The discovery of a critical zero-day flaw in Progress Software’s MOVEit Transfer product has led to a recent wave of cyber attacks against organizations worldwide. HR software provider Zellis and the government of Nova Scotia, Canada, have both suffered breaches as a result of the vulnerability.
Progress disclosed the flaw, an SQL injection bug, on May 31 and urged its customers to apply mitigations immediately. The company had already observed attacks against the software, and it issued a patch later that day. Even so, security vendors such as Rapid7 continued to find the flaw under active exploitation in the wild.
Microsoft also recently published new research attributing the attacks to a group it dubbed “Lace Tempest,” which was linked to the Clop ransomware gang. Multiple organizations have confirmed data breaches that have occurred as a result of the vulnerability, either via the flaw directly or downstream.
U.K.-based Zellis released a press statement indicating that “a small number of our customers have been impacted by this global issue.” The statement said the company immediately disconnected the server running MOVEit software and engaged an external security incident response team to assist with forensic analysis and ongoing monitoring.
The attacks have also affected a number of other organizations, including the BBC, British Airways, and British retailer Boots. British Airways confirmed to TechTarget sister publication ComputerWeekly that its breach originated downstream from the Zellis breach.
In Canada, the government of Nova Scotia confirmed an attack tied to MOVEit Transfer on June 8 and estimated that the personal data of as many as 100,000 past and present public employees may have been compromised. “So far, the provincial investigation indicates that social insurance numbers, addresses, and banking information were stolen. The amount and type of information depends on the employer. This information was shared through the MoveIt file transfer service because this service is used to transfer employee payroll information,” the press release read.
Another institution affected was the New York-based University of Rochester, which disclosed a breach on June 2. It referred to the origin of the attack as “a software vulnerability in a product provided by a third-party file transfer company” that “has affected the University and approximately 2,500 organizations worldwide.” The investigation is ongoing and the full scope of the breach remains unknown.
The Clop ransomware gang has threatened to post victims’ names to its leak site if those organizations do not contact the gang by June 14. The gang has said it will begin publishing victims’ data after seven days if no payment is made.
The attacks have brought into focus the exposure of managed file transfer (MFT) products, which commonly house confidential data. While Progress Software has issued a patch for the flaw, organizations that use MFT products should remain mindful of the risk these products carry and take proactive steps to strengthen their security posture ahead of future threats.
Alexander Culafi, a writer, journalist, and podcaster based in Boston, has suggested that such proactive steps should include conducting regular security assessments and carrying out threat modeling exercises that focus on identifying vulnerabilities from an attacker’s perspective. These measures, along with proper access management and the implementation of security best practices such as those outlined in the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, can help organizations protect themselves from future cyber attacks.