Nova Scotia Health Patient Data Stolen via MOVEit Vulnerability

June 12, 2023

By the First Health team

The data tied to at least 100,000 employees of the Nova Scotia government’s public service branch, as well as Nova Scotia Health and the IWK Health Centre have been stolen, after a hack of a vulnerability in the entities’ managed file transfer (MFT) solution, Progress Software’s MOVEit Transfer. 

Government officials say their investigation suggests social insurance numbers, banking details, and contact information were stolen in the attack, affecting the payroll information of both current and former employees of the healthcare entities and the public service. 

The notice follows earlier reports that the Clop ransomware group stole troves of data from the BBC, British Airways and pharmacy chain Boots using the same bug. These entities were not directly hit by the attackers. Rather, the hack targeted their human resource and payroll provider Zellis. 

A joint Cybersecurity and Infrastructure Security Agency and FBI alert confirmed the ongoing MOVEit attacks were likely deployed by Clop. The group is behind the ongoing attacks against a previously unknown vulnerability in the Fortra GoAnywhere MFT, which has already successfully attacked over 130 organizations. These attacks also bear similarities to the massive exploit of the Accellion FTA in 2020. 

“Due to the speed and ease [Clop] has exploited the [MOVEit] vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks,” according to the alert. 

The scope of these attacks despite readily available software updates highlights the critical need for better visibility into the network, the speed of attackers, and the importance of better vulnerability management. 

Understanding the MOVEit Vulnerability, Healthcare Impacts

On June 1, Progress Software issued an alert for a SQL injection vulnerability (CVE-2023-34362) found in the MOVEit Transfer software, which could enable a threat actor to exploit the security flaw to escalate privileges, access the environment, and take control of an impacted system.  

The company first identified the vulnerability in May of 2023 and has since issued a patch for the impacted versions, while warning customers using outdate product to update to a supported version. 

CISA notes that evidence suggests, however, Clop began exploiting the flaw to install the LEMURLOOT web shells on the web applications around the same timeframe. The actors attempted to hide their presence using legitimate files.  

Upon successful deployment and authenticating, attackers can pass commands to the web shell to retrieve Microsoft Azure system settings, access the underlying SQL database, create new administrator privileged accounts with randomly generated usernames and values set to “Health Check Service,” and even delete accounts with real values. 

CISA added the MOVEit flaw to the Known Exploited Vulnerabilities (KEVs) Catalog on June 2. The joint alert provides network defenders with detection methods tied to malicious activity, along with indicators of compromise and other relevant remediation efforts. CISA also included IOCs for the Fortra GoAnywhere campaign, as well. 

It should be noted that eradicating the attackers after a successful hack may be complicated. As CISA noted, “if a victim rebuilds the web server but leaves the database intact, the CL0P user accounts will still exist and can be used for persistent access to the system.” 

The MOVEit application is used by a range of entities in the healthcare sector, including hospitals, clinics, and health insurers, according to a June 2 Department of Health and Human Services Cybersecurity Coordination Center (HC3) alert. 

“Sensitive information such as medical records, bank records, social security numbers, and addresses are at risk if this vulnerability is leveraged,” officials warned. Targeted entities may be subjected to extortion efforts. 

HC3 is urging any healthcare entities using the MOVEit platform to “take immediate action.” As seen with the compromise of British Airways, Boots, and BBC, network defenders should also consider that their vendors may be using the vulnerable platform and to take precautionary action. 

Clop’s Continued Healthcare Focus

New research from Kroll suggests that Clop has been experimenting with the MOVEit file transfer bug since 2021, reaffirming the group’s attention to planning for this and its other major exploitation events. A review by Kroll into the Microsoft Internet Information Services (IIS) logs of impacted clients revealed evidence Clop activity in multiple client environments in April 2022 and as early as July 2021. 

“The Clop threat actors potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation in February 2023, but chose to execute the attacks sequentially instead of in parallel,” according to the report. 

The previous activities suggest the hackers were “testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing,” the report added. 

Since 2019, Clop has targeted healthcare in force, effectively modifying their tactics for the biggest impact. They also don’t follow the same rules as other ransomware-as-a-service (RaaS) groups, as it “unabashedly and almost exclusively targets the healthcare sector,” according to a previous HJC3 alert on Clop. In fact, 77% of Clops attacks were against healthcare in 2021. 

“Continued and successful attacks demonstrate that this prolific group is still a viable threat to the healthcare sector,” the alert warned. “The probability of cyber threat actors like Clop targeting the healthcare industry remains high.” 

These reports, combined with repeated alerts on the group’s consistent targeting of the healthcare sector, should put network defenders on high alert. 

Organizations must have accurate application and asset inventories to inform their need to respond to threats as they appear.  These inventories must include non-traditional or enterprise applications, such as tools for sending files, infrastructure management tools, and other IT and security tools.  

Swift analysis of these threats and the organization’s exposure requires an organized inventory and the processes to analyze the exposure, if any, swiftly.  With respect to the MOVEit threat, healthcare organizations should move quickly to gauge their exposure and execute mitigation plans.  Some threats, when under active exploit, require immediate remediation action.