Yet another supply-chain attack with yet another list of high-profile victims that is only growing every day. We are talking about the attack on Progress Software's MOVEit Transfer tool, which is making headlines right now.
The US-based organisation Progress Software's MOVEit tool is used extensively across the world, and especially in the US, to move sensitive files securely. Today, however, the tool owes its notoriety to a hack that is making news everywhere. The hack came into focus last week when Progress Software announced that the transfer tool had been compromised.
The company said it warned customers immediately upon learning of the attack and released a security update soon after. The US Cybersecurity and Infrastructure Security Agency reinforced this announcement, reiterating that firms which use MOVEit should install the security patch quickly to avoid further breaches.
But the news unravelling now shows that this supply-chain attack is likely to be as widespread as any other. Names of victim organisations, both direct users of the software and those whose vendors use it, are already emerging.
The Cl0p ransomware group, linked to Russia, has apparently claimed responsibility for the MOVEit attack. Just a few hours ago, news broke that the Cl0p group has given an ultimatum to affected organisations. A notice posted on the dark web reportedly warns the victim firms to email the gang before 14 June or run the risk of their stolen data being published.
The website Bleeping Computer reports that the threat actor told them it is behind the latest data-theft attacks. The gang also claims to have already deleted some of the stolen MOVEit data belonging to governments, the military and children's hospitals.
Microsoft had earlier attributed the attack to Lace Tempest, the group known for running the Cl0p extortion website where victim data is published. The group is likely to extort money from the breached organisations rather than from the individuals whose data was taken, although no ransom demand has officially been made. It is also possible that the criminals will start publishing the stolen data online for other hackers to exploit too.
The vulnerability exploited was a zero-day, CVE-2023-34362, an SQL injection flaw in the MOVEit Transfer web application that gave the attackers unauthenticated access to the MOVEit Transfer database. Because every customer runs its own internet-facing MOVEit Transfer server, the attackers were able to hit each exposed instance directly and steal the files stored there.
According to several security researchers, Cl0p, which earlier attacked companies with ransomware, has now moved to simply stealing sensitive data and threatening companies to pay up or see the data leaked online.
Several news stories indicate that the personal data of almost 100,000 people may have been affected as a result of the ongoing mass hack.
The U.K.-based company Zellis, which creates software for human resources and payroll services, was significantly affected by a cyber attack. The organisation confirmed that its MOVEit system was compromised.
This, in turn, is affecting a number of its corporate customers. The companies impacted by the Zellis cybersecurity incident include high profile names like the BBC, British Airways, Aer Lingus and Boots.
The BBC has warned staff that the stolen data included staff ID numbers, dates of birth, home addresses and national insurance numbers. In some cases, bank details may have been stolen. British Airways staff, too, have been warned of a possible breach of bank details.
The UK's National Cyber Security Centre said that it is keeping track of the ongoing events. It also reinforced the message that all organisations using MOVEit must apply the security updates immediately to prevent the situation from getting worse.
The government of the Canadian province of Nova Scotia, which uses MOVEit to transfer files across its departments, is also affected by this incident. It said in a statement that the personal information of some citizens may be in the hands of cyber criminals. It claimed to have taken affected systems offline and said it was working to determine exactly what information was stolen and how many people have been impacted.
The MOVEit data breach is quickly becoming more serious as names of new victims emerge. It could well turn into another huge supply chain attack and probably one of the most massive ones in 2023.
The hack is a classic case of a vendor's security compromise affecting a large number of its customers. Through no fault of their own, the corporate customers will now have to bear the costs of the cybersecurity incident, both monetarily and in terms of reputation and customer trust.
However, at this point there isn't much that MOVEit customers can do except follow the software maker's mitigation steps: disable all HTTP and HTTPS traffic to the MOVEit Transfer environment, check for indicators of unauthorised access (unexpected files in the web root, unknown user accounts, unusually large downloads), reset affected credentials, and then apply the patch before restoring traffic. All security agencies are also advising MOVEit users to install the security updates quickly so that other cyber crime groups cannot exploit the same vulnerability. Note that patching closes the hole but does not remove anything an attacker has already planted on the server, so a review of the system is needed even after the update.
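The review step above is where most of the work is, so here is an added example (not part of the original article and not Progress Software's tooling) of a small hunt over the IIS W3C logs of a MOVEit Transfer server. The request paths it looks for come from public reporting on the exploitation chain (the Progress advisory and the CISA/FBI advisory AA23-158A); the log lines are constructed for the example, and the IP addresses are documentation ranges. Three of the endpoints are legitimate MOVEit pages that appear in normal traffic, so the script only raises a client when it has touched the whole sequence, whereas any request to human2.aspx (the planted web shell, imitating the genuine human.aspx) is a finding on its own.

```python
"""Scan IIS W3C logs from a MOVEit Transfer server for traces of CVE-2023-34362
exploitation. Added example; indicators are taken from public reporting (Progress
advisory, CISA/FBI advisory AA23-158A). The sample log below is constructed."""

# Endpoints touched in the publicly described exploitation chain. The first three are
# legitimate MOVEit Transfer endpoints that also appear in normal traffic, so a single
# hit proves nothing; human2.aspx is the planted web shell (the genuine page is
# human.aspx) and any request to it is a finding on its own.
CHAIN_PATHS = ("/moveitisapi/moveitisapi.dll", "/guestaccess.aspx", "/api/v1/token")
WEB_SHELL_PATH = "/human2.aspx"


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the '#Fields:' directive.

    The field layout differs between servers, so it is read from the log itself
    rather than hard-coded."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("no '#Fields:' directive before first record")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip, do not abort the hunt
        yield dict(zip(fields, values))


def hunt(lines):
    """Return a dict of findings from an iterable of W3C log lines."""
    web_shell_hits = []   # any request to human2.aspx: (timestamp, c-ip, method)
    injection_posts = []  # POST to the ISAPI endpoint with action=m2: (timestamp, c-ip)
    seen_by_client = {}   # c-ip -> set of chain endpoints that client requested

    for rec in parse_w3c(lines):
        path = rec.get("cs-uri-stem", "").lower()
        method = rec.get("cs-method", "").upper()
        query = rec.get("cs-uri-query", "").lower()
        client = rec.get("c-ip", "?")
        when = f"{rec.get('date', '')} {rec.get('time', '')}"

        if path == WEB_SHELL_PATH:
            web_shell_hits.append((when, client, method))
        if path == CHAIN_PATHS[0] and method == "POST" and "action=m2" in query:
            injection_posts.append((when, client))
        if path in CHAIN_PATHS:
            seen_by_client.setdefault(client, set()).add(path)

    # A client that hit every chain endpoint in the same log window deserves an IR
    # ticket even if human2.aspx never appears (the shell may have been removed, or a
    # later variant may have used a different file name).
    chain_clients = sorted(ip for ip, paths in seen_by_client.items()
                           if paths.issuperset(CHAIN_PATHS))

    return {"web_shell_hits": web_shell_hits,
            "injection_posts": injection_posts,
            "chain_clients": chain_clients}


# Constructed sample log (not real traffic). 198.51.100.7 is a normal user;
# 203.0.113.9 performs the exploitation sequence and then calls the web shell.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-05-28 01:02:03 10.0.0.5 GET /human.aspx - 443 198.51.100.7 Mozilla/5.0 200
2023-05-28 01:02:09 10.0.0.5 POST /moveitisapi/moveitisapi.dll action=m2 443 203.0.113.9 Mozilla/5.0 200
2023-05-28 01:02:10 10.0.0.5 POST /guestaccess.aspx - 443 203.0.113.9 Mozilla/5.0 200
2023-05-28 01:02:11 10.0.0.5 POST /api/v1/token - 443 203.0.113.9 Mozilla/5.0 200
2023-05-28 01:02:14 10.0.0.5 POST /human2.aspx - 443 203.0.113.9 Mozilla/5.0 200
2023-05-28 01:05:00 10.0.0.5 GET /human.aspx - 443 198.51.100.7 Mozilla/5.0 200
""".splitlines()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real logs live under C:\inetpub\logs\LogFiles\W3SVC<n>\ by default.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = hunt(fh)
    else:
        result = hunt(SAMPLE_LOG)
    for kind, items in result.items():
        print(kind, items)
```

Run it against each daily log file going back at least 30 days, since the earliest known exploitation predates the public disclosure; an empty result only means the logs that survived show nothing, so pair it with a check for unexpected .aspx files in the MOVEit web root and for user accounts nobody recognises.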
The secondary impact of the attack is the one affected individuals must be most wary of: other criminals using the incident as a pretext to trick them into giving out more details.
Our CEO and Global CISO, Amar Singh, shares some expert advice for the organisations affected by the MOVEit hack. He advises all businesses to check whether they or their supply chain use the MOVEit tool and to deploy the security patches with immediate effect. It is also advisable to get suppliers to respond formally on whether they use MOVEit and what the status of their data is.
Further, it is critical to keep an eye on the news as new names of affected parties emerge. Every organisation that uses or may have used the software in the past must watch its internet-facing servers 'very closely'.
All individuals who may have been affected by the attack are advised to watch out for suspicious emails, SMS messages or phone calls. Emails asking them to click on links, verify details and so on must be treated with suspicion, and staff members should check with their IT or Incident Response teams before acting on any link or password reset request they do not trust.
At Cyber Management Alliance, we regularly generate educational content that highlights recent cyber-attacks, ransomware attacks and data breaches. We also compile as much information as is possible on new malware and vulnerabilities discovered and security patches released.
The idea is to keep our readers informed so they can spot any compromise of their vendors/software they use and take the necessary security measures rapidly.
You may want to check out our comprehensive list of cyber attacks, ransomware attacks and data breaches in May 2023. We have also written a blog on some of the most talked-about cyber attacks of 2023 so far, which you can refer to for a general understanding of the threat landscape and the evolving methodologies of global threat actors.
Do bookmark our site for more such updates. We will also keep our readers updated on other important information on the MOVEit cyber incident as the news unfolds in the public domain.