Skip to content
Hackers exploited a vulnerability in MOVEit Transfer software last week to access various information which is now worrying a number of UK firms & their staff.
A ransomware group called ‘Clop’ has claimed responsibility for the breaches, that are centred around the MOVEit file transfer software.
In an email to Reuters on Mon, the hackers stated “it was our attack” & that victims who refused to pay a ransom would be named & shamed on the group’s website.
Russian-Speaking
Microsoft’s work suggested that the Russian-speaking ransomware gang was behind this attack. Last week it emerged that a so-called zero-day vulnerability – a flaw – in the file transfer system MOVEit, produced by Progress Software, had been used by cyber criminals.
It allowed the hackers to access information on a range of global companies using MOVEit Transfer. 1,000s of firms are thought to be affected.
UK-based payroll provider Zellis confirmed on Mon. that 8 of its clients were amongst them. It did not name them.
BBC & Boots
BA, however, confirmed it had been entrapped. The airline employs 34,000 people in the UK. The BBC & Boots, which has 50,000 staff, revealed that they had been affected too.
They did not believe its employees’ bank details had been exposed, although company ID & national insurance numbers were compromised. Experts suggested that corporate victims could expect the group responsible to contact with a list of demands ‘within weeks.’
In this case, the compromised information included contact details, national insurance numbers & bank details.
MOVEit
BA explained: “We have been informed that we are one of the companies impacted by Zellis’s cyber-security incident which occurred via one of their 3rd-party suppliers called MOVEit.
“Zellis provides payroll support services to 100s of companies in the UK, of which we are one.
“This incident happened because of a new & previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support & advice.”
Data Vulnerability
A Boots spokesperson explained: “A global data vulnerability, which affected a 3rd-party software used by one of our payroll providers, included some of our team members’ personal details.
“Our provider assured us that immediate steps were taken to disable the server, & as a priority we have made our team members aware.”
Zellis said in its statement: “A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software’s MOVEit Transfer product.
“We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them.
Unaffected
“All Zellis-owned software is unaffected & there are no associated incidents or compromises to any other part of our IT estate.
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software & engaging an expert external security incident response team to assist with forensic analysis & ongoing monitoring.”
Charles Carmakal, Chief Technology Officer at Google Cyber Security specialist Mandiant Consulting, outlined “At this stage it is critical for victim organisations to prepare for potential extortion, publication of stolen data, & victim shaming.
Threat Actor
“It is likely that the threat actor will soon begin to make contact with extortion demands & begin to work through their list of victims.
“Mandiant’s investigations into prior campaigns from the suspected threat actor show that extortion demands are usually in the 7 or 8 figure range, including a few demands for more than $35m.
“Any organisation that had the MOVEit web interface exposed to the internet should perform a forensic analysis of the system, irrespective of when the software was patched,” he warned.
“Watch out for scammers too. Some of our clients impacted by the MOVEit exploitation received extortion emails over the weekend.
“The extortion emails were unrelated to the MOVEit exploitation & were just scams, but organisations could easily confuse them as being authentic.”
Top Priority
A MOVEit spokesperson explained, “Our customers have been, & will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue & provided immediate mitigation steps.”
“We disabled web access to MOVEit Cloud to protect our cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched & re-enabled MOVEit cloud, all within 48 hours. We have also implemented a series of 3rd-party validations to ensure the patch has corrected the exploit.”
Federal Law Enforcement
“We are continuing to work with industry-leading cyber-security experts to investigate the issue & ensure we take all appropriate response measures. We have engaged with Federal Law enforcement & other agencies with respect to the vulnerability.”
“We are also committed to playing a leading & collaborative role in the industry-wide effort to combat increasingly sophisticated & persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.”
