Dental benefits provider Delta Dental faces a massive data breach affecting 7M Americans due to a security flaw in MOVEit app. (IT World Canada)
A dental benefits provider, Delta Dental of California, disclosed a massive data breach affecting nearly 7 million U.S. residents. The breach, considered one of the largest involving the MOVEit file transfer application, compromised subscribers' personal information, including names, financial account numbers, credit/debit card details, security codes, passwords/PIN numbers, and, in some cases, passport numbers.
This incident ranks as the third-largest publicly confirmed data theft from a single company, as reported by Emsisoft. The largest theft was from Maximus Inc., a U.S. government services provider, which had information on 11.3 million individuals pilfered from its MOVEit Transfer system.
The Clop/Cl0p ransomware gang has claimed responsibility for exploiting a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit application. This vulnerability, rated 9.8 out of 10 in severity, enabled the bypassing of multifactor authentication in both on-premises and cloud versions of the software.
Emsisoft's data indicates that U.S.-based organizations accounted for 78.4% of the known victims, followed by Canada-based victims at 13.8% and Germany-based at 1.4%. The most affected sectors were education (40.0%), health (19.6%), and finance and professional services (12.7%).
Kroll LLC researchers detailed the primary compromise technique, involving the deployment of a web shell to inject a session or create a malicious account. This granted threat actors the ability to reauthenticate and utilize the MOVEit application for file transfers. In some cases, the attacker provided three variables to the web shell—organization ID, folder ID, and file name—which were used to execute MOVEit API calls for file enumeration and data exfiltration. The initial wave of coordinated attacks across MOVEit servers employed a Python script for data exfiltration.
Forensic analysis by Kroll suggests that the Clop gang had likely been experimenting with exploiting this vulnerability since 2021, indicating a prolonged effort to target MOVEit systems.
