Updated June 6 with details on the RCE vulnerability itself, which is not just SQL injection. The attack vector "offers the ability to detonate ransomware right away," say security researchers at Huntress Labs.
The BBC, British Airways and Boots have all confirmed data breaches as a result of an attack on Zellis, a British enterprise payroll provider.
Zellis has fallen victim to exploitation of a zero day (previously unknown) vulnerability in enterprise file transfer software “MOVEit Transfer.”
BA confirmed the association today to Sky News, saying “... we are one of the companies impacted by Zellis's cybersecurity incident which occurred via one of their third-party suppliers called MOVEit."
A URL scan query for exposed MOVEit instances reveals scores of blue chips with MOVEit instances exposed to the public internet. All may have patched rapidly, but the finding does emphasise the scale of the risk.
The MOVEit vulnerability, CVE-2023-34362, was first disclosed by owner Progress Software on May 31. Attacks appear to have started earlier in May. Automated exploitation of the vulnerability rapidly followed, with the same webshell name being dropped in multiple customer environments.
Analysis of the vulnerability this week by Huntress Labs revealed that the initial phase of the attack, SQL injection, opens the door for even further compromise -- specifically, arbitrary code execution: "This means that any unauthenticated adversary could trigger an exploit that instantly deploys ransomware or performs any other malicious action. Malicious code would run under the MOVEit service account user moveitsvc, which is in the local administrators group. The attacker could disable antivirus protections, or achieve any other arbitrary code execution.
The behavior that the industry observed, adding a human2.aspx webshell, is not necessary for attackers to compromise the MOVEit Transfer software. It's "an option" that this specific threat chose to deploy for persistence, but the attack vector offers the ability to detonate ransomware right away. Some have already publicly reported attackers pivoting to other file names," Huntress said.
Zellis data breach: What happened?
The incident is a textbook case of how software supply chain attacks reverberate downstream and create a positive feedback loop for hackers.
- A software provider finds itself exposed to an exploitable vulnerability. (Sometimes because it did not robustly test its software for common bugs introduced during build processes; here, reportedly* the second severe SQL injection vulnerability in this product recently...)
- Some black hat hacker identifies the vulnerability (perhaps by doing the systematic fuzzing, or checking for such bugs, that the software provider may not have done robustly in its hurry to ship a product.)
- Anyone exposing “instances” of the software in question gets hit; in this case companies like Zellis (several others have been affected.)
- Further downstream, potentially critical information (often involving sensitive PII) is leaked from companies like Zellis' victims that can be used in further attacks including targeted phishing attempts.
Microsoft is attributing the attacks to a threat group it dubs Lace Tempest, known for ransomware operations and running the Clop extortion site.
Charles Carmakal, CTO, Mandiant Consulting - Google Cloud, said: "At this stage it is critical for victim organisations to prepare for potential extortion, publication of stolen data, and victim shaming. It is likely that the threat actor will soon begin to make contact with extortion demands and begin to work through their list of victims. Mandiant’s investigations into prior campaigns from the suspected threat actor show that extortion demands are usually in the 7- or 8-figure range, including a few demands for more than $35 million.
He added: "Any organisation that had the MOVEit web interface exposed to the internet should perform a forensic analysis of the system, irrespective of when the software was patched. There may be further waves of exploitation and data theft, so implement the patch or mitigations. Additionally, subsequent waves may include the deployment of ransomware encryptors. Watch out for scammers too. Some of our clients impacted by the MOVEit exploitation received extortion emails over the weekend. The extortion emails were unrelated to the MOVEit exploitation and were just scams, but organisations could easily confuse them as being authentic."
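Huntress's point above (the human2.aspx webshell is optional, and attackers have been reported pivoting to other file names) and Mandiant's advice to perform forensic analysis on any host that had the MOVEit web interface exposed both argue for baselining rather than hunting for one filename. The script below is an added example written for this article, not code from Progress, Huntress or Mandiant: it flags .aspx handlers in the web root, and requests for .aspx paths in W3C-format IIS logs, that are not in a defender-supplied baseline. The baseline file names, the log lines and the directory listing are constructed placeholders; a real baseline should be built from a known-good install of the same MOVEit Transfer version.

```python
"""Baseline-driven hunt for unexpected .aspx handlers on a MOVEit Transfer host.

Added example for this article, not project code. EXPECTED_HANDLERS, the
sample log and the sample listing are constructed for illustration.
"""
import posixpath

# Assumption: basenames of .aspx handlers verified against a clean install of
# the same version. Placeholder names, not the real MOVEit file inventory.
EXPECTED_HANDLERS = {"human.aspx", "machine.aspx", "guestaccess.aspx"}

# Webshell name reported in this campaign (from the article). Attackers were
# also reported pivoting to other names, so the baseline check below matters
# more than this list does.
KNOWN_BAD = {"human2.aspx"}

# Default field order for IIS W3C extended logs, used only if no '#Fields:'
# header precedes the data lines.
DEFAULT_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
                  "cs-username c-ip cs(User-Agent) cs(Referer) sc-status").split()

# Constructed sample log, modelled on the IIS W3C format; not a real capture.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2023-05-28 03:14:07 10.0.0.5 GET /human.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200
2023-05-28 03:14:09 10.0.0.5 GET /machine.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200
2023-05-28 03:14:11 10.0.0.5 GET /human2.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200
2023-05-28 03:14:20 10.0.0.5 GET /reports2.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 404
"""


def parse_w3c(lines):
    """Yield one dict per data line, honouring any '#Fields:' header seen."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if len(values) < len(fields):
            continue  # truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def suspicious_requests(lines):
    """Return (uri, reason) for requests to known-bad or un-baselined .aspx paths."""
    hits = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "").lower()
        if not uri.endswith(".aspx"):
            continue
        name = posixpath.basename(uri)
        if name in KNOWN_BAD:
            hits.append((uri, "known webshell name"))
        elif name not in EXPECTED_HANDLERS:
            hits.append((uri, "aspx handler not in baseline"))
    return hits


def unexpected_files(listing):
    """Given web-root-relative paths, return .aspx files absent from the baseline."""
    return sorted(
        path for path in listing
        if path.lower().endswith(".aspx")
        and posixpath.basename(path.lower()) not in EXPECTED_HANDLERS
    )


if __name__ == "__main__":
    # Constructed directory listing of a web root; not from a real host.
    sample_listing = ["human.aspx", "human2.aspx", "machine.aspx", "images/logo.png"]
    for uri, reason in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"log hit: {uri} ({reason})")
    for path in unexpected_files(sample_listing):
        print(f"file hit: {path}")
```

Because Huntress notes the webshell is only one option the actor chose, an empty result from either check does not clear a host that was exposed: it removes one indicator, and the forensic review Mandiant recommends still applies. A 404 on an un-baselined .aspx path, as in the last sample line, is still worth recording, since it shows the path being probed even if the file was not present at that moment.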
Zellis data breach: File transfers in the crosshairs
The service is the latest in a string of enterprise-scale file transfer services to be hit. Accellion (CVE-2021-27101), Fortra GoAnywhere (CVE-2023-0669), SolarWinds Serv-U (CVE-2021-35211) and IBM Aspera Faspex (CVE-2022-47986) have all been successfully attacked in the past 24 months.
(CISOs may want to take a long, hard look at how they are ensuring the security of such third-party software handling enterprise files.)
Zellis said in its own statement: "A large number of companies around the world have been affected by a zero-day vulnerability in Progress Software's MOVEit Transfer product... a small number of our customers have been impacted by this global issue and we are actively working to support them.
"All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.
"Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring," the company added.
Kingsley Hayes, Head of Data and Privacy Litigation at Keller Postman UK, noted to The Stack in an emailed comment: “When data hacks involving third parties occur - such as in this latest data breach - there are always questions about who is to blame. It’s a tricky question to answer, especially in this case where there are multiple points of failure.
"Nevertheless, while it was MOVEit that was hacked, employers remain responsible for the security of their employee data. Following the breach, the ICO will likely want to know more about the affected organisations’ security measures, and their relationships with Zellis in regards to data protection.”
*Some debate about the attack path continues among security researchers, although doubtless for not much longer. Progress itself describes it as a SQL injection issue.