The fallout of the MOVEit Transfer hack via CVE-2023-34362 by the Cl0p gang is expanding, as several UK-based companies have now confirmed that some of their data has been stolen.
Victimized organizations
The confirmed victims so far are Zellis, “UK and Ireland’s leading provider of payroll and HR solutions for large enterprises and public sector organisations,” and, through it (as it handles data belonging to other companies) British Airways, the BBC, Aer Lingus and Boots.
Zellis has many high-profile organizations as customers, but told the BBC that the attackers made off with data from eight of its client firms. It would not reveal which ones, but said that those companies have been notified and that they are, in turn, notifying their staff. Stolen information includes bank account details and personal data such as national insurance numbers.
Caitlin Condon, Senior Manager of Security Research at Rapid7, told Help Net Security that the company has responded to MOVEit Transfer alerts across a wide range of organizations, from small businesses to enterprises with tens of thousands of assets.
“As other intelligence firms have noted, there doesn’t appear to be any particular target vertical or organizational profile. Affected organizations so far have included those in technology, insurance, manufacturing, municipal government, healthcare, and financial services. The amount of data exfiltrated varies case by case, but our services teams have responded to multiple incidents where several dozen gigabytes of data was stolen,” she shared.
The Cl0p gang – which previously used ransomware but has now switched to just grabbing sensitive data and threatening companies to leak it online unless they pay up – has claimed the hack and told BleepingComputer they have already deleted some of the stolen data – namely, that belonging to governments, the military, and children’s hospitals. (Of course, there’s no way to prove those claims conclusively.)
Other criminal groups may follow Cl0p’s lead
As we previously reported, there are fixes and mitigations available for MOVEit Transfer customers, but every organization that had MOVEit Transfer’s web interface exposed on the internet in the last 30 days is likely to find evidence of compromise.
Before cleaning up (removing dropped webshells and related artifacts) and upgrading the software, they should collect logs to see what data was taken.
Updating or mitigating the vulnerability by disabling all HTTP and HTTPs traffic to their MOVEit Transfer environment – as instructed by the software maker – should be done quickly, because other threat groups may start exploiting this particular vulnerability as well.
“This is the third time Cl0p ransomware group have used a zero day in webapps for extortion in three years, btw. In all three cases they were products with security in the branding,” security researcher Kevin Beaumont noted. “In terms of emerging threats, expect more of this while the west appears unable to accept the threat of ransomware groups.”
The question of software security
Wicus Ross, Senior Security Researcher at Orange Cyberdefense, Europe’s largest MSSP, says that it’s not a surprise that software like MOVEit Transfer is targeted as it’s designed to be exposed onto the internet and widely used by organizations located in the US and Europe.
“Around 1,500 servers running the software can currently be identified on Internet. This vulnerability is simple to exploit, so we would expect that many of these servers are already compromised, and many more victims are likely to follow,” he told Help Net Security.
He also pointed out that all software vendors battle security vulnerabilities, but vulnerabilities like this one can have severe consequences, which may be unfairly borne by the victims who use the software.
“Writing secure software can inflate costs for a vendor, which may disadvantage it in the market, so shortcuts are often taken. This is how ‘security debt’ is accrued and passed on down the software supply chain. Any time a vendor makes a deliberate security compromise, or honest security mistake, the victims of a resulting cybersecurity incident will have to absorb the costs. This repeating pattern is causing growing frustration for businesses and security professionals,” he added.
“Software users may have to realise that the cost of good software is much higher than we’re used to, but at the same time many argue that vendors should be held accountable for cyber incidents related to defects in their products. This is of course a slippery slope as, this type of security through compliance and regulation is subject to gamification and abuse. Thus, it has also been proposed that some form of indemnification against civil law suits could be used as an incentive for vendors that subscribe to good software development practices.
“It is clear that reducing these kids of vulnerabilities and mitigating the impact they cause will require real political will and industry collaboration to ensure all benefit from products that are designed from the ground up with solid security principals.”