Microsoft says Clop ransomware gang is behind MOVEit mass-hacks, as first victims come forward

Microsoft says Clop ransomware gang is behind MOVEit mass-hacks, as first victims come forward 1

The BBC, British Airways, and Nova Scotia’s government are confirmed victims

Microsoft says Clop ransomware gang is behind MOVEit mass-hacks, as first victims come forward 2

Security researchers have linked a new wave of mass-hacks targeting a popular file transfer tool to the notorious Clop ransomware gang, as the first victims of the attacks begin to come forward.

It was revealed last week that hackers are exploiting a newly discovered vulnerability in MOVEit Transfer, a file-transfer tool widely used by enterprises to share large files over the internet. The vulnerability allows hackers to gain unauthorized access to an affected MOVEit server’s database. Progress Software, which develops the MOVEit software, has already released some patches.

Over the weekend, the first victims of the attacks began to come forward.

Zellis, a U.K.-based human resources software maker and payroll provider, confirmed to ProWellTech that its MOVEit system was compromised, with the incident affecting a “small number” of its corporate customers.

One of those customers is U.K. airline giant British Airways, which told ProWellTech that the breach included the payroll data of all of its U.K.-based employees.

“We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit,” British Airways spokesperson Jason Turnnidge-Betts told ProWellTech. “Zellis provides payroll support services to hundreds of companies in the U.K., of which we are one. We have notified those colleagues whose personal information has been compromised to provide support and advice.”

British Airways didn’t confirm how many employees are affected, but currently has around 35,000 staff worldwide.

The U.K.’s BBC also confirmed it was affected by the incident affecting Zellis. A BBC spokesperson, who declined to provide their name, told ProWellTech: “We are aware of a data breach at our third party supplier, Zellis, and are working closely with them as they urgently investigate the extent of the breach. We take data security extremely seriously and are following the established reporting procedures.”

The government of Nova Scotia, which uses MOVEit to share files across departments, said in a statement that some citizens’ personal information may have been compromised. The Nova Scotia government said it took its affected system offline, and is working to determine “exactly what information was stolen, and how many people have been impacted.”

It was initially unclear who was behind this new wave of hacks, but Microsoft security researchers are attributing the cyberattacks to a group it tracks as “Lace Tempest.” This gang is a known affiliate of the Russia-linked Clop ransomware group, which was previously linked to mass-attacks exploiting flaws in Fortra’s GoAnywhere file transfer tool and Accellion’s file transfer application.

Microsoft researchers said that the exploitation of the MOVEit vulnerability is often followed by data exfiltration.

Mandiant isn’t yet making the same attribution as Microsoft, but noted in a blog post over the weekend that there are “notable” similarities between a newly created threat cluster it’s calling UNC4857 that has as-of-yet “unknown motivations,” and FIN11, a well-established ransomware group known to operate Clop ransomware. “Ongoing analysis of emerging activity may provide additional insights,” Mandiant said.

Charles Carmakal, chief technology officer at Mandiant, confirmed to ProWellTech last week that the company had “seen evidence of data exfiltration at multiple victims.”

It’s likely many more victims of the MOVEit breach will come to light over the next few days.

Shodan, a search engine for publicly exposed devices and databases, showed that more than 2,500 MOVEit Transfer servers were discoverable on the internet.