to a proactive cybersecurity posture. Organizations need access to reliable threat intelligence that can be automatically routed to the right people to rapidly take the right actions.”

Al Martinek, Customer Threat Analyst at Horizon3.ai, concludes:

   “Over the past four months, the widely reported critical security flaw in the Progress MOVEit Transfer application (CVE-2023-34362) has constantly reminded us of how important it is to remain vigilant in securing our IT infrastructure from potential cyber threat actors. CVE-2023-34362 poses a significant risk to all industries and sectors relying on MOVEit for file transfer operations. The active exploitation of this vulnerability by threat actors emphasizes the need for swift action. CL0P, for example, continues to exploit CVE-2023-34362 across a large array of organizations, big or small.

   “Notoriously known as a “Big Game” ransom hunter, CL0P also hones and sharpens its skills by targeting smaller organizations. Its main goals are to disrupt daily organizational cyber activity, steal sensitive data (i.e. PII and PHI) and find other opportunistic ways to disrupt or deploy further attacks. An attack targeting MOVEit’s web application could prove detrimental to any organization, because the application is responsible for interfacing with MySQL, Microsoft SQL Server, and Azure SQL database engines.

   “It is becoming seemingly important for organizations, including educational institutions of all sizes, to shift their mindset regarding how they secure their systems and networks against cyber threat actors. Specifically, organizations must ask themselves whether paying millions of dollars in ransomware is worth not proactively investing in cybersecurity tools that would have alerted to and prevented such attacks and demands for money.

   “Horizon3.ai proactively warns customers about potential zero-day and N-day ransomware attacks and impacts so that they can take immediate action to fix potential vulnerabilities and mitigate possible threats. Exploitation by any cyber threat actor poses a significant risk to organizations (especially the education sector) relying on the MOVEit web application for file transfer operations. Key impacts on these organizations include:

  • Data Breaches and Intellectual Property Theft (including current and former employee data)
  • Operational Disruption and Downtime
  • Manipulation of File Transfers
  • Reputational Damage and Legal Consequences

   Mitigation and Recommendations:

  • Implement Regular Pentest Cadence (NodeZero)
  • Apply Security Patches and Updates (Progress Security Advisory)
  • Implement Intrusion Detection and Prevention Systems
  • Conduct Regular Security Audits
  • User Awareness and Training

   “To mitigate these risks, organizations should promptly apply security patches, implement regular pentest cadence, implement intrusion detection and prevention systems, conduct regular security audits, and provide user awareness and training. By taking these proactive measures, organizations can enhance their security posture and minimize the potential impacts of CVE-2023-34362 and thwart possible attacks by groups such as CL0P. It is crucial for organizations to prioritize cybersecurity and remain vigilant in addressing vulnerabilities to protect their sensitive data and maintain the trust of stakeholders.”
