Ransomware attacks sending shockwaves worldwide

  • British Airways, BBC News, Boots, Globalcaja disclose cyberattacks.
  • Highlights the importance of the software supply chain.

Four new victims have emerged in the recent wave of ransomware attacks. British Airways, BBC News, Boots Pharmacy, and Spanish bank Globalcaja have disclosed falling prey to the cyberattacks, compromising sensitive customer and employee data, including names, addresses, national insurance numbers, and banking details.

For British Airways, BBC News, and Boots Pharmacy, earlier indications from Microsoft pointed towards a Russian-speaking ransomware gang as the possible culprit behind these attacks.

Statements from multiple affected entities confirm that several companies, along with a Canadian province, are currently grappling with security breaches associated with MOVEit, the secure file transfer product from Progress Software Corp. This recent disclosure highlights the extent of the impact caused by these breaches.

Sensitive information exposed due to breaches

In a significant development, cybercriminals exploited a zero-day vulnerability in MOVEit, a file transfer system developed by Progress Software. This flaw granted them unauthorized access to data from numerous global companies utilizing MOVEit Transfer. As a result, thousands of firms are believed to have been affected. In response to this vulnerability, security organizations, including the US Department of Homeland Security, the UK National Cyber Security Centre, Microsoft Corp, and Mandiant (a subsidiary of Alphabet Inc’s Google Cloud), have issued security alerts.

Progress Software promptly investigated the vulnerability and provided immediate mitigation steps to inform and assist its MOVEit customers. The hackers responsible for the attacks on MOVEit servers have also been identified as the operators of the Clop extortion website.

Clop is a ransomware variant that has been deployed against organizations worldwide, with the associated hacking group engaging in data theft and threatening to release the stolen information unless a ransom is paid.

According to Trend Micro Inc., this hacking group, primarily targeting the healthcare and financial sectors, has been active since February 2019. It has previously targeted other secure file transfer products, including those developed by Accellion and Fortra. It is estimated that there are thousands of vulnerable MOVEit servers globally, making them susceptible to exploitation through this software flaw.

Consequently, it is anticipated that criminal hackers will initiate contact with affected companies, demanding cryptocurrency payments to prevent the public release of their stolen data.

A search by Bloomberg News revealed publicly visible MOVEit servers utilized by various organizations, including law firms, healthcare institutions, and IT firms. Notably, an email sent to Bloomberg News by a representative of the extortion gang claimed that data stolen from military, government, children’s hospitals, and police organizations had been deleted. However, the veracity of this assertion cannot be independently verified.

Data compromised: British Airways, Boots, BBC, and Globalcaja affected

The government of Nova Scotia has initiated an investigation into the theft of personal information associated with the MOVEit vulnerability. In a statement, the government expressed its commitment to determining the stolen data and the number of individuals impacted by the breach.

British Airways acknowledged that the hack exposed personal information belonging to its approximately 35,000 employees, including names, surnames, dates of birth, and potentially, banking details.

Boots, a company with over 50,000 employees, confirmed that the personal details of its staff were affected by the incident. A spokesperson for Boots, owned by Walgreens Boots Alliance, assured the public that the affected server has been deactivated and that employees have been duly notified about the breach.

The BBC also confirmed being impacted by the attack. A spokesperson for the organization expressed urgency in determining the scope and magnitude of the data breach.

Another ransomware attack targeted Globalcaja, with the Play ransomware gang including the bank in its list of victims on the Tor leak site. The group asserts that they have obtained sensitive data such as private client and employee documents, passports, contracts, etc. If the bank fails to pay the ransom, the stolen data will be published on June 11, 2023.

Globalcaja acknowledged the incident in a press release, though the financial institution tried to minimize the impact by stating that it did not disrupt the entity’s transactions or affect its clients. Nevertheless, certain operations are temporarily restricted as part of the incident response procedure.

Ransomware attacks are showing no sign of slowing down

Tech Wire Asia contacted Kelly Ray, Principal Security Engineer at Synopsys Software Integrity Group, for his insights on this incident. Ray described the breach as significant and highlighted the importance of the software supply chain in data privacy. In this incident, a single vulnerability in a piece of software run by a third-party vendor led to the compromise and exposure of personal employee data across multiple organizations serviced by the vendor.

“The depth of this breach is still being investigated, but it will be interesting to see how GDPR will assess fines for the various organizations involved in this incident, as the software supply chain aspect certainly complicates matters,” Ray emphasized. “Ransomware attacks are showing no signs of slowing down regardless of the industry. Banking, healthcare, and even critical infrastructure, as we saw in the 2021 Colonial Pipeline incident, are prone to attack.”

Ray advises organizations to stay hyper-vigilant when it comes to securing their environments. Layering multiple cybersecurity techniques provides the best chance of preventing a breach, as relying on a single solution will not suffice. Keeping software patches up to date, implementing email spam filtering and DNS blocking, deploying intrusion detection systems, and fostering employee awareness are among the methods that can help fend off malicious actors.

The growing frequency and impact of ransomware attacks serve as a stark reminder of the evolving threat landscape and the critical need for organizations to prioritize robust cybersecurity measures to protect their data and mitigate risks.