Cyber Incident Victim: AmeriSave Mortgage
Date: May 2023
Location: United States of America
Summary
AmeriSave Mortgage Corporation was impacted by a widespread cyberattack exploiting a zero-day vulnerability in the MOVEit managed file transfer software. The attack was perpetrated by the Clop ransomware group, which exfiltrated data from numerous organizations. AmeriSave was named by the threat actors on their data leak site as one of the many victims whose information was stolen in this large-scale campaign targeting the financial services sector and other industries.
Description
The incident involving AmeriSave Mortgage Corporation was part of a widespread and coordinated cyberattack campaign executed by the Clop ransomware group. This campaign exploited a previously unknown vulnerability, a zero-day, in Progress Software’s MOVEit managed file transfer software. The initial exploitation activity by the Clop group began around May 29 and May 30, 2023. This timing was strategically chosen to coincide with the Memorial Day holiday weekend in the United States, a period often characterized by reduced security staffing, potentially increasing the likelihood of successful undetected intrusion. Progress Software, the developer of MOVEit, became aware of the vulnerability and issued a patch on May 31, alongside a security alert urging all customers to immediately update their software to mitigate the threat.

AmeriSave Mortgage, a financial services organization, was identified as a victim of this attack in the days leading up to June 27, 2023. On that date, the Clop group added AmeriSave Mortgage to its data leak site along with approximately 70 other organizations. This public listing on a criminal website indicated that the threat actors had successfully exfiltrated data from the company's systems and were threatening to release it publicly. The method of compromise was the exploitation of the MOVEit vulnerability, which allowed the attackers to gain unauthorized access to file transfer servers used by the company. The specific internal systems at AmeriSave that were directly breached were those running the vulnerable MOVEit software, which is commonly used for internal and external secure file sharing.
The scope of the incident for AmeriSave Mortgage, in terms of precise data volumes or the exact number of affected individuals, was not explicitly detailed in the public reporting. However, the context of the broader attack campaign provides insight into the potential severity. The attack against AmeriSave was part of a massive data theft spree that ultimately affected at least 516 organizations directly or indirectly. The total number of individuals impacted across all victims was estimated to be at least 36 million, based on data breach notifications issued by a fraction of the affected organizations. The financial services sector, which includes mortgage companies like AmeriSave, was noted as one of the sectors accounting for the greatest number of known incidents within the MOVEit campaign.
The impact of the breach was the confirmed theft of data. By being listed on Clop's leak site, AmeriSave Mortgage joined a large cohort of victims whose data was stolen and held for ransom. The attackers employed a double-extortion tactic, where they not only stole data but also threatened to publish it to pressure the victim into paying a ransom. The nature of the data stolen from AmeriSave's MOVEit server was not specified, but given the company's business in mortgage lending, it is plausible that it contained sensitive personal and financial information of customers. This could include names, addresses, Social Security numbers, and financial details, which are highly valuable to cybercriminals for identity theft and fraud. The reputational damage associated with such a data breach is a significant consequence, potentially eroding customer trust.
In response to the broader threat, the software vendor, Progress Software, took action by developing and releasing a security patch on May 31. This patch was the primary technical response to contain the vulnerability and prevent further exploitation. For individual victims like AmeriSave Mortgage, the standard response process began with detection. Organizations were alerted to the problem through the vendor's security advisory, prompting them to investigate their own MOVEit implementations. Upon discovering a compromise, the standard procedure involved initiating an investigation, often with the assistance of third-party digital forensic investigators, to determine the scope of the intrusion and identify what specific data was accessed and exfiltrated.
The containment phase for victims involved immediately applying the available patch to their MOVEit servers to prevent continued or new access by the threat actors. Patching severed the initial attack vector, but it did not by itself remove any access the attackers had already established, so organizations typically also reviewed access logs and system configurations to understand the extent of the breach and to ensure no other persistent threats remained within their network environment. The subsequent phase was remediation and notification. While the specific details of AmeriSave's internal response were not publicly disclosed, common practices following such breaches include directly notifying affected individuals and regulatory bodies as required by law. Companies often provide affected individuals with credit monitoring and identity theft protection services to help mitigate the potential downstream effects of the data exposure. The financial impact on AmeriSave would likely include the costs associated with the forensic investigation, crisis management, customer notification efforts, and the provision of these protective services.
The incident had secondary impacts due to the nature of how MOVEit is used. Many organizations that utilize the software are service providers, meaning they hold and transfer data on behalf of other companies. When Clop breached a service provider, it resulted in a cascade of data breaches affecting all of that provider's clients. While AmeriSave was listed as a direct victim, it is possible its data was also compromised through a third-party service provider it utilized, though this was not explicitly stated. The breach of Pension Benefit Information (PBI) Research Services exemplified this supply chain effect, leading to millions of individuals at financial firms like TIAA and Corebridge Financial being notified that their data was stolen from PBI's MOVEit server. The attack on AmeriSave Mortgage therefore represents a single node within a vast cyber incident that impacted millions of people and hundreds of organizations across multiple critical sectors, including education, healthcare, and government contracting. The Clop group's campaign demonstrated the severe ripple effects that can occur when a vulnerability is exploited in a widely used software product that forms a key part of many organizations' operational infrastructure.
