Connect with us

Tech News

More data stolen in 2023 MOVEit attacks comes to light

Published

on

More data stolen in 2023 MOVEit attacks comes to light

After a significant cyber incident that occurred eighteen months ago, where a ransomware gang exploited a zero-day SQL injection vulnerability in Progress Software’s MOVEit Transfer file transfer product, new victims have emerged. One of the latest victims to come to light is tech giant Amazon, which has confirmed that data on over two million of its employees has been leaked.

The vulnerability, known as CVE-2023-34362, was a critical zero-day SQL injection flaw in the MOVEit Transfer tool. Although it was patched at the end of May 2023, the Cl0p/Clop ransomware operation managed to use it to carry out a large-scale breach affecting organizations globally.

Among the victims in the UK were the BBC, Boots, and British Airways, all compromised through the payroll and human resources IT specialist Zellis.

This week, researchers at Hudson Rock revealed details of a major data leak involving at least 25 organizations orchestrated by an actor using the handle Nam3L3ss. This actor posted the data in CSV format on an underground cyber criminal forum.

The leaked data includes employee records from major companies such as HP, HSBC, Lenovo, Omnicom, Urban Outfitters, British Telecom, and McDonalds. The largest amount of data, totaling over 2.8 million records, came from Amazon.

According to Alon Gal from Hudson Rock, the leaked dataset contains contact information, organizational roles, and departmental assignments within Amazon, putting employees at risk of social engineering and targeted phishing attacks.

In a statement to the media, Amazon’s senior PR manager, Adam Montgomery, confirmed the breach, stating that the only information involved was employee work contact information like work email addresses, desk phone numbers, and building locations. Amazon and AWS systems were reported to remain secure without experiencing a security event.

See also  Cups Linux printing bugs open door to DDoS attacks, says Akamai

Amazon did not disclose the specific organization through which it was affected.

Link to Cl0p?

Screenshots of posts made by Nam3Less, shared with Computer Weekly by researchers at Searchlight Cyber, indicate that the actor claimed not to be a hacker or affiliated with any ransomware group. They stated that they did not engage in buying or selling data but monitored the dark web and other exposed services like AWS Buckets, Azure Blobs, and MongoDB servers.

Nam3L3ss expressed a belief that companies and government agencies should encrypt their data during transfers and password protect their online storage to prevent leaks. They emphasized the importance of holding these entities accountable for protecting citizen data.


Threat actor Nam3L3ss claims motivation behind data leak is to hold governments and businesses accountable

The potential link between Nam3L3ss and the Cl0p ransomware gang remains unclear and unconfirmed. Despite their claims, statements made by threat actors should be viewed with skepticism. Nam3L3ss could have ties to the gang or may have acquired the data through other means.

Searchlight threat intelligence analyst Vlad Mironescu stated, “Nam3L3ss claims not to be a hacker and shares data downloaded from various sources. The data, including the Amazon information, appears to be sourced from victims of the previous MOVEit attacks orchestrated by Cl0p. While Nam3L3ss is not directly associated with ransomware groups, they are redistributing the data they discovered.”

Mironescu added, “Although the actor shares the data for free or in exchange for forum credits, the dissemination of this data on BreachForums could enable numerous hackers to misuse it for malicious purposes.”

Dark web

Kevin Robertson, COO at Acumen Cyber, commented on the data flow across the dark web, noting how stolen data resurfaces in the news and reaches other attackers over time.

See also  Data bill will boost NHS and police access to data, says government

He mentioned the MOVEit breach from the previous year, which impacted numerous organizations and individuals globally, highlighting how attackers continue to profit from stolen data. While Nam3L3ss may not have been involved in the initial MOVEit attack, they have obtained some of its data, demonstrating how stolen data is traded on the dark web.

Trending