The BBC, British Airways and the government of Nova Scotia are confirmed victims
Security researchers have linked a new wave of mass hacks targeting a popular file transfer tool to the infamous Clop ransomware gang, as the first victims of the attacks began to emerge.
Last week it was revealed that hackers are exploiting a newly discovered vulnerability in MOVEit Transfer, a file transfer tool widely used by businesses to share large files over the Internet. The vulnerability could allow hackers to gain unauthorized access to the database of an affected MOVEit server. Progress Software, which develops the MOVEit software has already released some patches.
The first victims of the attacks began to report themselves over the weekend.
Zellis, a UK-based maker of human resources software and payroll, confirmed to businessroundups.org that its MOVEit system had been compromised, with the incident affecting a “small number” of its corporate customers.
One of those clients is British aviation giant British Airways, which told businessroundups.org that the breach included the payroll data of all its UK-based employees.
“We have learned that we are one of the companies affected by the Zellis cybersecurity incident that occurred through one of their third-party vendors called MOVEit,” British Airways spokesman Jason Turnnidge-Betts told businessroundups.org. “Zellis provides payroll support services to hundreds of UK businesses, of which we are one. We have notified colleagues whose personal information has been compromised to provide support and advice.”
British Airways has not confirmed how many employees are affected, but currently has around 35,000 employees worldwide.
The British BBC also confirmed that it was affected by the Zellis incident. A BBC spokesperson, who declined to give their names, told businessroundups.org: “We are aware of a data breach at our third-party supplier, Zellis, and are working closely with them as they urgently investigate the scope of the breach. We take data security very seriously and follow established reporting procedures.”
The Nova Scotia government, which uses MOVEit to share files between departments, said in a statement that the personal information of some citizens may have been compromised. The Nova Scotia government said it has taken the affected system offline and is trying to determine “exactly what information was stolen and how many people were affected.”
It was initially unclear who was behind this new wave of hacks, but Microsoft security researchers attribute the cyberattacks to a group tracked as “Lace Tempest.” This gang is a known subsidiary of the Russia-linked Clop ransomware group, which has previously been linked to mass attacks exploiting flaws in Fortra’s GoAnywhere file transfer tool and Accellion’s file transfer application.
Microsoft researchers said that the exploitation of the MOVEit vulnerability is often followed by data exfiltration.
Mandiant does not yet make the same attribution as Microsoft, but mentions in a blog post over the weekend that there are “remarkable” similarities between a newly created threat cluster it calls UNC4857 that has “unknown motivations” so far, and FIN11, an established ransomware group known to use the Clop ransomware. “Ongoing analysis of emerging business can provide additional insights,” Mandiant said.
Charles Carmakal, chief technology officer at Mandiant, confirmed to businessroundups.org last week that the company had seen “evidence of data exfiltration across multiple victims.”
It is likely that many more victims of the MOVEit breach will come to light in the coming days.
Shodan, a search engine for publicly accessible devices and databases, showed that there were more than 2,500 MOVEit Transfer servers on the Internet.