{"id":92387,"date":"2023-06-06T05:30:00","date_gmt":"2023-06-06T05:30:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=92387"},"modified":"2023-06-06T05:30:00","modified_gmt":"2023-06-06T05:30:00","slug":"victims-of-moveit-sql-injection-zero-day-mount-up","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=92387","title":{"rendered":"Victims of MOVEit SQL injection zero-day mount up"},"content":{"rendered":"<div><img decoding=\"async\" src=\"http:\/\/cloudnewshub.com\/wp-content\/uploads\/2023\/06\/victims-of-moveit-sql-injection-zero-day-mount-up.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Multiple organisations are now coming forward to disclose that they have been affected by cyber attacks originating via <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/366539035\/Zero-day-vulnerability-in-MoveIt-Transfer-under-attack\">a recently disclosed vulnerability<\/a> in Progress Software\u2019s MOVEit file transfer product, which is being widely exploited, including by ransomware operators.<\/p>\n<p>In the past 24 hours, organisations including the BBC, Boots and British Airways (BA) have all confirmed they have been impacted, with the BBC telling staff that ID numbers, dates of birth, home addresses and National Insurance numbers were compromised in the incident. BA staff have also been told their banking details may have been stolen.<\/p>\n<p>In the case of BA and others, the incident began via the systems of <a href=\"https:\/\/www.zellis.com\/\">Zellis<\/a>, a supplier of IT services for payroll and human resources departments. 
A Zellis spokesperson confirmed a \u201csmall number\u201d of the organisation\u2019s customers had been affected.<\/p>\n<p>\u201cAll Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate,\u201d said the spokesperson.<\/p>\n<p>\u201cOnce we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring,\u201d they added.<\/p>\n<p>Zellis said it has notified the relevant authorities in both the UK and Ireland, including the <a href=\"https:\/\/ico.org.uk\/\">Information Commissioner\u2019s Office<\/a> (ICO) and the Irish <a href=\"https:\/\/www.dataprotection.ie\/\">Data Protection Commission<\/a> (DPC).<\/p>\n<p>A BA spokesperson said: \u201cWe have been informed that we are one of the companies impacted by Zellis\u2019 cyber security incident which occurred via one of their third-party suppliers called MOVEit. Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.<\/p>\n<p>\u201cThis incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.\u201d<\/p>\n<p>BA\u2019s parent, IAG, is understood to be working to support those who may be affected, and it has also reported the incident to the ICO of its own accord.<\/p>\n<p>A spokesperson for the UK\u2019s <a href=\"https:\/\/www.ncsc.gov.uk\/\">National Cyber Security Centre<\/a> (NCSC) said that the agency was closely monitoring the situation.<\/p>\n<p>\u201cWe are working to fully understand UK impact following reports of a critical vulnerability affecting MOVEit Transfer software being exploited,\u201d they said. 
\u201cThe NCSC strongly encourages organisations to take immediate action by following vendor best practice advice and applying the recommended security updates.\u201d<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"What is MOVEit?\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>What is MOVEit?<\/h3>\n<p>The MOVEit managed file transfer (MFT) software product was initially developed and released in the early 2000s by a company called Standard Networks. This firm was subsequently acquired by network software specialist Ipswitch, which was itself bought by Progress in 2019.<\/p>\n<p>On Wednesday 31 May 2023, <a href=\"https:\/\/community.progress.com\/s\/article\/MOVEit-Transfer-Critical-Vulnerability-31May2023\">Progress announced it had discovered and patched a critical vulnerability<\/a> in MOVEit impacting all users of the MOVEit Transfer product.<\/p>\n<p>Tracked as CVE-2023-34362, the bug is a SQL injection vulnerability that could enable an unauthenticated actor to access the user\u2019s MOVEit Transfer database and \u2013 depending on whether or not they are using MySQL, Microsoft SQL Server or Azure SQL as their database engine \u2013 infer information about the contents of the database, and execute SQL statements that alter or delete elements of it.<\/p>\n<p>Multiple security firms have been tracking exploitation of CVE-2023-34362 over the past week, including Microsoft, Mandiant and Rapid7.<\/p>\n<p>Microsoft said it was prepared to attribute attacks exploiting the vulnerability <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1665537730946670595\">to a threat actor it is now tracking as Lace Tempest<\/a>, a ransomware operator that is best known for running the Clop (aka Cl0p) operation.<\/p>\n<p>Cl0p is a particularly virulent strain of ransomware and its operators are widely known to be especially partial to issues affecting file transfer processes. 
