weerapat1003 - stock.adobe.com

More data stolen in 2023 MOVEit attacks comes to light

Over a year since the infamous MOVEit Transfer cyber attacks affected thousands of organisations, more new victims have come to light after an anonymous threat actor leaked their data on the dark web

Eighteen months after a major cyber incident in which hundreds of organisations were victimised by a ransomware gang that exploited a zero-day SQL injection vulnerability in Progress Software’s MOVEit Transfer file transfer product, multiple new victims have come to light, including tech giant Amazon, which has confirmed that data on more than two million of its employees has been leaked.

CVE-2023-34362 is a critical zero-day SQL injection vulnerability in the MOVEit Transfer tool, which was patched at the end of May 2023, but unfortunately not before the Cl0p/Clop ransomware operation was able to use it to orchestrate a mass breach of organisations worldwide.

Victims in the UK included the BBC, Boots and British Airways – all of which were compromised via payroll and human resources IT specialist Zellis.

This week, researchers at Hudson Rock published details of a major data leak affecting at least 25 organisations, orchestrated by an actor using the handle Nam3L3ss, who posted them to an underground cyber criminal forum in CSV format.

According to Hudson Rock’s Alon Gal, the data includes employee records from major companies including HP, HSBC, Lenovo, Omnicom, Urban Outfitters, British Telecom and McDonalds, but by some margin the biggest tranche of data – a total of over 2.8 million records – has come from Amazon.

Gal said the dataset included contact information and data on organisational roles and departmental assignments within Amazon, which could put employees at risk of social engineering and tailored phishing attacks.

“Hudson Rock researchers were able to verify the authenticity of the data by cross-referencing emails from the leaks to Linkedin profiles of employees, and to emails found in infostealer infections where employees in the affected companies were involved,” wrote Gal.

In a statement circulated to media, Amazon senior PR manager Adam Montgomery confirmed the veracity of the breach.

“We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations,” said Montgomery.

“Amazon and AWS systems remain secure and we have not experienced a security event,” he said.

Amazon did not name the organisation through which it was affected.

Link to Cl0p?

In screenshots of posts made by Nam3Less, shared with Computer Weekly by researchers at Searchlight Cyber, the actor claimed they were neither a hacker nor affiliated with any ransomware group. They also said they did not buy or sell data, rather they monitored the dark web and other exposed services including AWS Buckets, Azure Blobs, MongoDB servers and the like.

“If a company or government agency is stupid enough not to encrypt its data during transfers or if an admin is too stupid or too lazy to password protect their online storage that is on them,” said Nam3L3ss. “The world should know exactly what these companies and government agencies are leaking.”

Nam3L3ss post screenshot
Threat actor Nam3L3ss claims motivation behind data leak is to hold governments and businesses accountable

Whether or not Nam3L3ss has any link to the Cl0p ransomware gang is unclear and has not yet been confirmed. Despite their own assertions, statements made by threat actors should always be treated sceptically. Nam3L3ss could easily be an affiliate or associate of the gang, but it is equally possible that they came by the data via other means.

“The actor Nam3L3ss claims that they are not a hacker and that they are only sharing data that they have downloaded from other sources. As you can see from the statement that they shared on BreachForums on Tuesday November 12 2024, they claim to be motivated not by financial gain, but out of a desire to hold governments and corporations accountable for protecting citizen data,” said Searchlight threat intelligence analyst Vlad Mironescu. 

“One source of data that the actor commonly uses is information that has been posted on ransomware leak sites. For example, a lot of the data Nam3L3ss shares, including this Amazon data, appears to come from victims of the MOVEit attacks from last year, which was orchestrated by the ransomware group Cl0p. Nam3L3ss doesn’t appear to be associated with Cl0p or any ransomware group but is simply resharing the data they have found.”

Mironescu continued: “It is true that the actor is not selling this data, they are posting it for free or for in-forum credits. However, that does not mean there is no damage done; posting the data for free in BreachForums will put it into the hands of a large number of hackers who could use it for a wide variety of nefarious purposes.”

Dark web

Kevin Robertson, chief operating officer at Acumen Cyber, said: “This leak shows how data makes its way across the dark web, often reappearing in the news long after breaches took place and often in the hands of other attackers.

“The MOVEit breach dominated headlines last year after it impacted thousands of organisations and billions of peoples’ data. It was one of the first examples of a global supply chain attack that got so large even its perpetrators, Cl0p, struggled to ingest the volume of data compromised.

“The attack hasn’t had anywhere near the media coverage this year as it received last year, but this latest update shows that attackers are continuing to monetise from the data. Nam3L3ss is not thought to be a part of the initial MOVEit attack, but some of its data has landed in their hands, which provides evidence of how stolen data is marketed across the dark web,” he said.

Read more about the MOVEit incident

  • Progress Software is facing an investigation from the SEC for the breach of its MOVEit tool, as well as dozens of legal battles resulting from the exfiltration of personal data from the roughly 2,000 organisations affected.
  • The MOVEit cyber attacks that unfolded in the spring and summer of 2023 seem to have driven an increase in both ransomware awareness and spend, according to a report.
  • The Clop cyber extortion gang may have been keeping the MOVEit SQL injection vulnerability they used to penetrate the systems of multiple victims secret for two years.

Read more on Data breach incident management and recovery