Share this article on:
The first victims of the hack on popular file transfer utility MOVEit Transfer, reported yesterday (5 June), have begun to surface, as Microsoft Threat Intelligence has pinpointed the threat actor behind the hack.
Microsoft tweeted on 5 June that the Lace Tempest ransomware group was behind the hack, the same group that is otherwise known as the Clop gang if you’re not using Microsoft’s own rather silly nomenclature.
“Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site,” Microsoft tweeted. “The threat actor has used similar vulnerabilities in the past to steal data & extort victims.”
The nature of the hack allows Clop to “authenticate as any user”, allowing the gang’s operators to act with the highest possible privileges. A web shell is then deployed that can exfiltrate data at will.
Clop has a history of taking advantage of weaknesses in software supply chains — it was behind the recent GoAnywhere MFT cloud service hack, which claimed victims all over the world, including Rio Tinto, Meriton, and the Tasmanian government here in Australia.
While the reports of the hack that came in over the weekend only suggested the scale of the hack, organisations have now begun coming forward to share how they’ve been affected.
The Canadian province of Nova Scotia has said that after they were informed of the vulnerability, they took their file-sharing systems offline and installed the necessary update, as directed by MOVEit developer Progress Software. However, it soon became apparent that it was shutting the door after the horse had bolted, and that more work needed to be done.
“Some Nova Scotians’ personal information has been breached as part of a global security issue with a file transfer service called MOVEit,” the provincial government’s Cyber Security and Digital Solutions team said in a statement. “Staff are working to determine exactly what information was stolen, and how many people have been impacted. The province does not have that information yet.”
“Nova Scotians will have questions, and we do, too. Our staff are working hard to figure that out now,” said Colton LeBlanc, Cyber Security and Digital Solutions Minister. “I know this will make some people anxious, at a time when no one needs more anxiety. We will share more information with Nova Scotians as soon as we can.”
British Airways has also announced that its data was compromised, though in its case, it was via the payroll company Zellis, which was a MOVEit customer.
“We have been informed that we are one of the companies impacted by Zellis’s cyber security incident, which occurred via one of their third-party suppliers called MOVEit,” a Zellis spokesperson said in a widely shared statement.
For its part, Zellis has said that only some of its customers have been affected, though it has not named any itself.
“We can confirm that a small number of our customers have been impacted by this global issue, and we are actively working to support them,” Zellis said in its own statement.
Chemist chain Boots and the BBC are believed to be some of Zellis’ affected customers. Progress has recommended that its customers update their software as soon as possible, but that may not be enough, according to Christopher Budd, senior manager of threat research at Sophos.
“Since attacks began before a patch was available, all MOVEit customers should check for signs of compromise beyond those publicly discussed, as attacks could have happened before patching using methods not yet publicly identified,” Budd told Cyber Security Connect via email. “Also, it’s important to note that patching will NOT remove any webshells or other artefacts of compromise. This makes it critical that MOVEit customers include a check for compromise after deploying patches IN ADDITION to deploying patches. Patching alone is NOT sufficient.”
Meanwhile, Clop itself reached out to Bleeping Computer to take credit for the hack, and to share information on its own progress in dealing with its newly acquired data. The gang has not yet begun to extort any of its victims, apparently, and is still going through all the data to confirm exactly what it has purloined.
Once it has established the data’s value, it will begin ransom negotiations, Bleeping Computer reported.
However, Clop has also stated that it will erase and not exploit any data related to the military, government, or children’s hospitals, according to Bleeping Computer.
“I want to tell you right away that the military, children’s hospitals, GOV etc like this we no to attack [sic], and their data was erased,” Clop said in their email to the publication.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.