A wave of cyberattacks expected after file-sharing software breach: thousands of companies at risk

Cybersecurity experts are preparing for a potential wave of ransomware demands following the discovery of a vulnerability in encrypted file-sharing software. Hackers have already exploited this flaw, targeting several high-profile victims, including British Airways and the BBC.

Several companies and a Canadian province said on Monday that they experienced breaches related to the secure file transfer product MOVEit from Progress Software Corp., according to statements from multiple affected organizations. The vulnerability allowed hackers to steal files uploaded by companies to MOVEit, according to Progress.

This vulnerability has triggered security warnings in recent days from the US Department of Homeland Security, the UK’s National Cyber Security Centre, Microsoft Corp., and Mandiant, a subsidiary of Google Cloud owned by Alphabet Inc.

Progress released a patch for the software last week.

“When we discovered the vulnerability, we immediately launched an investigation, notified MOVEit customers about the issue, and provided immediate mitigation measures,” said spokesperson John Eddy in a statement.

Microsoft said that the hackers responsible for attacks on MOVEit servers also operate the Clop ransomware site. Clop is the name of a ransomware strain used against companies and organizations worldwide and sometimes also refers to the hacker group behind it. Hackers linked to this group also steal data and threaten to publish it on their website if a ransom is not paid.

This group primarily targets the healthcare and financial sectors and has existed since February 2019, according to Trend Micro Inc. The same hackers were also responsible for previous breaches of two other secure file transfer products developed by Accellion Inc. and Fortra LLC, according to Allan Liska, a senior intelligence analyst at Recorded Future Inc.

Public data sources indicate that there are thousands of vulnerable MOVEit servers that may have been affected by the software flaw, Liska said. Criminal hackers are expected to begin contacting companies and demanding payment in cryptocurrency in exchange for not publishing stolen data online.

A search of publicly accessible MOVEit servers conducted by Bloomberg News shows that users include law firms, healthcare organizations, and IT companies.

A representative of the ransomware group told Bloomberg News in an email that they had deleted data stolen from “military, government organizations, children’s hospitals, and police.” The claim could not be independently verified.

When asked how many companies had been compromised, the representative replied: “You will know them all if they refuse to pay — they will appear on our blog.”

Charles Carmakal, Chief Technology Officer at Mandiant, said the first observed exploitation of MOVEit occurred on May 27.

“We expect ransom demands to begin at any time within the next four weeks,” he said. “The threat actors have a large volume of data to review. Once extortion begins, it will likely continue for several months.”

British Airways, the Boots pharmacy chain, and the BBC informed thousands of employees that their personal information may have been compromised as a result of a cyberattack on their HR services provider Zellis.

In a statement, Zellis said that “several clients” were affected. “As soon as we became aware of the incident, we immediately took action by disconnecting the server using MOVEit software and engaged an expert external incident response team to assist with forensic investigation and continuous monitoring,” the statement said. British Airways stated that the incident occurred “due to a new and previously unknown vulnerability in the widely used MOVEit file transfer tool.”

The government of Nova Scotia said it is investigating the theft of personal information related to the MOVEit vulnerability. “The government is working to determine what information was stolen and how many people were affected,” the statement said.

At British Airways, the breach exposed employees’ personal information, including names, surnames, dates of birth, and possibly banking details, according to a company spokesperson. The airline employs around 35,000 people.

Boots, which has more than 50,000 employees, said that employee personal information was affected. The server was taken offline, and employees were informed, according to a spokesperson for Boots, owned by Walgreens Boots Alliance Inc.

The BBC confirmed it was affected by the attack on Zellis. A spokesperson said they are urgently working to determine the extent of the data breach.

“This is a typical case of a supply chain attack targeting multiple companies holding highly sensitive employee information,” said Jake Moore, a UK-based cybersecurity expert and global advisor at cybersecurity firm ESET. “The proposed security patch is absolutely critical and must be installed by all affected companies to ensure protection.”

Source: Bloomberg
