Hackers Exploit MOVEit Zero-Day Flaw to Steal Data from Several Big Organizations

Published by Shipra Sanganeria on Jun 6, 2023

A zero-day vulnerability found in MOVEit file transfer software was exploited by a prominent ransomware group to attack multiple companies and a provincial government.

According to reports, UK-based BBC, Boots, British Airways (BA) and the government of Nova Scotia, Canada are some of the prominent organizations affected. As this flaw affects all MOVEit transfer versions, the actual number of organizations affected by this vulnerability remains unknown.

Some of the victims, including BBC and BA, revealed that their outsourced payroll provider, Zellis, was affected by the vulnerability. Its dependence on MOVEit transfer software (provided by Progress Software) for providing the payroll services led to this mishap. Zellis in a separate statement also admitted that some of its customers were impacted, although the exact number and names were not revealed.

It stated that containment measures were deployed as soon as it became aware of this vulnerability, including disconnecting servers using MOVEit software, informing appropriate authorities in the UK and Ireland, as well as engaging with external cybersecurity and forensic experts.

This vulnerability was revealed by Progress Software on May 31, when it notified its customers about the flaw found in both MOVEit transfer and Cloud. Although Progress immediately released security patches for this flaw, cybersecurity firms like Mandiant and Rapid7 reported its exploitation by ransom gangs.

The current attacks were attributed to Lace Tempest (FIN11, TA505) which is known to operate the CI0p ransomware site, reported Microsoft. Its modus operandi involves exploiting zero-day flaws to access system databases to steal data for extortion. The gang is also known to threaten and publish data of unwilling victims on its website.

Some of BBC & Boot’s employees’ data that may have been breached include names, National Insurance number, partial home addresses, email IDs and employee numbers.

UK’s National Cyber Security Centre has also advised organizations’ using MOVEit transfer software ‘’to take immediate action by following vendor best practice advice and applying the recommended security updates.”