The cyber actors were able to infiltrate the MOVEit Transfer and MOVEit Cloud products by exploiting a zero-day vulnerability that allows them to breach company networks and steal data.
On June 8, the HSE became aware that they had been impacted by the compromised MOVEit Transfer product as a result of work being carried out on their systems by EY. The HSE was working with EY to automate its recruitment process using the MOVEit Transfer product produced by Progress Software Corporation.
Following this, the HSE investigated the impact of the data breach and determined that “it is likely that no more than 20 individuals involved in the recruitment process” were affected. The data accessed by the hackers included names, addresses, mobile numbers and positions of those on the recruitment panel, as well as more general information about the job roles to be filled. The HSE say that no other personally identifying or financial information was accessed during the cyber attack.
"The HSE became aware yesterday evening (Thursday, 8th June) that an external partner (EY) working with us on a project to automate part of our recruitment process was alerted to a cyber-hack of the technology product MoveIT Transfer which they were using to support this work.
This attack was criminal in nature and international in scale. HSE teams together with EY have worked closely over the last number of hours to determine the impact on HSE data. This analysis has determined that it is likely that information relating to no more than 20 individuals involved in recruitment processes was accessed."
“The data on these recruitment panels is comprised of names, addresses, mobile number, place on the panel and more general information on the posts being recruited. Importantly no other personal identification data or financial data is included. The HSE is in contact with relevant authorities and is informing the Data Protection Commission. Contact will be made shortly with those individuals whose data was accessed.”
From the end of May 2023, multiple reports appeared that a zero-day vulnerability in MOVEit Transfer was being actively exploited to gain access to MOVEit servers. Threat actors were using this vulnerability to upload a web shell, exfiltrate data and initiate intrusion lifecycles. MOVEit Transfer and MOVEit Cloud are products/services of Progress Software Corporation that provide secure collaboration and automated file transfers for sensitive data. They are widely used by numerous organizations globally.
The ransomware affiliate "Lace Tempest", notorious for carrying out ransomware operations and running the extortion site known as "Cl0p", was linked to the recent cyber attacks on the data transfer products MOVEit Transfer and MOVEit Cloud. The attack on MOVEit has also directly led to data breaches affecting Ofcom and the UK payroll services provider Zellis, which also uses MOVEit as a third-party product; the Zellis breach impacted many of its customers, including Boots, BBC, British Airways and Aer Lingus.
On May 31, 2023, Progress disclosed a critical vulnerability (CVE-2023-34362) in its MOVEit Transfer software, which could potentially lead to privilege escalation and unauthorized access on affected systems through SQL injection (SQLi) in the MOVEit Transfer web application.
Depending on the database engine used, such as MySQL, Microsoft SQL Server, or Azure SQL, an attacker can gain access to the database’s structure and contents, and even execute SQL statements to modify or delete data. The attackers are using a backdoor known as “human2.aspx”. Researchers have analyzed this backdoor and determined the following functionalities:
Technical Resources & Reference
- Patches for supported MOVEit Transfer versions have been released and are available from the Progress Software Corporation website located here.
- Supported versions are listed via this link.
- As of June 2, 2023, the vulnerability was assigned CVE-2023-34362.
Lace Tempest, also called Storm-0950, is a ransomware affiliate that overlaps with other groups such as FIN11, TA505, and Evil Corp. It's also known to operate the Cl0p extortion site.
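The following Python example, added here and not taken from the article or from Progress, searches IIS W3C-format web logs for requests to the "human2.aspx" backdoor named above and groups them by client IP. The log lines, IP addresses and function names are constructed for illustration, and it assumes the log's `#Fields` header includes `cs-uri-stem`, `c-ip` and `sc-status`.

```python
import collections

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-05-30 10:01:11 GET /human.aspx - 198.51.100.7 200
2023-05-30 10:02:40 POST /upload.aspx - 203.0.113.9 200
2023-05-30 10:03:02 GET /human2.aspx - 203.0.113.9 404
2023-05-30 10:03:05 GET /Human2.ASPX - 203.0.113.9 200
2023-05-31 02:14:55 GET /human2.aspx - 192.0.2.44 404
"""

BACKDOOR_NAME = "human2.aspx"  # file name given in the article


def find_backdoor_hits(log_text, name=BACKDOOR_NAME):
    """Return log records whose URI stem ends in the backdoor file name."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # IIS re-emits this header when the logging configuration changes
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, values))
        # IIS URL paths are case-insensitive, so compare lower-cased;
        # exact file-name match keeps look-alike names from matching
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.rsplit("/", 1)[-1] == name:
            hits.append(rec)
    return hits


def summarize(hits):
    """Per client IP: request count and whether any request got HTTP 200."""
    summary = collections.defaultdict(lambda: {"requests": 0, "served": False})
    for rec in hits:
        entry = summary[rec.get("c-ip", "?")]
        entry["requests"] += 1
        entry["served"] |= rec.get("sc-status") == "200"
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize(find_backdoor_hits(SAMPLE_LOG)).items():
        print(ip, info)
```

A client with `served` set to true received a 200 response for the file, which means the file existed on the server at that time and the host should be treated as compromised pending investigation.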