A deadline of 14th June has been issued to companies affected by the recent security breach, which has been attributed to a previously unknown vulnerability in the secure file transfer and automation software MOVEit.

The threat actors behind the security breach are named as the Russian gang Clop – a ransomware operator widely known to be especially partial to targeting file transfer processes.

Earlier this year, Clop were behind a spate of attacks that exploited a vulnerability in the Fortra GoAnywhere MFT tool, but this attack is orders of magnitude bigger and has the potential to impact millions of customers worldwide.

Tracked as CVE-2023-34362, the issue is a SQL injection vulnerability that could enable an unauthenticated actor to gain access to a user’s MOVEit Transfer database and – depending on whether the database engine in use is MySQL, Microsoft SQL Server or Azure SQL – infer information about the contents of the database and execute SQL statements that read, alter or delete elements of it.

Unusual notification

Normally, when a ransomware group attacks a victim, it posts the news on its dark web site within minutes. In this case, in an unusual move, the threat actors behind the attack instead sent an email to Reuters on Monday, revealing themselves as the ones responsible and stating that victims who refused to pay a ransom would be named and shamed on the group’s website.

This could be because the attack has the potential to affect a very large number of organisations, so it is easier for the threat actors simply to say that anyone using the MOVEit software should consider themselves breached and contact the gang for advice on how to proceed.

Any organisation that had the MOVEit web interface exposed to the internet should perform a forensic analysis of their system, irrespective of when the software was patched.

The main attack targeted the payroll operator Zellis, but because Zellis operates the financials for many other companies, the breach has the potential to impact many other organisations.

Some of the known affected organisations are British Airways, the BBC, Boots and Aer Lingus. Other customers of Zellis include some very large companies such as Jaguar Land Rover, Harrods and Dyson, although it is not yet known whether they have been affected by this breach.

The information believed to be compromised differs between affected companies, but includes names, addresses, National Insurance data, financial data, staff ID numbers, email addresses and dates of birth.

This is another example of a supply-chain attack with far-reaching consequences – much like the ongoing saga with Capita.