MoveIt Transfer flaw leads to wave of data breach disclosures
Organizations that have confirmed a data breach tied to the critical MoveIt flaw disclosed in May include the government of Nova Scotia, the BBC and HR software firm Zellis.
A critical zero-day flaw in Progress Software's MoveIt Transfer product has led to a wave of attacks against organizations such as HR software provider Zellis as well as the government of Nova Scotia, Canada.
The flaw became public knowledge on May 31 when Progress detailed an SQL injection bug, now tracked as CVE-2023-34362, in its managed file transfer (MFT) software MoveIt Transfer. Progress urged customers to immediately apply mitigations for the vulnerability, which was already under attack, while it worked on a patch that was released later that day. Security vendors like Rapid7 reported soon after that the flaw was under active exploitation in the wild. Microsoft on Sunday published new research crediting the attacks to a threat actor it dubbed "Lace Tempest," which was tied to the Clop ransomware gang.
Multiple organizations have now confirmed data breaches that have occurred as a result of the vulnerability, either via the flaw directly or downstream. U.K.-based Zellis said in a press statement on Monday that "a small number of our customers have been impacted by this global issue and we are actively working to support them."
"Once we became aware of this incident we took immediate action, disconnecting the server that utilizes MoveIt software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring," the statement read. "We have also notified the ICO, DPC, and the NCSC in both the UK and Ireland. We employ robust security processes across all of our services and they all continue to run as normal."
The BBC, British Airways (BA) and British retailer Boots have all confirmed attacks resulting from the flaw, and BA confirmed to TechTarget sister publication ComputerWeekly that its breach began downstream from Zellis'.
The government of Nova Scotia, Canada, also confirmed an attack tied to MoveIt Transfer on Tuesday via a press release. The government estimated that the personal data of as many as 100,000 past and present public employees may have been compromised as the result of its breach.
"The Province has determined that the personal information of many employees of Nova Scotia Health, the IWK Health Centre and the public service has been stolen in the MoveIt global cybersecurity breach," the news release read. "So far, the provincial investigation indicates that social insurance numbers, addresses and banking information were stolen. The amount and type of information depends on the employer. This information was shared through the MoveIt file transfer service because this service is used to transfer employee payroll information."
The New York-based University of Rochester disclosed a breach on June 2, though it did not reference MoveIt Transfer by name. It referred to the origin of the attack it suffered as " a software vulnerability in a product provided by a third-party file transfer company" that "has affected the University and approximately 2,500 organizations worldwide."
"At this time, we believe faculty, staff, and students could be impacted, but we do not yet know the full scope of the impact to University community members or which personal data was accessed, as the investigation is ongoing," the breach disclosure read. "We will provide updates as soon as available."
TechTarget Editorial contacted the university to confirm whether the attack was tied to MoveIt Transfer, but the university has not responded at press time.
Clop announced on its data leak site earlier this week that it will begin posting victims' names to the site if those organizations do not contact the ransomware gang by June 14. The gang, which calls itself "one of the top organization(s) [that] offer penetration testing service after the fact," said it will begin publishing victims' data after seven days if a payment is not made.
Strangely, Clop also announced that it erased any data from government agencies, city services or police departments, and that such organizations have no need to contact the ransomware gang. "We have no interest to expose such information," Clop said.
Alexander Culafi is a writer, journalist and podcaster based in Boston.