Numerous prominent organizations have reported being affected by the recent MOVEit Transfer zero-day attack, with well-known companies such as BBC, British Airways, and Zellis among the victims. The Cl0p ransomware group has claimed responsibility for the attack. Progress Software alerted its customers on May 31 that its MOVEit Transfer managed file transfer (MFT) software had a critical SQL injection vulnerability, identified as CVE-2023-34362, which could be exploited by an unauthenticated attacker to gain access to databases related to the product. The exploitation of this vulnerability began days prior to the vendor issuing a patch, giving cybercriminals the opportunity to steal data from numerous organizations.
One of the affected companies is UK-based payroll and HR firm Zellis, which acknowledged on Monday that a "small number" of its clients had been impacted. The company stated that its own software was not compromised and there were no indications that any of its other IT systems had been affected. Although Zellis has not revealed the names of the affected clients, several organizations have come forward to admit they were targeted due to their use of Zellis' services. These include British Airways, the BBC, Irish airline Aer Lingus, and UK pharmacy chain Boots.
The BBC has informed its employees that their ID numbers, birth dates, home addresses, and national insurance numbers may have been compromised. British Airways has warned its staff that their bank details may have been stolen by cybercriminals. Additionally, the Canadian province of Nova Scotia has announced that personal information has been breached as a result of the MOVEit attack. The province is currently working to determine the number of affected individuals and the type of data compromised.
Thousands of internet-exposed MOVEit Transfer instances may have been targeted by hackers. Security researcher Kevin Beaumont is aware of over 100 large or prominent organizations that were affected. Microsoft has attributed the attack to the cybercrime group behind the Cl0p ransomware operation, which the company monitors as Lace Tempest. The Cl0p group has confirmed to Reuters journalist Raphael Satter that it was responsible for the attack.
The hackers have suggested that impacted companies will receive ransom demands, and that those who refuse to pay will be named on the group's Tor-based website, where it leaks stolen data after negotiations fail. However, the hackers claimed that military, government, law enforcement, and children's healthcare organizations will not receive ransom demands, and that any data taken from such organizations will be deleted from their systems. Although there is some evidence suggesting that the vulnerability had been known for months, mass exploitation began on May 27, with the attackers likely aiming to take advantage of the Memorial Day weekend to increase their chances of evading detection by security teams. The vulnerability has been exploited to deliver webshells that enable attackers to steal MOVEit user data. This is not the first time the Cl0p ransomware gang has exploited an MFT software zero-day to steal data from numerous organizations: it previously exploited a vulnerability in Fortra's GoAnywhere software to steal data from multiple organizations.