Authorities confirmed a massive data breach that has exposed bank details of employees at thousands of firms, including BA, Boots, and the BBC in the U.K.
Major Data Breach Exposes Bank Info of Companies, Linked to Russian Hackers
Hackers exploited a vulnerability in the file transfer system called MOVEit Transfer, leading to potential access to sensitive personal information from all affected companies. According to experts, the hack is believed to be linked to a Russia-based group that has been involved in several attacks since Putin’s invasion of Ukraine.
The MOVEit Transfer exploitation is not just SQL injection(👀)
We uncovered the very last stage of the attack chain to drop human2.aspx ultimately ends up gaining remote code execution ‼
We fully recreated the attack chain with a demo achieving a reverse shell & ransomware! pic.twitter.com/dPQX80wLQ8
— John Hammond (@_JohnHammond) June 6, 2023
The file transfer system, developed by US-based Progress Software, is widely used by companies around the world for file and data transfers. A vulnerability in MOVEit was discovered last week (June 1), but the extent to which companies had been compromised was not confirmed at the time. Today BA, which has approximately 34,000 UK staff, revealed that it had been heavily affected by the data breach.
According to a BA spokesperson, the cybersecurity incident is linked to Zellis, a third-party supplier responsible for payroll support services. Zellis stated that the hack impacted eight of its customers, including BA. Zellis acknowledged the global issue of a zero-day vulnerability in Progress Software’s MOVEit Transfer product and is actively assisting its affected customers.
The BBC and Boots, which employ approximately 50,000 people, also announced that their data had been compromised in the attack. Experts have emphasized the need for more robust supply chain security in light of this incident. According to Javvad Malik, the lead security analyst at KnowBe4, the recent theft of sensitive data from BA and Boots underscores the importance of enhancing cybersecurity controls. Furthermore, addressing the challenges of securing the supply chain is an added advantage.
He also emphasizes that the exploitation of zero-day vulnerabilities poses a significant threat to IT teams. John Shier, the CTO at cybersecurity firm Sophos, echoed these sentiments, highlighting the significance of supply chain security in light of the recent wave of attacks.
Critical SQL Injection Vulnerability in Progress MOVEit Transfer (CVE-2023-34362)
The Cybersecurity and Infrastructure Security Agency (CISA) has added a security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities and has ordered U.S. federal agencies to patch their systems by June 23. The bug, tracked as CVE-2023-34362, is an SQL injection vulnerability that allows remote attackers to access MOVEit Transfer’s database and execute arbitrary code without authentication.
🚨 URGENT: Critical vulnerability found in MOVEit Transfer. Urgent action required for all users. Patch immediately to ensure #CyberSecurity. More info 👉https://t.co/cwXxo9fOyV #InfoSec
— CISA Cyber (@CISACyber) June 1, 2023
The November 2022 binding operational directive (BOD 22-01) requires Federal Civilian Executive Branch Agencies (FCEB) to patch this vulnerability once it is added to CISA’s Known Exploited Vulnerabilities catalog. Private companies are also strongly advised to prioritize securing their systems against this actively exploited flaw in MOVEit Transfer.
Progress recommends all customers apply the necessary patches to prevent exploitation and potential breaches. If immediate patching is impossible, disabling all HTTP and HTTPS traffic to MOVEit Transfer environments can reduce the attack surface.
Threat actors have been actively exploiting CVE-2023-34362, a zero-day vulnerability, since at least May 27, as confirmed by Mandiant CTO Charles Carmakal. This occurred four days before Progress publicly disclosed the vulnerability and started developing security patches for affected systems.
According to Carmakal, the vulnerability has been widely exploited, leading to significant data theft. The threat actor’s motivation is currently unknown, but organizations are advised to be prepared for possible extortion and the public release of stolen data.