5 min Security

MOVEit attack hits 200+ organisations, but its impact is often unclear

MOVEit attack hits 200+ organisations, but its impact is often unclear

In early June, U.S. security watchdog CISA urged that a zero-day vulnerability in MOVEit be patched as soon as possible. The Progress Software product is used by numerous companies worldwide to send often sensitive files in an encrypted manner. Behind the attacks is the Russia-linked CL0P ransomware gang, which demands millions as ransom from their many victims.

MOVEit is a managed file transfer (MFT) service and popular with banks, corporations, government agencies and other large organizations. The service comes in contact with all kinds of customer data and sensitive employee data.

The MOVEit vulnerability is known as CVE-2023-34362 among cyber experts. This exploit allows a malicious actor to perform an SQL injection within the software, allowing that actor to escalate his or her privileges and siphon off data. As so often, it is a matter of moving laterally within a network once a vulnerability is exploited to really do major damage. Yet the data known to MOVEit about a user can already be valuable to hackers. On May 31 of this year, Progress announced to customers that there was this threat, after which there was increasing clarity about the nature of the cyber incident.

The active exploitation of MOVEit was claimed by the CL0P ransomware gang, which revealed to numerous parties that it had captured or deleted sensitive data. Sometimes it involved a direct attack, but in many cases via-via. For example, the BBC and airlines Aer Lingus and British Airways used payroll software Zellis. This party in turn deployed MOVEit for its own platform. Once again, it appears that you can almost never be completely sure how your software stack might be affected.

CL0P seems to have targeted mainly government agencies and critical infrastructure such as banks and energy companies. It has targeted Deutsche Bank, Schneider Electric and American universities (such as UCLA and Washington State University), for example. However, there was also variety with the inclusion of PBI Research and Radisson Hotels America, among others.

Initial contact

One early case of a MOVEit-affected data breach occurred in the Dutch company Landal GreenParks. It announced it had been hit by the MOVEit vulnerability with the theft of data from 12,000 customers that had fallen into the wrong hands. According to Landal, no financial data, reservation information or passwords were involved. However, the leakage of names and e-mail addresses does create an increased phishing risk.

Since MOVEit’s announcement, several other victims have come under scrutiny. TomTom, Shell and ING have been exposed to an attack by CL0P since early June. According to the former, it involved leaks that should have no “negative material impact on TomTom or its customers.” The company provides no further information on exactly what was hacked.

Shell has some help to offer in that regard, although it says there is no evidence of damage to Shell’s IT systems. The oil giant does let it be known on its own website that BG Group employees may have had their data on the street, but it is succinct about that. Customers who are unsure about their level of risk can call toll-free at various telephone numbers depending on the location.

On July 11, it was also announced that cybercriminals got into ING. The Dutch multinational noted that it involved thousands of German customers. It involved customer data that had been transferred to data service provider Majorel. Again, the bank believes its own IT systems had not been affected.

Big impact: an increasing number of data breaches, clarity needed

Without accusing specific parties of covering up data breaches, it is often the case that more becomes known later if there are serious threats to customers. At least 200 organizations are affected, according to threat analyst at Emisoft Brett Callow. This would have involved at least 33 data breaches, he informs TechCrunch. Thus, at least 17.5 million people were affected by the attack so far.

CL0P is a familiar foe of Shell and others, having taken on another file-sharing service called Accellion in 2020, which Shell used at the time. It’s a good thing indeed that at least the oil giant has set up a helpline, but as with other companies, we would prefer more information out in the open. Exactly how much information was available to the hackers? When is an internal investigation ready to report its findings to the outside world? Simply saying there is “no negative material impact” for customers is not enough.

These are sometimes publicly traded companies that are terrified of reputational damage, but mostly we should really expect clear information. This is especially the case with government agencies, which were hit by MOVEit in North America in particular.

For anyone who uses the MOVEit software and has not yet patched: do so as soon as possible. Keeping up with software updates is still crucial to having security in order.

Also read: Hackers claim theft of 30 million Microsoft account logins