Oil and gas giant Shell has become a victim of the Clop ransomware attack, which exploits a zero-day vulnerability in the MOVEit software. The vulnerability, identified as CVE-2023-34362, is being actively exploited by threat actors to steal data from organizations around the world. Shell is currently investigating the security breach and has stated that the attack has not affected its core IT systems.
Shell US spokesperson Anna Arata said in a statement, "We are aware of a cyber security incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers." She added, "There is no evidence of impact to Shell’s core IT systems." Arata also mentioned that their IT teams are working to understand and manage any risks and take appropriate action.
The Clop ransomware gang claims to have hacked hundreds of companies by exploiting the CVE-2023-34362 vulnerability. Researchers from Kroll discovered that the Clop gang had been searching for a zero-day exploit in the MOVEit software since 2021. As of now, the ransomware group has added 27 companies to its list of victims on its dark web leak site, claiming to have compromised them by exploiting the zero-day vulnerability.
The group published a message on its leak site addressing the theft of data from government agencies reported by some media outlets: "WE GOT A LOT OF EMAILS ABOUT GOVERNMENT DATA, WE DON’T HAVE ANY GOVERNMENT DATA AND ANYTHING DIRECTLY RESIDING ON EXPOSED AND BAD PROTECTED NOT ENCRYPTED FILE TRANSFER WE STILL DO THE POLITE THING AND DELETE ALL. ALL MEDIA SPEAKING ABOUT THIS ARE DO WHAT ALWAYS THEY DO. PROVIDE LITTLE TRUTH IN A BIG LIE. WE ALSO WANT TO REMIND ALL COMPANY THAT IF YOU PUT DATA ON INTERNET WHERE DATA IS NOT PROTECT DO NOT BLAME US FOR PENETRATION TESTING SERVICE. WE ARE ONLY FINANCIAL MOTIVATED AND DO NOT CARE ANYTHING ABOUT POLITICS."
By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States. At this time, the number of installs located in the UK is 127. UK's communications regulator Ofcom is another victim of the ongoing ransomware campaign conducted by the Clop group.
In a recent data breach, payroll services provider Zellis was hacked, affecting companies like the BBC, British Airways, Boots, and Aer Lingus. The instance of MOVEit Transfer managed by Zellis was used by the company to exchange files with several other companies, indicating that the number of impacted firms could be significant. Personal data of employees at the BBC and British Airways has been compromised and exposed as a result of the cyber attack on Zellis. Boots and Aer Lingus also confirmed being impacted by the attack.
In March 2021, Shell disclosed another data breach resulting from the compromise of an Accellion File Transfer Appliance (FTA) used by the company.