The number of victims falling prey to the mass hack of the software MOVEit continues to grow, as more details emerge.
However, we can reassure all our customers that Osirium does not use and has never used the MOVEit transfer software, and we are not affected by this attack.
British Airways, the BBC and Boots were among the first to be named.
Media watchdog Ofcom and Transport for London are some of the latest to say they've been hit by the breach, reportedly orchestrated by hackers linked to a Russian ransomware group.
Accountancy firm Ernst & Young (EY) told the BBC it was affected, while US banks and universities have now reportedly been listed as victims by the gang claiming responsibility for the hack.
The software is used by businesses around the world to securely share highly sensitive data, such as bank account details.
NIST reported: “A SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.”
An attacker may be able to “infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements,” it added.
This is an extremely serious case, emphasised by the fact that NIST has given it a 9.8 base score on its vulnerabilities database and labelled it ‘critical’ – something we very rarely see.
It’s the 1% of the 1% of exploits.
The highly confidential and personal nature of the files shared on MOVEit, combined with the fact that the software is internet-facing, makes this the perfect storm.
In some cases, the attack occurred indirectly via a third-party supplier - Zellis, a payroll software provider - that was hit itself.
Zellis confirmed “a small number of our customers have been impacted by this global issue and we are actively working to support them”, adding: “All Zellis-owned software is unaffected and there are no associated incidents or compromises to any other part of our IT estate.”
The National Cyber Security Centre said: “A number of organisations whose supply chains use the MOVEit app have suffered a data breach as a result, with customer data being stolen.”
Working closely with third parties, whilst bringing many benefits, can add substantial risks unless certain key security measures are in place, including the right controls and monitoring.
When working with a supplier, organisations need to secure remote access without exposing the keys to their kingdom. It’s vital to separate third parties from credentials, use multi-factor authentication, record sessions and not allow VPN access.
If you want to review your organisation’s security approach around third party access, talk to us about how we can help. Get in touch today.