UPDATED 21:49 EDT / JUNE 07 2023

SECURITY

Clop gang uses MOVEit vulnerability to target BBC, British Airways and Boots

Days after the U.S. Cybersecurity and Infrastructure Security Agency warned that a critical vulnerability in Progress Software Corp.’s MOVEit file transfer software was actively being exploited, the Clop ransomware gang claims to have used the vulnerability to target various organizations worldwide.

The BBC, itself a victim of the attack, reported today that the Clop group posted a notice on its dark web site warning firms affected by the MOVEit hack to email them before June 14 or stolen data will be published. The report says more than 100,000 staff at the BBC, British Airways Plc and the pharmacy chain Boots UK Ltd. may have had payroll data stolen.

The commonality between them is that they use a company called Zellis UK Ltd. for payroll and it was Zellis that was compromised, as opposed to the companies directly.

“This is announcement to educate companies who use Progress MOVEit product that chance is that we download a lot of your data as part of exceptional exploit,” a post purportedly by Clop stated. SiliconANGLE could not confirm the message because Clop’s dark website was down at the time of writing. The reported message went on to urge victims to email the group to begin negotiations for payment for the nondisclosure of stolen data.

MOVEit is managed file transfer software designed to provide secure and compliant file transfers for sensitive data within and between organizations. It can automate complex workflows, manage and view all file transfer activities in real time, and ensure reliable and predictable file transfer. It supports secure protocols, including FTPS, HTTPS and SFTP, and offers encryption at rest and in transit.

The software’s vulnerability, officially designated CVE-2023-34362, allows an unauthenticated, remote attacker to send a specially crafted SQL injection payload to a vulnerable MOVEit Transfer instance. Successful exploitation gives an attacker access to the underlying MOVEit Transfer instance. Depending on the specific database engine in use, the attacker can infer information about the structure and contents of the database, leading to data exfiltration.

“This attack is a grim reminder of the sheer value of data in the hands of malicious actors,” Javvad Malik, lead security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “Cybercriminals know organizations cannot afford to lose critical data, causing undue pressure to pay large ransoms.”

Malik noted that the Clop attack highlights the crushing effect of data breaches on modern organizations. “Organizations must implement robust security measures that include multi-layered cybersecurity defenses, employee cybersecurity awareness training and a tested incident response plan,” he said. “The key message remains clear: We must prioritize our data and adequately invest in its protection.”

Photo: Dennis HKG/Wikimedia Commons
