On June 5, 2023, a representative of a top Russian data theft and ransomware operation confirmed the gang’s role in a series of cyberattacks that began the previous weekend, exploiting a zero-day[1] vulnerability in the MOVEit[2] file transfer platform. The gang leveraged the flaw to breach servers and steal data from multiple victims, including UK-based human resources/payroll giant Zellis.[3] The attacks appeared timed to coincide with a holiday weekend (Memorial Day in the U.S.), a tactic the attackers have used in the past to catch victims off guard and potentially understaffed.
According to Zellis, only a small number of its customers were impacted by the MOVEit attacks. While the gang did not immediately disclose any victims’ names, several high-profile Zellis clients stepped forward to confirm breaches, among them major airlines (British Airways and Ireland’s flag carrier Aer Lingus), UK public broadcaster the BBC, and UK-based pharmacy/health/beauty retailer Boots. The stolen data allegedly includes personal information such as names, addresses, national insurance numbers, and banking details.
Security researchers predict that the MOVEit attacks could be far-reaching: more than 3,800 internet-exposed hosts were observed running the file transfer software, a popular platform in the financial, government, and education sectors. During the attacks, threat actors dropped customized webshells[4] on victims’ servers to download files and steal credentials for configured Azure Blob Storage[5] containers.
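As an added example (not code from this page, and not code from the MOVEit product or its vendor), the following Python script shows the kind of check a responder could run against a file transfer server’s web root after a report like the one above: hash the script files of a known-good install, then diff a live copy against that baseline and grade any new or modified page for constructs typical of webshell loaders. The indicator patterns, file names and sample page contents are constructed for the demo and are assumptions, not indicators taken from this campaign.

```python
"""Baseline-and-diff triage for script files under a web root.

Added example: not from the page or from MOVEit. Indicator patterns,
paths and sample pages are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass, field

# Server-side script extensions an IIS/ASP.NET application serves (assumed list).
SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asp"}

# Constructs that rarely appear in ordinary application pages but are typical of
# webshell loaders: reading attacker-supplied headers as a command channel,
# spawning processes, decoding inline payloads, reflective loading and raw
# byte responses used for file exfiltration.  Heuristic and assumed.
INDICATORS = {
    r"Request\.Headers\[": "reads request header as command channel",
    r"Process\.Start": "spawns a process",
    r"Convert\.FromBase64String": "decodes embedded payload",
    r"Assembly\.Load": "loads code via reflection",
    r"Response\.BinaryWrite": "streams raw bytes back (file exfil)",
}


@dataclass
class Finding:
    path: str
    reason: str  # "new file" or "modified file"
    indicators: list = field(default_factory=list)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every script file under root; run this on a known-good install."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                p = os.path.join(dirpath, name)
                baseline[os.path.relpath(p, root)] = sha256_of(p)
    return baseline


def content_indicators(path):
    """Return the descriptions of every indicator pattern found in the file."""
    with open(path, "r", errors="replace") as f:
        text = f.read()
    return [desc for pat, desc in INDICATORS.items() if re.search(pat, text)]


def scan_webroot(root, baseline):
    """Flag script files that are absent from, or differ from, the baseline."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXT:
                continue
            p = os.path.join(dirpath, name)
            rel = os.path.relpath(p, root)
            if rel not in baseline:
                findings.append(Finding(rel, "new file", content_indicators(p)))
            elif sha256_of(p) != baseline[rel]:
                findings.append(Finding(rel, "modified file", content_indicators(p)))
    findings.sort(key=lambda f: f.path)
    return findings


def demo():
    """Build a constructed web root, baseline it, then simulate a compromise."""
    root = tempfile.mkdtemp()
    legit = os.path.join(root, "Login.aspx")
    with open(legit, "w") as f:
        f.write('<%@ Page Language="C#" %><form runat="server">...</form>')
    baseline = build_baseline(root)

    # Simulated post-exploitation changes (constructed, not a real shell):
    # a legitimate page gets a process-spawning stub appended ...
    with open(legit, "a") as f:
        f.write('<% System.Diagnostics.Process.Start("cmd.exe"); %>')
    # ... and a brand-new page takes input from a header and streams bytes back.
    with open(os.path.join(root, "helper.aspx"), "w") as f:
        f.write('<%@ Page Language="C#" %><% var k = Request.Headers["X-cmd"]; '
                "Response.BinaryWrite(Convert.FromBase64String(k)); %>")
    return scan_webroot(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding.path, finding.reason, finding.indicators)
```

The baseline step is the part that matters: without a hash manifest from a clean install, a responder is left guessing which pages belong to the product, and the content heuristics alone will miss a shell that avoids the listed constructs. Run the baseline at install or patch time and store it off the server.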
Researchers noted that exploitation of the MOVEit service is consistent with the gang’s recent modus operandi. First, the operation has previously targeted zero-day vulnerabilities in file transfer platforms. In early 2023, the gang leveraged CVE-2023-0669[6] in Fortra’s GoAnywhere MFT[7] secure file transfer platform to attack the U.S.-based healthcare provider Community Health Systems[8] (CHS), compromising up to a million patients’ records. The gang has also leveraged the Accellion[9] file transfer tool to steal data from victims in the energy, financial, retail, and education sectors.
Second, the gang did not appear to encrypt data in the MOVEit attacks, opting instead for a data theft and extortion[10] (DTE) approach, a strategy that is increasingly replacing traditional ransomware attacks, which may be viewed as a less efficient and riskier way to extract ransoms from victims.[11] The gang has previously told an open source (OSINT) news site directly that DTE is now its preferred method of attack.
DIVING DEEPER
Cybersixgill observed activity on underground sources related to the MOVEit flaw and interest in the data stolen in related attacks. This activity includes posts on multiple Russian cybercrime forums seeking the data from Zellis-related victims of the MOVEit attacks.
In the post below from a top dark web forum, a member specifically requested data from UK-based victims of MOVEit attacks, offering up to $100,000 for the requested content. The forum member has a reputation score of 6/10 and specifically referenced Zellis. Without identifying the ultimate goal, the forum member claimed that the data would be used by a team dedicated to leveraging UK-sourced data. The forum member also offered to “process” the data for a percentage of the profits, without elaborating on the services being offered.
Based on a number of characteristics observed by Cybersixgill, the forum member appears to be an experienced threat actor. Their presence on the forum dates back to 2020, with high levels of activity in the past few years. In the posts Cybersixgill collected from the forum member, they expressed interest in a wide range of cybercriminal activity, including ransomware, carding, bots, SIM card swaps, stolen databases, remote access trojans (RATs), and information stealers.
In the post below, the forum member insisted on using the forum’s guarantor (escrow) service, which reflects awareness of the dark web scammers and fraudsters who prey on each other. Cybersixgill also observed an identical post from a threat actor with a different name on another popular Russian forum, which suggests that the same individual may be active on multiple dark web forums under different aliases to avoid being tracked. Interest in the Zellis-related data from the MOVEit breaches mere days after the attacks suggests threat actors may have no problem profiting from the breach, even if victims refuse to pay ransoms.
Figure 1: A forum member seeks data from the Zellis attack
In addition to posts on cybercrime forums, Cybersixgill observed a threat actor on Telegram seeking information about how to exploit the MOVEit zero-day vulnerability. While Cybersixgill had not observed threat actors on the underground spreading a proof-of-concept (PoC) for the vulnerability as of June 6, 2023, news of the massive MOVEit-based data theft campaign is spreading on major OSINT sites, and demand for the PoC will likely increase.
If a PoC eventually emerges on the underground, the results could be disastrous. Indeed, the Telegram channel below has over 3,500 subscribers and hosts robust daily discussions related to popular cybercrime topics. It is likely that interest in the MOVEit PoC will continue to mount as news spreads of the recent wave of Zellis-related attacks.
Figure 2: A threat actor on Telegram seeks information about the MOVEit flaw
TAKEAWAYS
The recent MOVEit attacks on British victims illustrate the dangers posed by flaws such as CVE-2023-34362. While the perpetrators appear to be affiliated with one of the top cybercriminal operations on the underground, a PoC for CVE-2023-34362 could eventually circulate widely, meaning lone-wolf and less experienced threat actors could exploit the vulnerability in the wild. The recent MOVEit attacks serve as a stark reminder that organizations must remain vigilant, safeguarding their digital assets and protecting the privacy of their clients and customers by keeping all software patched and up to date and tracking flaws such as CVE-2023-34362.
[1] CVE-2023-34362 is an SQL injection vulnerability in the MOVEit Transfer web application that can allow an unauthenticated attacker to gain access to the application’s database. The flaw was exploited in the wild in May and June 2023.
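To make the vulnerability class concrete, here is an added example (not from this page, and not MOVEit’s code) in Python against an in-memory SQLite database with an assumed schema: a username lookup that concatenates attacker input into the statement, beside the parameterized version that treats the same input as plain data. The tables, rows and payloads are constructed; the second payload reads a settings table to show how unauthenticated database access can expose stored secrets of the kind the attackers above went after (storage credentials).

```python
"""SQL injection: string-built query vs. parameterized query.

Added example, not from the page or MOVEit.  Schema, rows and payloads
are constructed for the demo (the stored key is a placeholder string).
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(username TEXT, role TEXT);
        CREATE TABLE hostsettings(name TEXT, value TEXT);
        INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user');
        INSERT INTO hostsettings VALUES ('blob_account_key', 'AKxxxx-constructed');
    """)
    return db


def lookup_vulnerable(db, username):
    """Attacker-controlled text is spliced into the SQL statement itself."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def lookup_safe(db, username):
    """Placeholder binding: the driver passes the value separately from the
    statement, so quotes, OR and UNION inside it are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def demo():
    db = make_db()
    # Tautology: closes the literal and adds an always-true condition.
    tautology = "nobody' OR '1'='1"
    # UNION: appends a second SELECT over a different table; '--' comments
    # out the trailing quote the application adds.
    union = "nobody' UNION SELECT name, value FROM hostsettings --"
    return {
        "vuln_tautology": lookup_vulnerable(db, tautology),
        "vuln_union": lookup_vulnerable(db, union),
        "safe_tautology": lookup_safe(db, tautology),
        "safe_union": lookup_safe(db, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Note that the safe version needs no input filtering at all; the fix is structural (bound parameters), which is why “sanitize the username” style patches tend to be bypassed while parameterization holds.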
[2] MOVEit is a managed file transfer (MFT) platform that protects data in transit with features such as encryption, authentication, access controls, and detailed audit trails. It supports secure protocols such as FTPS, SFTP, HTTPS, and AS2.
[3] Zellis is a global company that provides cloud-based human capital management (HCM) and payroll services, including human resources administration, workforce management, and benefits oversight. Zellis serves the healthcare, manufacturing, retail, and financial industries, in addition to the public sector.
[4] With webshell malware, attackers can remotely access and control compromised web servers. A webshell is typically a small script or program uploaded to the server that provides the attacker with a web-based interface for interacting with it, for example to upload and download files, execute commands, and perform other actions.
[5] Azure Blob Storage is Microsoft’s cloud-based object storage platform for unstructured data, meaning text or binary data that does not adhere to a particular data model or definition.
[6] Cybersixgill’s CVEs module assigned the flaw a critical score of 9.74 on February 13, 2023; the score had fallen to 2.33 as of June 6, 2023.
[7] GoAnywhere MFT is secure file transfer software developed by Fortra.
[8] CHS operates 79 affiliated acute-care hospitals and over 1,000 other medical facilities across the United States.
[9] The Accellion file transfer tool provides a secure environment for file sharing and collaboration among employees, partners, and customers.
[10] Data theft is the unauthorized access and exfiltration of sensitive information, such as personal data, financial information, and intellectual property; extortion is the use of threats to force victims to pay ransoms.
[11] Open source reports indicate that almost 70% of ransomware activity now includes some type of DTE tactic.