British Airways, Boots and the BBC shared a common supplier, which in turn had been compromised by a supply chain attack.

A supply chain attack seems to have affected British Airways, the British Broadcasting Corporation (BBC) and Boots, among others firms. The supplier-in-common is payroll software firm, Zellis, which was compromised by a new zero day vulnerability (CVE-2023-34362) in the MOVEit platform, and this had been publicly disclosed earlier.

Microsoft’s threat intelligence teams have indicated that the group behind this breach is one previously known to have deployed another ransomware known as Cl0p ransomware, according to Toby Lewis, Head of Threat Analysis, Darktrace.

Zellis is just one customer of the file management platform, and there will likely be other organizations affected that have not yet been disclosed, said Lewis: “This incident appears to be limited to data theft from customers of the MOVEit platform. The exploit allows attackers to potentially view files people upload to MOVEit. It doesn’t seem to provide the access needed for an attacker to directly deploy ransomware, nor allow attackers to move internally through to the rest of the affected customer’s network. Nevertheless, if sensitive material is being transferred through MOVEit, this exploit can expose enterprises to extortion with the threat of publication of stolen data.”

Said Satnam Narang, Snr, Staff Research Engineer, Tenable: “Clop were also responsible for exploiting zero-days in other file transfer solutions like CVE-2023-0669 in GoAnywhere earlier this year, and four Acellion vulnerabilities (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104) in late 2020. They’ve slowly pivoted towards a focus on data exfiltration, as evidenced in the targeting of file transfer solutions. In the grand scheme of things, data encryption alone is not enough of an incentive for victim organizations to pay exorbitant ransom demands. However, data exfiltration and threats to publish stolen data hold much more weight and are largely what has powered double extortion and ransomware groups to find so much success.”