A growing list of global companies appear to have been affected by a zero-day vulnerability found recently in popular file transfer software which has been exploited by the Clop ransomware gang.
Reports suggest that the BBC, BA, Boots and the government of Nova Scotia are among those affected thus far, although Sky News claimed that “thousands” of organizations have been impacted.
Several victims including BA and Boots are thought to be customers of payroll provider Zellis, which admitted in a brief statement that a “small number of our customers” had been impacted.
“Once we became aware of this incident we took immediate action, disconnecting the server that utilizes Moveit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring,” it added.
The bug in MOVEit Transfer and MOVEit Cloud, for which a patch was released on May 31, was first exploited by the extortionist group on the weekend of May 27. Microsoft attributed the attacks to Clop affiliate Lace Tempest (FIN11) yesterday.
Read more on the MOVEit flaw: Critical Zero-Day Flaw Exploited in Moveit Transfer.
There appears to be no ransomware payload used in this campaign. Rather, it involves a more straightforward data theft and ransom modus operandi, with firms unwilling to pay the fee likely to have their information published on the Clop leak site.
At least in those cases, stolen data will include employee details such as the National Insurance numbers of BBC staff. However, this will vary for other affected companies depending on how they use the MOVEit software.
The National Cyber Security Centre (NCSC) released a brief statement urging MOVEit customers “to take immediate action by following vendor best practice advice and applying the recommended security updates.”
Kingsley Hayes, head of data and privacy litigation at Keller Postman UK, warned organizations that they would still be liable for data losses.
“While it was Moveit that was hacked, employers remain responsible for the security of their employee data,” he added. “Following the breach, the ICO will likely want to know more about the affected organizations’ security measures, and their relationships with Zellis in regards to data protection.”
Jamie Akhtar, CEO and co-founder of CyberSmart, said the incident shows how a single vulnerability in a supply chain can cause widespread damage.
“It’s a stark reminder of the risks posed by third-party suppliers and the supply chain: that even having your own cybersecurity in order is no guarantee of complete protection from breaches,” he argued.
“With this in mind, we urge all businesses to map their supply-chain dependencies. The goal is to have an understanding of your network of suppliers so that cyber risks can be managed and responded to effectively.”
The incident calls to mind the exploitation of zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) product, also linked to FIN11, which led to data compromise at countless customer organizations.