
Microsoft Attributes MOVEit Transfer Hack to Clop Affiliate

UK Payroll Provider Zellis' MOVEit Hack Affects British Airways, Boots and the BBC
U.K. flag carrier British Airways informed employees that hackers had accessed data via payroll provider Zellis and the MOVEit vulnerability. (Image: Shutterstock)

Microsoft said an affiliate of the Russian-speaking Clop ransomware-as-a-service gang is behind a rash of attacks exploiting a recently patched vulnerability in Progress Software's managed file transfer product.


A threat actor began exploiting a critical SQL injection vulnerability in MOVEit Transfer on May 27 and in some cases exfiltrated data within minutes of deploying a web shell. Microsoft said the actor is Lace Tempest, which overlaps with the groups tracked as FIN11 and TA505.

Known victims include British payroll provider Zellis, which said eight corporate customers were affected. "All Zellis-owned software is unaffected, and there are no associated incidents or compromises to any other part of our IT estate," a company spokesperson said.

Affected clients include British Airways, the BBC and U.K. drugstore chain Boots.

The U.K. flag carrier said it had been "informed that we are one of the companies impacted by Zellis' cybersecurity incident which occurred via one of their third-party suppliers called MOVEit." Boots said the payroll provider attack affected "some of our team members' personal details. Our provider assured us that immediate steps were taken to disable the server."

The government of Canadian province Nova Scotia disclosed on Sunday that hackers also breached residents' personal information.

Disclosures from U.S. organizations so far are less forthcoming. Threat intelligence analyst Germán Fernández on Saturday said he had discovered at least 57 instances of potential compromise with the human2.aspx backdoor, of which 39 were in the United States. Security researcher Kevin Beaumont said the list of organizations that had their data stolen includes multiple U.S. government and banking organizations. MOVEit customers include multiple state governments. The company's LinkedIn page lists the FBI and major corporations, including JPMorgan Chase Bank and Geico, as customers. None of the three organizations immediately responded to a request for comment.

The New York Department of Financial Services on Thursday reminded financial organizations to report breaches within 72 hours.

"MoveIT Transfer is used across the US Government as a recommended solution and all of them were vulnerable (and in many cases still are as many orgs haven’t patched yet)," Beaumont wrote on Twitter.

Tracked as CVE-2023-34362, the vulnerability prompted the U.S. Cybersecurity and Infrastructure Security Agency on Friday to prioritize application of the Progress Software patch. "An attacker may be able to infer information about the structure and contents of the database in addition to executing SQL statements that alter or delete database elements," the agency said.

In a security advisory published last Wednesday, Progress Software said exploitation of the critical vulnerability began in May and that all versions of MOVEit Transfer were affected. A company spokesperson contacted Information Security Media Group Tuesday to say the company "disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud."*

Cybersecurity researchers using the Shodan search engine found roughly 2,500 instances of the software exposed to the public internet as of the middle of last week (see: Hackers Using MOVEit Flaw to Deploy Web Shells, Steal Data).

Cybersecurity company Mandiant said the attacks appear opportunistic, and the behavior is "consistent with activity that we’ve seen from extortion actors, which means victim organizations could potentially receive ransom emails in the coming days to weeks."

Analysis from multiple firms says the attackers' web shell is named to resemble human.aspx, a legitimate MOVEit Transfer component. A common file name for the web shell, which Mandiant dubs Lemurloot, is human2.aspx, dropped in the wwwroot folder of the MOVEit Transfer installation directory.
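A defender reading the paragraph above will want to check their own MOVEit Transfer wwwroot for the web shell. The following script is an added example written for this page; it is not code from the article, Progress Software or Mandiant. The only indicator it takes from the article is the file name human2.aspx sitting beside the legitimate human.aspx. Everything else is an assumption for the demonstration: the baseline list of expected .aspx files (which in practice you would take from a clean reference installation of the same MOVEit Transfer version) and the small sample directory tree the script builds in a temporary folder to show the detection working offline.

```python
"""Hunt for unexpected .aspx files in a MOVEit Transfer wwwroot tree.

Added example, not code from the article or from Progress/Mandiant.
Indicator from the article: a web shell named human2.aspx placed next to
the legitimate human.aspx. The baseline set and the sample directory are
constructed here for the demonstration (assumptions, not real IOCs).
"""
import shutil
import tempfile
from pathlib import Path

# File name reported in the article for the web shell (Mandiant: Lemurloot).
KNOWN_WEBSHELL_NAMES = {"human2.aspx"}

# Constructed baseline: in practice, list every .aspx from a clean install of
# the same MOVEit Transfer version. Only the one file the article names as
# legitimate is included here.
SAMPLE_BASELINE = {"human.aspx"}


def find_unexpected_aspx(wwwroot, baseline):
    """Walk wwwroot and classify every .aspx file found.

    Returns (webshell_hits, unknown_aspx): relative POSIX-style paths, lower-
    cased because IIS on Windows treats file names case-insensitively.
    webshell_hits  - files whose name matches a known web shell name
    unknown_aspx   - any other .aspx not present in the known-good baseline
    A renamed shell will not show up in the first list, which is why the
    second list (anything not in the baseline) is the one to triage.
    """
    root = Path(wwwroot)
    normalized_baseline = {b.replace("\\", "/").lower() for b in baseline}
    webshell_hits, unknown_aspx = [], []
    for path in sorted(root.rglob("*.aspx")):
        rel = path.relative_to(root).as_posix().lower()
        if path.name.lower() in KNOWN_WEBSHELL_NAMES:
            webshell_hits.append(rel)
        elif rel not in normalized_baseline:
            unknown_aspx.append(rel)
    return webshell_hits, unknown_aspx


def build_sample_tree():
    """Constructed sample wwwroot: the legitimate file, the article's web shell
    name, one stray .aspx the baseline does not know, and a non-.aspx asset
    that must be ignored. Returns the temporary directory path."""
    root = Path(tempfile.mkdtemp(prefix="moveit_wwwroot_"))
    for rel in ("human.aspx", "human2.aspx", "api/v1/test.aspx", "images/logo.png"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("<%@ Page %>" if rel.endswith(".aspx") else "", encoding="utf-8")
    return root


def run_demo():
    """Build the constructed tree, scan it, clean up, return the findings."""
    root = build_sample_tree()
    try:
        return find_unexpected_aspx(root, SAMPLE_BASELINE)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    hits, unknown = run_demo()
    print("known web shell names found:", hits)
    print("other .aspx not in baseline:", unknown)
```

Run it against a real server by calling find_unexpected_aspx with the MOVEit Transfer wwwroot path and a baseline exported from a clean installation. Matching on the name human2.aspx alone is weak, since nothing stops the attacker from picking another name; the baseline comparison is what catches a renamed shell, and any hit should be preserved, not deleted, before the host is rebuilt.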

Mandiant assesses with moderate confidence that FIN11 is based inside the former Soviet Union. Indicators include Russian-language file metadata and keyboard layout settings, as well as the group's avoidance of targets in countries that made up the former Soviet Union.

In April, the group exploited two vulnerabilities in Australian firm PaperCut's print management software to target multiple organizations. It deployed a malware downloader named TrueBot to deliver the Clop ransomware to affected systems (see: Ransomware Hackers Exploit PaperCut Bugs).

The Clop ransomware gang took responsibility for more than 50 attacks earlier this year that exploited a vulnerability in the GoAnywhere file transfer software (see: Clop GoAnywhere Attacks Have Now Hit 130 Organizations).

*Update June 6, 2023 14:23 UTC: Adds statement from Progress Software.

About the Author

Jayant Chakravarti


Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

David Perera


Editorial Director, News, ISMG

Perera is editorial director for news at Information Security Media Group. He previously covered privacy and data security for outlets including MLex and Politico.

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
