The Number of Companies Affected by Attacks on Vulnerabilities in MOVEit Transfer Increased

The consequences of the exploitation of a 0-day vulnerability in the MOVEit Transfer file transfer management solution continue to spread. The total number of affected companies has already exceeded 100, and Siemens Energy and Schneider Electric are now among the victims that have confirmed a compromise.

Let me remind you that it all started with a 0-day vulnerability (CVE-2023-34362) in the MOVEit Transfer file transfer management solution, which was discovered in early June 2023. All versions of MOVEit Transfer were affected by the problem, and it was reported that attacks on them began as early as May 27, 2023.

Attackers used this vulnerability to deploy custom web shells on affected servers, allowing them to list files stored on the server, download files, and steal Azure Blob Storage account credentials and secrets, including the AzureBlobStorageAccount, AzureBlobKey, and AzureBlobContainer settings.

As a result, Microsoft analysts linked the massive attacks to the Clop ransomware hack group (aka Lace Tempest, TA505, FIN11, or DEV-0950). Soon the hackers began to make demands and extort ransoms from the affected companies.

To date, hundreds of companies are known to have been compromised in the attacks. Over the past weeks, many victims have confirmed the break-in. Among them is Zellis, a UK-based payroll and HR solution provider whose customers include Sky, Harrods, Jaguar, Land Rover, Dyson and Credit Suisse. Due to the Zellis hack, the data of the Irish airline Aer Lingus, British Airways, the BBC, and the British pharmacy chain Boots were compromised.

The data leaks also affected the University of Rochester, the government of Nova Scotia, the authorities of the US states of Missouri and Illinois, BORN Ontario, Ofcom, Extreme Networks and the American Therapeutic Society.

This week the list of victims continued to expand. Representatives of the University of California at Los Angeles (UCLA) reported the attack and a data leak. Representatives of the educational institution said that they had already notified the FBI about the incident and brought in third-party security experts to investigate the attack and understand what data was affected.

Attacks on the bug in MOVEit Transfer also affected Siemens Energy, a Munich-based energy company that employs 91,000 people worldwide. While no data has been leaked yet, Clop has already listed Siemens Energy as one of the victims on its dark web site, and company representatives have confirmed to the media that they were hacked in the recent Clop attacks.

Siemens Energy emphasizes that no important data was stolen and the company’s business operations were not affected.

Together with Siemens Energy, another industrial giant was added to the Clop website – the French Schneider Electric, which is engaged in power engineering and manufactures equipment for the energy sub-complexes of industrial enterprises, civil and residential construction facilities, data centers, and so on.

Schneider Electric said that after the news of the vulnerability in MOVEit Transfer, the company “quickly deployed available tools to protect data and infrastructure.” Currently, the company’s security specialists are investigating the consequences of the incident and Clop’s claims of data theft.

In addition to the technology giants listed above, the following have recently been added to the hackers' list of victims:

  1. the New York City Department of Education, which admitted that Clop stole documents containing confidential information of 45,000 students;
  2. Oregon and Louisiana state authorities, from whom hackers stole data on millions of driver’s licenses.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
