The aftermath from the actively exploited zero-day vulnerability in MOVEit, the latest in a series of attacks targeting file-transfer services this year, bears the markings of widespread compromise for potentially thousands of customers.
A spree of attacks observed by multiple cybersecurity firms has amplified concerns and captured the attention of cyber authorities, threat researchers and analysts since the zero-day vulnerability was disclosed by Progress Software on Wednesday.
An initial wave of victims started coming forward on Monday, including British Airways, the government of Nova Scotia and others.
Multiple customers of Zellis, a payroll provider serving hundreds of companies in the U.K. that was itself compromised through the zero-day vulnerability in MOVEit, are impacted.
“We have been informed that we are one of the companies impacted by Zellis’ cybersecurity incident, which occurred via one of their third-party suppliers called MOVEit,” a British Airways spokesperson said in a statement.
The vulnerability, which was assigned CVE-2023-34362 on Friday, is a SQL injection vulnerability that a new threat actor has exploited to gain access to MOVEit databases and steal data from them.
“When organizations have publicly accessible information that contains high volumes of data, it makes for an easy target,” Erik Nost, senior analyst at Forrester, said via email.
“Lots of these file transfer protocol procedures have been in use for a long time, making it difficult to change business as usual for these organizations, and attackers know this as well,” Nost said.
Thousands of customers at risk
Progress declined to answer questions about how many customers currently use MOVEit, but researchers at Censys said they’ve observed more than 3,000 hosts exposed to the internet currently running the service as of Monday.
Enterprises across multiple industries, including finance and education, and federal and state government agencies currently use MOVEit, according to Censys.
The vulnerability impacts on-premises and cloud-based versions of MOVEit. The vendor issued a patch for on-premises versions of MOVEit on Thursday and said it patched cloud test servers that same day.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the Cybersecurity and Infrastructure Security Agency said Friday in an alert.
Progress advised customers to check for indicators of compromise going back at least 30 days, but researchers at GreyNoise said they observed malicious scanning activity as early as March 3. As a result, the cybersecurity firm encouraged MOVEit customers to hunt for potentially malicious activity going back to at least early March.
The earliest known exploitation of the MOVEit vulnerability occurred over Memorial Day weekend on May 27, resulting in the deployment of web shells and data theft, according to Mandiant.
“In some instances, data theft has occurred within minutes of the deployment of web shells,” Mandiant researchers said in a blog post Friday.
“We are already identifying active intrusions at several clients and expect many more in this short term,” John Hultquist, chief analyst at Mandiant Intelligence, said in a statement.
Mandiant attributes the attacks to a new threat cluster it identifies as UNC4857, a group that has exploited zero-day vulnerabilities in file transfer systems and used tailored web shells for data exfiltration.
Microsoft attributed the attacks to Clop, a group it identifies as Lace Tempest under its new threat actor naming taxonomy.
Follow-on attacks expected
Analysts, researchers and threat hunters all warned customers to anticipate potential ransomware attacks, extortion and data theft.
“Attackers are actively seeking vulnerabilities in common software components that can be exploited at scale across a number of victims,” Peter Firstbrook, distinguished VP analyst at Gartner, said via email.
“File transfer has the bonus of being a repository of critical information that can be sold or ransomed,” Firstbrook said.
File transfer systems can carry “treasure troves of data,” which threat actors can use to initiate other attacks such as ransomware and extortion, Nost said.
MOVEit has customers across highly regulated industries, underscoring the damage that may already have been done to government, finance and healthcare organizations.
“What makes this vulnerability particularly noteworthy is the prevalence of use for MOVEit across government, education, medical and financial organizations,” Sharon Martin, product architect at Huntress, said via email.
“This means that there is more likely to be sensitive information sent via MOVEit Transfer that the organizations using it would not want threat actors getting their hands on,” Martin said.
A spokesperson for Progress said the company takes its customers’ security very seriously.
“We took immediate measures to protect customers,” the spokesperson said. “First providing instructions for immediate mitigation, followed by the release of a patch to all MOVEit Transfer customers within 48 hours of identifying the vulnerability.”