The MOVEit Hack Affected BBC, British Airways, and Boots
Clop Ransomware Allegedly Behind the Attack
British Airways, Boots, and the British Broadcasting Corporation (BBC) all confirmed that tens of thousands of employees’ personal data was exposed due to a widespread breach that affected a popular file transfer tool.
Zellis, a payroll provider used by BA, the BBC, and Boots, appears to have been the victim of a data breach. Canada’s Nova Scotia provincial government was also impacted.
Separate statements from Zellis and the Nova Scotia government confirmed that the organizations’ respective use of the MOVEit file transfer software resulted in the disclosure of sensitive information.
MOVEit Transfer is a managed file transfer (MFT) solution that organizations use to securely transfer files via SFTP, SCP, and HTTP-based uploads.
British Airways said it had informed affected workers and was offering assistance. Boots also reported that some of its employees’ private information had been compromised in the attack. The BBC has stated it is assisting Zellis “as they urgently investigate the extent of the breach,” as per Reuters.
Last week, Progress Software, the company that owns the MOVEit file transfer tool, disclosed a vulnerability that could have allowed hackers to intercept data being exchanged through the program, causing widespread concern in the security industry. The vulnerability is tracked as CVE-2023-34362.
The SQL injection vulnerability could be exploited by an unauthenticated attacker to access the MOVEit Transfer database and steal sensitive information.
SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an un-authenticated attacker to gain unauthorized access to MOVEit Transfer’s database. (…) Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements.
The vulnerability affects all MOVEit Transfer versions; the cloud version is unaffected. The company has published Indicators of Compromise (IoCs) for this attack and encourages customers who see any of the indicators to inform the company’s security and IT teams immediately.
On Monday, MOVEit released a statement saying it had patched the exploited vulnerability and was collaborating with experts to investigate the matter and ensure they take all appropriate response measures.
Multiple security researchers have reported seeing this flaw being actively used by malicious actors, as per Security Affairs:
- Researchers at GreyNoise have noticed scanning activity for the /human.aspx login page of MOVEit Transfer as far back as March 3rd, 2023, so they advise Progress customers to look over suspicious activity logs from the last 90 days.
- Rapid7 experts had also discovered approximately 2,500 instances of MOVEit Transfer that were publicly accessible on the internet, with the majority of them located in the United States: “Our teams have so far observed the same webshell name in multiple customer environments, which may indicate automated exploitation.”
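One way to carry out the 90-day log review GreyNoise recommends, shown as an added example that is not from the article or from Progress: it summarizes, per client IP, requests to /human.aspx in IIS W3C logs so unfamiliar sources can be checked by hand. The sample log lines, the IP addresses (documentation ranges) and the review date are constructed, and the function name is hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2023-02-20 08:00:01 GET /human.aspx 198.51.100.7 200
2023-03-03 02:14:55 GET /human.aspx 203.0.113.9 200
2023-03-03 02:14:56 GET /Human.aspx 203.0.113.9 200
2023-04-11 19:30:12 GET /human.aspx 203.0.113.9 200
2023-05-28 11:02:40 POST /human.aspx 192.0.2.44 200
2023-05-28 11:02:41 GET /favicon.ico 192.0.2.44 404
"""

def login_page_hits(log_text, now, days=90, stem="/human.aspx"):
    """Per-client summary of requests to `stem` within the last `days` days."""
    cutoff = now - timedelta(days=days)
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated or malformed records
        row = dict(zip(fields, parts))
        try:
            ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue
        # IIS may log the path in any letter case, so compare case-insensitively.
        if ts >= cutoff and row.get("cs-uri-stem", "").lower() == stem.lower():
            hits[row.get("c-ip", "?")].append((ts, row.get("cs-method", "?")))
    summary = {}
    for ip, events in hits.items():
        times = sorted(t for t, _ in events)
        summary[ip] = {"count": len(events), "first": times[0], "last": times[-1],
                       "days": len({t.date() for t in times}),
                       "methods": sorted({m for _, m in events})}
    return summary

if __name__ == "__main__":
    # Assumed review date; IIS writes W3C timestamps in UTC by default.
    for ip, s in sorted(login_page_hits(SAMPLE_LOG, datetime(2023, 6, 1)).items()):
        print(ip, s["count"], s["first"], s["last"], s["days"], s["methods"])
```

Because /human.aspx is the normal login page, legitimate users appear in the output too; the summary is a starting point for spotting sources that do not match known users or partners.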
Who Is Behind the Attack?
According to Microsoft’s Threat Intelligence team, the Lace Tempest group has previously exploited similar vulnerabilities to steal data from organizations around the world and extort them for ransom.
Microsoft researchers confirmed that the attackers used the vulnerability to deploy a web shell capable of data exfiltration. To exfiltrate files, threat actors use CVE-2023-34362 to authenticate as a user with the highest privileges.
The “cl0p team” confirmed responsibility for the breaches in an email to Reuters, saying “it was our attack” and that victims who refused to pay would be named on its website. The group did not immediately respond to a request for more information.
All businesses that may be affected by the CVE-2023-34362 vulnerability are urged to apply security patches and follow the vendor’s mitigation recommendations.
According to CISA’s updated list of known exploited vulnerabilities, federal agencies in the United States have until June 23 to fix the security flaw in the Progress MOVEit Transfer managed file transfer (MFT) solution.