The first of what is expected to become a long list of organizations have confirmed they had data stolen through an attack on MOVEit file transfer solutions, attributed to advanced persistent threat group Lace Tempest.
The Nova Scotia government and another victim, payroll service provider Zellis, confirmed they were attacked through their use of MOVEit, while the BBC, British Airways and Boots said their employee data was exposed as a result of using Zellis’ services.
Meanwhile, the company behind MOVEit, Progress Software, said on Monday it had patched the cloud version of its popular enterprise file transfer solution, MOVEit Cloud, as well as releasing a patch for customers using the on-premise version, MOVEit Transfer.
Zellis said in a statement a “small number” of its customers had been affected by the attack but its own software and the rest of its IT infrastructure was unaffected.
“Once we became aware of this incident we took immediate action, disconnecting the server that utilises MOVEit software and engaging an expert external security incident response team to assist with forensic analysis and ongoing monitoring.”
The Nova Scotian government said some citizens’ personal information had been breached but it was still working to determine exactly what data had been stolen and how many people were affected.
“Nova Scotians will have questions, and we do, too,” said Cyber Security and Digital Solutions Minister Colton LeBlanc. “Our staff are working hard to figure that out now.”
In an update from Progress Software the company’s chief information security officer, Richard Barretto, said the vulnerability appeared to be limited to the two products it had patched: MOVEit Cloud and MOVEit Transfer.
“At this time, there is no evidence that the Progress environment or any other Progress software products were impacted,” he said.
“We disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours. We have also implemented a series of third-party validations to ensure the patch has corrected the exploit.”
While Progress Software has been praised for moving quickly after the attack, researchers are concerned many more victims are likely to emerge. Some may not yet be aware they have been hacked while others are likely to be slow to patch.
Security researcher Kevin Beaumont described the attack as a “smash and grab” which he said targeted more than 100 large and prominent organizations, and was carried out over the Memorial Day holiday weekend.
Lace Tempest, which runs the Clop extortion site, has a reputation for taking its time to make ransom demands after carrying out attacks.
Beaumont said the threat group was likely to “drip feed” their extortion threats to victims “over months, not days.”
He said users of MoveIT Transfer “should assume compromise, not just patch."