UK communications regulator Ofcom has revealed it is among the organisations to have been compromised by the Russian-speaking Clop cyber crime gang following its exploit of a SQL injection vulnerability in Progress Software’s MOVEit Transfer managed file transfer service.
Ofcom confirmed earlier today that a “limited amount” of information about companies it regulates – some of it confidential – alongside the personal data of 412 of its own employees, was downloaded in the attack.
“The security of commercially confidential and sensitive personal information provided to Ofcom is taken extremely seriously,” an Ofcom spokesperson said.
“We took immediate action to prevent further use of the MOVEit service and to implement the recommended security measures. We also swiftly alerted all affected Ofcom-regulated companies, and we continue to offer support and assistance to our colleagues.
“No Ofcom systems were compromised during the attack,” they added.
NordVPN’s Marijus Briedis commented: “Stealing personal and company data from under the nose of the UK’s media regulator will be another feather in the cap of the cyber criminals behind the MOVEit hack.
“The large scale of the attack and high-profile victims like the BBC, British Airways and now Ofcom suggests this was meticulously planned….
Briedis added: “This significant data heist will raise the attackers’ profile within the competitive ransomware-for-hire market that exists on the dark web. It also shows the ongoing risk of supply chain attacks on the UK, with opportunistic hackers looking to prey upon third-party services as a path to landing a big fish further down the line.”
As the clock ticks down on Clop’s deadline for victims to contact it – lest they find their data leaked online – details of more victims continue to emerge.
Ireland’s Health Service Executive (HSE) – previously the victim of a major ransomware attack by the Conti cyber crime syndicate – is among those to have disclosed a breach following the attack.
Like a number of other victims, the HSE was compromised in a so-called supply chain attack via the systems of an external service provider that used MOVEit Transfer, in this case professional services firm EY.
Progress Software’s woes continue
Prior to the weekend, Progress Software, the company behind MOVEit, disclosed another vulnerability in the product, uncovered with the help of third-party researchers, which may have a similar impact.
A patch for this vulnerability was released on 9 June. MOVEit Transfer users can find more details about the vulnerability here.