Organizations big and small are falling prey to the mass exploitation of a critical vulnerability in a widely used file-transfer program. The exploitation started over the Memorial Day holiday—while the critical vulnerability was still a zeroday—and continues now, some nine days later.
As of Monday evening, payroll service Zellis, the Canadian province of Nova Scotia, British Airways, the BBC, and UK retailer Boots were all known to have had data stolen through the attacks, which are fueled by a recently patched vulnerability in MOVEit, a file-transfer provider that offers both cloud and on-premises services. Both Nova Scotia and Zellis had their own instances or cloud services breached. British Airways, the BBC, and Boots were customers of Zellis. All of the hacking activity has been attributed to the Russian-speaking Clop crime syndicate.
Widespread and rather substantial
Despite the relatively small number of confirmed breaches, researchers monitoring the ongoing attacks are describing the exploitation as widespread. They liken the hacks to smash-and-grab robberies, in which a window is broken and thieves grab whatever they can, and warned that the quick-moving heists are hitting banks, government agencies, and other targets in alarmingly high numbers.
“We have a handful of customers that were running MOVEit Transfer open to the Internet, and they were all compromised,” Steven Adair, president of security firm Volexity, wrote in an email. “Other folks we have talked to have seen similar.”
I do not want to categorize our customers at this point since I do not know what all is out there in terms of who is running the software and give them away. With that said, though—it’s both massive and small organizations that have been hit. The cases we have looked into have all involved some level of data exfiltration. The attackers typically grabbed files from the MOVEit servers less than two hours after exploitation and shell access. We believe this was likely widespread and a rather substantial number of MOVEit Transfer servers that were running Internet-facing web services were compromised.
Caitlin Condon, a senior manager of security research who leads the research arm of security firm Rapid7, said normally her team reserves the term “widespread threat” for events involving “many attackers, many targets.” The attacks underway have neither. So far there’s only one known attacker: Clop, a Russian-speaking group that’s among the most prolific and active ransomware actors. And with the Shodan search engine indexing just 2,510 Internet-facing MOVEit instances when the attacks began, it’s fair to say there aren’t “many targets,” relatively speaking.
In this case, however, Rapid7 is making an exception.
“We aren’t seeing commodity threat actors or low-skill attackers throwing exploits here, but the exploitation of available high-value targets globally across a wide range of org sizes, verticals, and geo-locations tips the scale for us on classifying this as a widespread threat,” she explained in a text message.
She noted that Monday was only the third business day since the incident became widely known, and many victims may only now be learning they were compromised. “We expect to see a longer list of victims come out as time goes on, particularly as regulatory requirements for reporting come into play,” she wrote.
Independent researcher Kevin Beaumont, meanwhile, said on social media on Sunday night: “I’ve been tracking this—there are a double-digit number of orgs who had data stolen, that includes multiple US Government and banking orgs.”
The MOVEit vulnerability stems from a security flaw that allows for SQL injection, one of the oldest and most common classes of exploit. Often abbreviated as SQLi, these vulnerabilities usually stem from a failure by a Web application to adequately scrub search queries and other user input of characters that an app might consider a command. By entering specially crafted strings into vulnerable website fields, attackers can trick a Web app into returning confidential data, giving administrative system privileges, or subverting the way the app works.