The deadline set by the Clop cyber crime gang for victims whose data was exfiltrated in a mass breach of Progress Software’s MOVEit Transfer tool to contact the criminals to negotiate a ransom passes today (14 June).
The gang has hit multiple users of the MOVEit managed file transfer product via a SQL injection vulnerability since the end of May, stealing personal data on hundreds of thousands of people, a great many of them in the UK. It is not known to have executed its ransomware locker in any of the publicly disclosed cases; instead it is extorting money from victims in exchange for not publishing the stolen data.
Known victims in the UK include the BBC, Boots, British Airways, EY and Ofcom. Many of these organisations have been targeted through third-party IT suppliers and other contractors, notably HR and payroll software supplier Zellis. Extreme Networks is also known to have been targeted, but has otherwise maintained its silence. Multiple other victims have been reported in Canada, Ireland, Malaysia and the US.
At the time of writing, no data had yet been published, and SonicWall EMEA vice-president Spencer Starkey urged victims to hold the line in the face of the gang’s threats and grandstanding.
“As the clock ticks closer, businesses impacted by the MOVEit hack may be tempted to pay off the hackers and move on. While this appears as the fastest way to resolve this, in fact, it actually feeds the monster, encouraging more attacks,” said Starkey.
“On the other hand, not paying might lead to potential data loss and the cost of restoring systems, but it also helps starve these criminal operations and may discourage future attacks.
“At this stage, the key is customer and employee communication. The companies impacted must always strive to keep those channels flowing both ways, to reassure those who may be affected that they are doing everything possible to recover from and resolve the incident,” he said.
Alex Hinchcliffe, a threat intelligence analyst at Palo Alto Networks’ Unit 42, said it was likely that Clop would follow through on its threats if its victims do not cooperate.
“Having tracked this group since 2021, we know they are extremely aggressive. When victims don’t pay the ransom or ignore threats, their confidential data is publicly exposed. The threat actors behind Clop also leverage a variety of extortion techniques, such as targeting workstations of top executives, doxxing employees and advertising their breaches to reporters,” he said.
“While the number of exposed servers appears low, the current tally of prestigious victims confirms how this group has graduated from ransomware delivered through malicious spam to being used in targeted campaigns against high-profile organisations.”
The roster of UK organisations that have suffered data breaches in the wake of the MOVEit incident is continuing to grow, with Transport for London (TfL) confirmed as a victim.
The organisation, which runs bus and tube services across the capital, said it was compromised via a contractor who used the MOVEit software – although it has previously counted itself among Progress’ customers.
A TfL spokesperson told the BBC: “The issue has been fixed and the IT systems have been secured. The data in question did not include banking details and we are writing to all of those involved to make them aware of the incident.”
Those being notified comprise approximately 13,000 drivers whose data was held by the undisclosed contractor in a database of information on people who had paid either London’s Congestion Charge, or to operate an older, more polluting vehicle within the Ultra Low Emission Zone (ULEZ) – an area bounded by the North and South Circular roads.
TfL additionally said that no data on any of its passengers – who make approximately 2.5 billion trips every year – had been compromised.
MOVEit cyber attack timeline
- 31 May: Rapid7 observed exploitation of a SQL injection vulnerability in Progress Software’s managed file transfer product.
- 5 June: Microsoft said the recently disclosed zero-day flaw in Progress Software’s managed file transfer product is being exploited by threat actors connected to the Clop ransomware gang.
- 6 June: The BBC, Boots and British Airways are among the victims of cyber incidents arising from a recently disclosed vulnerability in the MOVEit file transfer product, exploitation of which is spreading fast.
- 7 June: The Clop cyber extortion and ransomware operation is demanding organisations pay a ransom to avoid data stolen via an exploited vulnerability in a file transfer product being leaked.
- 8 June: The Clop cyber extortion gang may have been keeping the MOVEit SQL injection vulnerability it used to penetrate the systems of multiple victims secret for two years.
- 9 June: Network equipment and services supplier Extreme Networks revealed its instance of Progress Software’s MOVEit tool was compromised in the ongoing Clop cyber attack.
- 9 June: Progress Software released a patch for a second MOVEit Transfer issue, which was uncovered by third-party security specialist Huntress Security during post-incident code scanning.
- 12 June: Communications regulator Ofcom said data on employees and regulated communications companies was stolen by the Clop gang.