Sergey Nivens - stock.adobe.com

Victims of MOVEit SQL injection zero-day mount up

The BBC, Boots, and British Airways are among the victims of cyber incidents arising from a recently disclosed vulnerability in the MOVEit file transfer, exploitation of which is spreading fast

Multiple organisations are now coming forward to disclose that they have been affected by cyber attacks originating via a recently disclosed vulnerability in Progress Software’s MOVEit file transfer product, which is being widely exploited, including by ransomware operators.

In the past 24 hours, organisations including the BBC, Boots and British Airways (BA) have all confirmed they have been impacted, with the BBC telling staff that ID numbers, dates of birth, home addresses and National Insurance numbers were compromised in the incident. BA staff have also been told their banking details may have been stolen.

In the case of BA and others, the incident began via the systems of Zellis, a supplier of IT services for payroll and human resources departments. A Zellis spokesperson confirmed a “small number” of the organisations customers had been affected.

“All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate,” said the spokesperson.

“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring,” they added.

Zellis said it has notified the relevant authorities in both the UK and Ireland, including the Information Commissioner’s Office (ICO) and the Irish Data Protection Commission (DPC).

A BA spokesperson said: “We have been informed that we are one of the companies impacted by Zellis’ cyber security incident which occurred via one of their third-party suppliers called MOVEit. Zellis provides payroll support services to hundreds of companies in the UK, of which we are one.

“This incident happened because of a new and previously unknown vulnerability in a widely used MOVEit file transfer tool. We have notified those colleagues whose personal information has been compromised to provide support and advice.”

BA’s parent, IAG, is understood to be working to support those who may be affected, and it has also reported the incident to the ICO of its own accord.

A spokesperson for the UK’s National Cyber Security Centre (NCSC) said that the agency was closely monitoring the situation.

“We are working to fully understand UK impact following reports of a critical vulnerability affecting MOVEit Transfer software being exploited,” they said. “The NCSC strongly encourages organisations to take immediate action by following vendor best practice advice and applying the recommended security updates.”

What is MOVEit?

The MOVEit managed file transfer (MFT) software product was initially developed and released in the early 2000s by a company called Standard Networks. This firm was subsequently acquired by network software specialist Ipswitch, which was itself bought by Progress in 2019.

On Wednesday 31 May 2023, Progress announced it had discovered and patched a critical vulnerability in MOVEit impacting all users of the MOVEit transfer product.

Tracked as CVE-2023-34362, the bug is a SQL injection vulnerability that could enable an unauthenticated actor to access the user’s MOVEit Transfer database and – depending on whether or not they are using MySQL, Microsoft SQL Server or Azure SQL as their database engine – infer information about the contents of the database, and execute SQL statements that alter or delete elements of it.

Multiple security firms have been tracking exploitation of CVE-2023-34362 over the past week, including Microsoft, Mandiant and Rapid7.

Microsoft said it was prepared to attribute attacks exploiting the vulnerability to a threat actor it is now tracking as Lace Tempest, a ransomware operator that is best known for running the Clop (aka Cl0p) operation.

Cl0p is a particularly virulent strain of ransomware and its operators are widely-known to be especially partial to issues affected file transfer processes. Earlier this year, they were behind a spate of attacks that exploited a vulnerability in the Fortra GoAnywhere MFT tool to attack the systems of more than 90 victims, including storage and security firm Rubrik.

Mandiant said it had also observed at least one actor associated with Clop seeking partners to work on SQL injection vulnerabilities, but that it did not have enough evidence to determine a link between activity associated with the MOVEit vulnerability and the ransomware gang. Its analysts said they expected more victims to begin receiving ransom demands in the coming weeks.

Rapid7 said that the behaviour it had observed exploiting CVE-2023-34362 was mostly opportunistic rather than targeted.

Its analysts said: “The uniformity of the artifacts we’re seeing could plausibly be the work of a single threat actor throwing one exploit indiscriminately at exposed targets.”

A spokesperson for MOVEit said: “Our customers have been, and will always be, our top priority. When we discovered the vulnerability, we promptly launched an investigation, alerted MOVEit customers about the issue and provided immediate mitigation steps. We disabled web access to MOVEit Cloud to protect our cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.

“We are continuing to work with industry-leading cyber security experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability. We are also committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cyber criminals intent on maliciously exploiting vulnerabilities in widely used software products. Additional details are available on our knowledge base articles for MOVEit Transfer and MOVEit Cloud.”

Assume breach

Darktrace head of threat analysis, Toby Lewis, said that although CVE-2023-34362 does not seem to provide sufficient access to directly deploy ransomware, nor allow an attacker to move laterally through the victim’s network, it was still possible for it to be of use to an operator such as Clop.

“If sensitive material is being transferred through MOVEit, this exploit can expose enterprises to extortion with the threat of publication of stolen data,” he said.

“Zellis is just one customer of MOVEit and there will likely be other organisations affected that have not yet been disclosed. Zellis will likely have been a victim of opportunistic scanning and exploitation; this may have been occurring across a number of weeks, even though it was only publicly disclosed last week. This incident appears to be limited to data theft from customers of the MOVEit platform,” he said.

ReliaQuest CISO Rick Holland said the incident was still in its early stages and would take some time to play out.

“The number of victims in this current campaign remains to be seen, but any organisation that exposed the vulnerable MOVEit solutions to the internet must assume breach,” Holland told Computer Weekly in emailed comments.

“As we have seen with other vulnerabilities, there is a feeding frenzy once the vulnerability becomes publicly known; if Clop didn’t compromise MOVEit, other threat actors might have. Organisations that have not received a ransom note shouldn't assume they are in the clear.

“The threat group has likely compromised so many organisations that it may take them time to work through the victim queue,” he added.

This article was edited on Wednesday 7 June at 2:20pm to incorporate a statement from MOVEit

Read more about the MOVEit incident

Read more on Data breach incident management and recovery