Pierluigi Paganini
June 16, 2023
Oil and Gas giant Shell has confirmed that it is one of the victims of the recent large-scale ransomware campaign conducted by the Clop gang exploiting a MOVEit zero-day vulnerability
Threat actors are actively exploiting the zero-day vulnerability, tracked as CVE-2023-34362, to steal data from organizations worldwide.
The company is investigating the security breach and said that at this time the attack had no impact to its core IT systems.
“We are aware of a cyber security incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers,” said Shell US spokesperson Anna Arata in a statement. “There is no evidence of impact to Shell’s core IT systems,” Arata added. “Our IT teams are investigating to understand and manage any risks, and take appropriate action, she said.
The Clop ransomware gang claims to have hacked hundreds of companies by exploiting the above issue.
Kroll researchers discovered that the Clop ransomware gang was looking for a zero-day exploit in the MOVEit software since 2021.
At the time of this writing, the Clop ransomware group already added 27 companies to the list of victims on its dark web leak site. The group claimed to have compromised the companies by exploiting the zero-day CVE-2023-34362.
The group published the following message on its leak site to clarify the theft of data from government agencies reported by some media:
“WE GOT A LOT OF EMAILS ABOUT GOVERNMENT DATA, WE DON’T HAVE ANY GOVERNMENT DATA AND ANYTHING DIRECTLY RESIDING ON EXPOSED AND BAD PROTECTED NOT ENCRYPTED FILE TRANSFER WE STILL DO THE POLITE THING AND DELETE ALL. ALL MEDIA SPEAKING ABOUT THIS ARE DO WHAT ALWAYS THEY DO. PROVIDE LITTLE TRUTH IN A BIG LIE. WE ALSO WANT TO REMIND ALL COMPANY THAT IF YOU PUT DATA ON INTERNET WHERE DATA IS NOT PROTECT DO NOT BLAME US FOR PENETRATION TESTING SERVICE. WE ARE ONLY FINANCIAL MOTIVATED AND DO NOT CARE ANYTHING ABOUT POLITICS.“
By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States. At this time the number of installs located in the UK is 127.
UK’s communications regulator Ofcom is another victim of the ongoing ransomware campaign conducted by the Clop group. Recently another data breach made the headlines, the hack of the payroll services provider Zellis.
The instance of MOVEit Transfer managed by the payroll processor Zellis was used by the company to exchange files with tens of companies, this means that the number of impacted firms could be significant.
As a result of the cyber attack on the payroll provider Zellis, the personal data of employees at the BBC and British Airways has been compromised and exposed.
One of Zellis’s customers, the British health and beauty retailer and pharmacy chain Boots also confirmed to have been impacted by the attack. Another firm impacted by the data breach is the airline Aer Lingus which confirmed that “some of our current and former employee data” has been disclosed.
In March 2021, Shell disclosed another data breach resulting from the compromise of an Accellion File Transfer Appliance (FTA) used by the company.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
