MOVEit breach highlights risks from supply chain exposure

05 July 2023

British Airways (BA), the BBC, Boots, and many other organisations have had employees' personal data and bank details compromised following the exploitation of a zero-day SQL injection flaw (CVE-2023-34362) in Progress Software's MOVEit Transfer file transfer product.

Zellis provides HR and payroll services to clients in the UK and abroad, including the BBC, BA, Boots, and the NHS. Because Zellis processed payroll data through a MOVEit Transfer instance, hundreds of UK businesses that never ran the software themselves now face the prospect of having their employees' private data held to ransom.

Following the first reports of a zero-day vulnerability on 31 May, Zellis took swift remedial action in isolating the server hosting the MOVEit software, engaging an incident response team, and notifying those affected and the authorities.

Cybersixgill observed activity on underground sources related to the MOVEit flaw, and interest in the data stolen in the related attacks, reports Delilah Schwartz, security strategist at Cybersixgill.

“This activity includes posts on multiple Russian cybercrime forums seeking the data from Zellis-related victims of the MOVEit attacks. In the posts Cybersixgill collected from a forum member, they expressed an interest in a wide range of cybercriminal activity, including ransomware, carding, bots, SIM card swaps, stolen databases, remote access trojans (RATs), and information stealers,” says Schwartz. “In one of the posts from a top dark web forum, a member specifically requested data from UK-based victims of MOVEit attacks, offering up to $100,000 for the requested content…”

The BBC has warned employees that stolen data includes staff ID numbers, home addresses, National Insurance numbers and dates of birth, while other companies have warned that bank details were compromised.

“This attack looks like a case of triple extortion, whereby the attacker targets both the company whose data they have as well as its customers warning them of data exposure until payment is made,” outlines Alon Schwartz, cyber security researcher, Logpoint.

The Russian-speaking cybercriminals behind the Clop ransomware have claimed responsibility for the campaign and are now seeking to negotiate ransoms with the affected companies.

“It’s important to note the possibility of the use of stolen data in further social engineering attacks. BA, for example, noted payment information of its employees was stolen, but organisations should expect the bulk of data to be ransomed or uploaded to a leak site,” says Timothy West, head of threat intelligence, WithSecure. “It’s yet another reminder of the risks posed through supply chain exposure.”

All software vendors battle security vulnerabilities, but vulnerabilities like this one can have severe consequences, which may be unfairly borne by the victims who use the software, explains Wicus Ross, senior security researcher at Orange Cyberdefense.

“Writing secure software can inflate costs for a vendor, which may disadvantage it in the market, so shortcuts are often taken,” says Ross. “This is how ‘security debt’ is accrued and passed on down the software supply chain. Any time a vendor makes a deliberate security compromise, or honest security mistake, the victims of a resulting cybersecurity incident will have to absorb the costs.”

Interestingly, Clop hackers now claim that they do not have data from the BBC, BA, or Boots.

“We don’t have that data and we told Zellis about it. We just don’t have it. We are an old group and have never deceived anyone, if we say that we do not have information, then we do not have it,” said the hackers in an exchange with the BBC.

This raises an intriguing question: is Clop lying, or has another unknown hacking organisation stolen the data before or during the breach?