Data on at least 100,000 employees in Nova Scotia’s healthcare sector were stolen as the result of the vulnerability in Progress Software’s MOVEit file transfer application, the province said Tuesday.
Data stolen includes Social Insurance numbers, addresses and banking information of employees of Nova Scotia Health, the public service and the IWK Health Centre, which is a major pediatric hospital and trauma centre.
The provinces uses MOVEit for transferring payroll information. It has begun notifying victims.
The Clop/Cl0p ransomware gang told BleepingComputer it is behind the MOVEit Transfer data-theft attacks. For infosec teams running Microsoft’s Defender Threat Intelligence service, Microsoft calls this group Lace Tempest.
According to the BBC, other victims include the BBC, British Airways, British pharmacy chain Boots and Irish airlines Aer Lingus.
The SQL injection zero-day vulnerability was announced by Progress Software on May 31. Researchers at Mandiant think the earliest evidence of exploitation occurred on May 27, resulting in the deployment of web shells and data theft. In some instances, the researchers say, data was stolen within minutes of the deployment of web shells.
The vulnerability is known as CVE-2023-34362.
Many researchers say IT departments who either didn’t install the patch immediately or were using unaffected versions of the on-premises or cloud version of MOVEit should assume their systems have been compromised.
Researchers at Huntress Labs said as of Jun. 1, a scan of the web using the Shodan search engine suggested there were over 2,500 servers publicly available on the open internet.
Huntress researchers created an exploit that allowed it to receive shell access with Meterpreter, escalate to Windows’ NT AUTHORITY\SYSTEM and detonate a Cl0p ransomware payload. “This means that any unauthenticated adversary could trigger an exploit that instantly deploys ransomware or performs any other malicious action,” the researchers conclude. “Malicious code would run under the MOVEit service account user moveitsvc, which is in the local administrators group. The attacker could disable antivirus protections, or achieve any other arbitrary code execution.”
Researchers at CrowdStrike say the webshell created by an attacker will utilize an existing user account with permission level “30” or a new randomly generated username to establish a persistent session within the MOVEit application. Their blog has instructions on how infosec teams can investigate a possible compromise.
The stolen data could be used for social engineering attacks or ransom, noted Tim West, head of threat intelligence at WithSecure. He noted that British Airways said payment information of its employees was stolen, but organizations should expect the bulk of data to be ransomed and/or uploaded to a leak site.