Earlier this year, they were behind a spate of attacks that exploited a vulnerability in the Fortra GoAnywhere MFT tool <a href=\"https:\/\/www.computerweekly.com\/news\/365534861\/Clop-ransomware-booms-in-March-as-Fortra-zero-day-pays-off-for-gang\">to attack the systems of more than 90 victims<\/a>, <a href=\"https:\/\/www.computerweekly.com\/news\/365532643\/Rubrik-customer-partner-data-exposed-in-possible-Clop-attack\">including storage and security firm Rubrik<\/a>.<\/p>\n<p>Mandiant said it had also observed at least one actor associated with Clop <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/zero-day-moveit-data-theft\">seeking partners to work on SQL injection vulnerabilities<\/a>, but that it did not have enough evidence to determine a link between activity associated with the MOVEit vulnerability and the ransomware gang. Its analysts said they expected more victims to begin receiving ransom demands in the coming weeks.<\/p>\n<p>Rapid7 said that the behaviour it had observed exploiting CVE-2023-34362 was <a href=\"https:\/\/www.rapid7.com\/blog\/post\/2023\/06\/01\/rapid7-observed-exploitation-of-critical-moveit-transfer-vulnerability\/\">mostly opportunistic rather than targeted<\/a>.<\/p>\n<p>Its analysts said: \u201cThe uniformity of the artifacts we\u2019re seeing could plausibly be the work of a single threat actor throwing one exploit indiscriminately at exposed targets.\u201d<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"Assume breach\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>Assume breach<\/h3>\n<p><a href=\"https:\/\/darktrace.com\/\">Darktrace<\/a> head of threat analysis, Toby Lewis, said that although CVE-2023-34362 does not seem to provide sufficient access to directly deploy ransomware, nor allow an attacker to move laterally through the victim\u2019s network, it was still possible for it to be of use to an operator such as Clop.<\/p>\n<p>\u201cIf sensitive material 
is being transferred through MOVEit, this exploit can expose enterprises to extortion with the threat of publication of stolen data,\u201d he said.<\/p>\n<p>\u201cZellis is just one customer of MOVEit and there will likely be other organisations affected that have not yet been disclosed. Zellis will likely have been a victim of opportunistic scanning and exploitation; this may have been occurring across a number of weeks, even though it was only publicly disclosed last week. This incident appears to be limited to data theft from customers of the MOVEit platform,\u201d he said.<\/p>\n<p><a href=\"https:\/\/www.reliaquest.com\/\">ReliaQuest<\/a> CISO Rick Holland said the incident was still in its early stages and would take some time to play out.<\/p>\n<p>\u201cThe number of victims in this current campaign remains to be seen, but any organisation that exposed the vulnerable MOVEit solutions to the internet must assume breach,\u201d Holland told Computer Weekly in emailed comments.<\/p>\n<p>\u201cAs we have seen with other vulnerabilities, there is a feeding frenzy once the vulnerability becomes publicly known; if Clop didn\u2019t compromise MOVEit, other threat actors might have. Organisations that have not received a ransom note shouldn\u2019t assume they are in the clear.<\/p>\n<p>\u201cThe threat group has likely compromised so many organisations that it may take them time to work through the victim queue,\u201d he added.<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Multiple organisations are now coming forward to disclose that they have been affected by cyber attacks originating via a recently disclosed vulnerability in Progress Software\u2019s MOVEit file transfer product, which is being widely exploited, including by ransomware operators. 
In the past 24 hours, organisations including the BBC, Boots and British Airways (BA) have all confirmed [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":92388,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-92387","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92387","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92387"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92387\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/92388"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}