The PoC exploit for MOVEit Transfer was released on Friday, June 9th, and Ofcom announced the cyber attack on Monday, June 12th.
Ofcom, the UK communications regulator, has fallen victim to the widespread Cl0p extortion campaign, which exploits a zero-day vulnerability in Progress Software's MOVEit Transfer. In an official statement, Ofcom confirmed that although its own systems remained uncompromised, threat actors were able to gain access to information belonging to both regulated companies and Ofcom employees.
It is worth noting that while the Cl0p gang continues its widespread campaign against organizations running vulnerable MOVEit Transfer instances, security researchers have released a proof-of-concept (PoC) exploit for the vulnerability, tracked as CVE-2023-34362.
During the attack, according to Ofcom’s statement, a limited amount of information was downloaded by the attackers, including confidential data belonging to certain regulated companies and personal data of 412 Ofcom employees. Ofcom took immediate action by suspending its use of the compromised MOVEit service and implementing the recommended security measures.
Additionally, it promptly notified all affected companies under its regulation and continues to provide support and assistance to the affected employees.
In a comment to Hackread.com, Chris Hauk, consumer privacy champion at Pixel Privacy said that “This is just the latest in a recent series of cyberattacks using vulnerabilities in the MOVEit Transfer file transfer application. While short-term we can certainly expect to see more of these attacks, hopefully, there will be a long-term reduction in the attacks, thanks to the patch released by Progress Software a few days ago.”
This incident comes shortly after the Irish health service (HSE) disclosed that it had also been impacted by the same data-stealing campaign. The HSE reported that an external partner, EY, working on a recruitment automation project had detected a cyberattack targeting the MOVEit technology they were utilizing.
However, the breach was limited in scope, with only information pertaining to approximately 20 individuals involved in recruitment processes being accessed. The compromised data included names, addresses, mobile numbers, positions on the recruitment panel, and general information about the posts being recruited. Importantly, no personal identification or financial data was compromised.
An affiliate of the Cl0p ransomware group has been attributed to this campaign, which exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in the popular file transfer software MOVEit Transfer, allowing the attackers to exfiltrate data from numerous organizations worldwide.
Following the public release of a proof-of-concept exploit last Friday, the risk of copycat attacks has increased. Organizations still operating unpatched, internet-exposed MOVEit Transfer servers are strongly advised to apply the vendor's patch immediately. Patching alone does not undo a compromise that has already taken place, so organizations should also check whether their instance was accessed before the patch was applied and whether any data was exfiltrated.