MOVEit is a managed file transfer product, available both as a cloud service and on premises, that provides an audited, encrypted channel for sharing sensitive files. A vulnerability in this software is being actively exploited and has led to a number of well-known organizations being compromised, among them the BBC, British Airways, Boots and Aer Lingus.
Staff at these companies have been alerted that sensitive personal information, such as National Insurance numbers and possibly bank details, may have been stolen.
The cyber criminals exploited the MOVEit Transfer vulnerability so that a single weakness gave them access to the data of many companies at once. At this time there are no reports of a ransom being demanded or of money being stolen.
Zellis, a UK payroll service provider, was affected by this compromise and said that data belonging to eight of its clients had been taken. The names of those clients are not being revealed at this time, but warnings are being issued to their staff.
The BBC sent an email to its staff informing them that the stolen data includes staff ID numbers, dates of birth, home addresses and National Insurance numbers.
British Airways employees have been alerted that some of them may have had their bank details stolen.
The UK's National Cyber Security Centre is urging organizations that run the affected software to apply the security update immediately.
The intrusion was recently disclosed by Progress Software, the vendor, which said that attackers had exploited a flaw in its MOVEit Transfer product. The software is designed to move sensitive files securely and is used globally, with the majority of its customers in the US.
Progress Software alerted customers as soon as the intrusion was discovered and promptly released a security update.
A spokesperson for the firm said that it is working with law enforcement to "combat increasingly sophisticated and persistent cyber criminals intent on maliciously exploiting vulnerabilities in widely used software products."
The US Cybersecurity & Infrastructure Security Agency (CISA) issued a warning to all organizations that use MOVEit, urging them to download and install the security fix urgently to prevent further breaches.
Security researcher Kevin Beaumont observed that internet scans still show thousands of MOVEit Transfer servers exposed to the internet that appear not to have installed the fix and so remain vulnerable, with a large number of them belonging to prominent organizations. The practical check for any affected organization is therefore twofold: confirm the patch is applied, and, because exploitation began before the fix was available, assume the server may already have been compromised and review it for signs of intrusion rather than treating the update alone as sufficient.
Experts predict that the cyber criminals will eventually attempt to extort money from the breached organizations rather than from individuals.
At this time no ransom demands are publicly known, but the expectation is that the criminals will contact the companies and demand payment, most likely threatening to publish the data so that other criminals can mine it.
Compromised organizations are reminding their employees to watch for suspicious emails, since stolen personal data is commonly used to make follow-on phishing attempts more convincing.
Although there is no official attribution, Microsoft suspects that the criminal group responsible has ties to the Cl0p ransomware group, which is believed to be based in Russia.
In a blog post, Microsoft attributed the attacks to the group it tracks as Lace Tempest. This group is known for ransomware operations and for running the Cl0p extortion website where stolen data is published. Microsoft also noted that these attackers have used similar techniques in the past to steal data and extort victims.
John Shier of the cyber security company Sophos said:
“The latest round of attacks is another reminder of the importance of supply chain security.”
“While Cl0p has been linked to this active exploitation it is probable that other threat groups are prepared to use this vulnerability as well.”
The UK's National Crime Agency (NCA) told the BBC that it was aware that a number of UK-based companies had been hit by a cyber incident as a result of a previously unknown security flaw in MOVEit Transfer. It added that it is working to support the organizations that were affected and to understand the full impact on the UK.