Cl0p Attack on National Student Clearinghouse Threatens 890 Schools

Date: September 25, 2023


The nonprofit National Student Clearinghouse - which provides educational reporting, data exchange, verification, and research services to roughly 22,000 high schools and 3,600 universities - has been the victim of data exfiltration.

The Cl0p ransomware gang allegedly gained access to the organization's databases by exploiting a known and patchable vulnerability in the MOVEit managed file transfer (MFT) software, part of a wave of attacks using the same method of compromise.

The breach exposed personally identifiable information (PII) including names, Social Security numbers, dates of birth, contact information, student ID numbers, and some school-related records.

"On May 31, 2023, the Clearinghouse was informed by our third-party software provider, Progress Software, of a cybersecurity issue involving the provider's MOVEit Transfer solution," Bleeping Computer reports.

"After learning of the issue, we promptly initiated an investigation with the support of leading cybersecurity experts. We have also coordinated with law enforcement."

Takeaway: Attackers are getting more efficient at exploiting vulnerabilities, and this trend is likely to continue as threat actors automate aspects of their attack sequences.

Nowhere is this more evident than in the continued exploitation of a vulnerability in the MOVEit managed file transfer software (CVE-2023-34362), which the Cl0p ransomware gang used to compromise more than 1,000 victims in rapid succession over the summer.

Cl0p attacks typically include the delivery of a ransomware payload, but the group has more recently been observed shifting to straight data exfiltration and extortion in some of its operations.

Whether or not Cl0p has succeeded in monetizing these compromises by collecting its ransom demands is still unclear.

The bad news is that attackers are getting more proficient at automating aspects of the attack progression: exploiting known vulnerabilities for initial access, improving stealthy payload delivery, fine-tuning evasion techniques, and exponentially improving encryption speeds. As a result, we will likely continue to see an escalation in attacks.

The good news is that, because these attacks leverage exploits for well-documented vulnerabilities, defenders have the opportunity to detect and stop these ransomware operations earlier in the attack sequence.

Many of the TTPs they employ are common and should reveal a host of detectable activity on the network long before the actual ransomware payload is delivered.

The exposure of student data will continue to put those students at risk of extortion, identity theft and financial fraud for the foreseeable future. Schools need more resources to protect vulnerable students, but they cannot do this without adequate funding.

It comes down to a choice, and thus far we have not collectively made the choice as a society to adequately invest in protecting our students and schools from the most nefarious of international criminal organizations.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).