Powered by MOMENTUM MEDIA

PwC swept up in MOVEit hack

The under-fire professional services provider is the latest victim of the MOVEit Transfer exploitation, just days after the US government warned that a number of federal departments were swept up in the hack.

Mon, 19 Jun 2023

The attack, which targeted third-party secure file transfer software MOVEit, saw hackers gain unauthorised access to the software’s database before exfiltrating secure information.

According to a company spokesperson, only a limited number of PwC clients were affected by the breach, and those clients have been notified that their files were “impacted”.

PwC’s internal IT network was not compromised in the breach.


“We are aware that MOVEit, a third-party transfer platform, has experienced a cyber security incident [that] has impacted hundreds of organisations, including PwC. PwC uses the software with a limited number of client engagements,” a statement from the company read.

“As soon as we learned of this incident, we stopped using the platform and started our own investigation.”

What is the MOVEit hack?

In late May, Progress Software announced that the company had detected a vulnerability in its secure file transfer software MOVEit Transfer.

“Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorised access to the environment,” the company outlined.

“All MOVEit Transfer versions are affected by this vulnerability.”

Just days later, Microsoft attributed the attack to Russia’s Lace Tempest cyber gang, also known as the Clop gang.

The nature of the hack allows Clop to “authenticate as any user”, enabling criminal actors to operate with the highest possible privileges and to deploy malicious scripts that exfiltrate data.

Just how widespread is the attack?

Progress Software initially confirmed the existence of the MOVEit vulnerability on 31 May, though cyber security researchers at Rapid7 have observed that the initial compromise dates to 27 May, with data exfiltration beginning the following day.

A patch was released 24 hours after the initial announcement.

Rapid7 said it has observed around 2,500 instances of the vulnerable software on the public internet, and while an updated version of the software is now available, Progress recommends that users of MOVEit Transfer update their firewall rules, review accounts for unauthorised users, update remote access policies, and enable multifactor authentication.

To date, both government and private users have been identified as victims of the cyber breach.

In mid-June, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) announced that a number of government departments, including the Department of Energy, had records compromised as part of the file-sharing service attack.

No other agencies have been named specifically, but a spokesperson for CISA said that the list is small and does not include any military or intelligence agencies.

Alongside the US government, organisations such as the BBC and British Airways have also fallen victim to Clop’s attack on MOVEit and have received extortion demands via the threat group’s dark web leak site.

“Clop is one of top organization offer penetration testing service after the fact,” Clop’s ransom notice read, written in broken English.

“This is announcement to educate companies who use progress MOVE1t [sic] product that chance is that we download alot of your data as part of exception, exploit we are the only one who perform such attack and relax because your data is safe.”

“You have 3 day to discuss price and if no agreement you custom page will be created … after 7 days all you data will start to be publication,” the note read.

“You chat will close after 10 not productive day and data will be publish.”

Both the FBI and CISA have released a range of advisories on the vulnerability and how to mitigate it. Here are the key actions to take:

  • Perform an inventory of assets and data, as well as any unauthorised devices.
  • Grant admin privileges only where needed; establish an allowed software list.
  • Monitor network ports and protocols; activate security configurations on network infrastructure devices.
  • Patch and update software regularly; conduct regular vulnerability assessments.

“FBI and CISA encourage organisations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Clop ransomware and other ransomware incidents,” the CISA advisory read.
