Here we go again: Medibank affected by another major cyber attack

Revealing itself as the latest on an extensive list of victims of the MOVEit hack, Australia’s largest private health insurer confirmed that it was a user of the cloud file transfer service.

A spokesperson from Medibank has said that local MOVEit vendor Ipswitch contacted them to inform them that vulnerabilities had been detected and used by threat actors.

“We were advised by the vendor Ipswitch about some vulnerabilities discovered in MOVEit — a software system we use to share information with external parties — and have promptly applied all the vendor’s recommended security patches,” said the spokesperson.

“We continue to investigate and work closely with the vendor, and at this stage, we are not aware of any of our customers’ data being compromised.”

The attack comes after Medibank was hit by a catastrophic cyber attack last year, which affected 9.7 million customers.

The REvil threat group demanded $15.6 million, which the organisation refused to pay. The hackers had claimed to have stolen 200GB worth of data compressed down to 5GB.

After refusing to pay, the hackers released a folder claiming to be the entirety of the stolen data.

Other than Medibank, the MOVEit supply chain hack has claimed a number of major organisations, including PricewaterhouseCoopers (PwC), the US Department of Energy and more.

What is the MOVEit hack?

VIEW ALL

In late May, Progress Software announced that the company had detected a vulnerability in its secure file transfer software MOVEit Transfer.

“Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorised access to the environment,” the company outlined.

“All MOVEit Transfer versions are affected by this vulnerability.”

Just days later, Microsoft attributed the attack to Russia’s Lace Tempest cyber gang, also known as the Clop gang.

The nature of the hack allows Clop to “authenticate as any user”, enabling criminal actors to operate with the highest possible privileges and deploying malicious scripts to exfiltrate data.

Just how widespread is the attack?

Progress Software initially confirmed the existence of the MOVEit vulnerability on 31 May, though cyber security researchers at Rapid7 have observed that the initial comprise dates to 27 May, with data exfiltration beginning the following day.

A patch was released 24 hours after the initial announcement.

Rapid7 said it has observed around 2,500 instances of the vulnerable software on the public internet, and while an updated version of the software is now available, Progress recommends that users of MOVEit Transfer update their firewall rules, review accounts for unauthorised users, update remote access policies, and enable multifactor authentication.

To date, both government and private users have been identified as victims of the cyber breach.

In mid-June, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) announced that a number of government departments, including the Department of Energy, had records compromised as part of the file-sharing service attack.

No other agencies have been named specifically, but a spokesperson for CISA said that the list is small and does not include any military or intelligence agencies.

Alongside the US government, organisations such as the BBC and British Airways have also fallen victim to Clop’s attack on MOVEit and have received extortion demands via the threat group’s dark web leak site.

“Clop is one of top organization offer penetration testing service after the fact,” Clop’s ransom notice read, written in broken English.

“This is announcement to educate companies who use progress MOVE1t [sic] product that chance is that we download alot of your data as part of exception, exploit we are the only one who perform such attack and relax because your data is safe.”

“You have 3 day to discuss price and if no agreement you custom page will be created … after 7 days all you data will start to be publication,” the note read.

“You chat will close after 10 not productive day and data will be publish.”

Both the FBI and CISA have released a range of advisories on the vulnerability and how to mitigate against it. Here are the key actions to take:

• Perform an inventory of assets and data, as well as any unauthorised devices.
• Grant admin privileges only where needed; establish an allowed software list.
• Monitor network ports and protocols; activate security configurations on network infrastructure devices.
• Patch and update software regularly; conduct regular vulnerability assessments.

“FBI and CISA encourage organisations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Clop ransomware and other ransomware incidents,” the CISA advisory read.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.