Thursday, November 14

More data stolen in 2023 MOVEit attacks comes to light

Over a year since the infamous MOVEit Transfer cyber attacks affected thousands of organisations, more new victims have come to light after an anonymous threat actor leaked their data on the dark web

By Alex Scroxton, Security Editor

Published: 12 Nov 2024 16:10

Eighteen months after a major cyber incident in which hundreds of organisations were victimised by a ransomware gang that exploited a zero-day SQL injection vulnerability in Progress Software’s MOVEit Transfer file transfer product, multiple new victims have come to light, including tech giant Amazon, which has confirmed that data on more than two million of its employees has been leaked.

CVE-2023-34362 is a critical zero-day SQL injection vulnerability in the MOVEit Transfer tool, which was patched at the end of May 2023, but unfortunately not before the Cl0p/Clop ransomware operation was able to use it to orchestrate a mass breach of organisations worldwide.

Victims in the UK included the BBC, Boots and British Airways – all of which were compromised via payroll and human resources IT specialist Zellis.

This week, researchers at Hudson Rock published details of a major data leak affecting at least 25 organisations, orchestrated by an actor using the handle Nam3L3ss, who posted them to an underground cyber criminal forum in CSV format.

According to Hudson Rock’s Alon Gal, the data includes employee records from major companies including HP, HSBC, Lenovo, Omnicom, Urban Outfitters, British Telecom and McDonald’s, but by some margin the biggest tranche of data – a total of over 2.8 million records – has come from Amazon.

Gal said the dataset included contact information and data on organisational roles and departmental assignments within Amazon, which could put employees at risk of social engineering and tailored phishing attacks.

“Hudson Rock researchers were able to verify the authenticity of the data by cross-referencing emails from the leaks to LinkedIn profiles of employees, and to emails found in infostealer infections where employees in the affected companies were involved,” wrote Gal.

In a statement circulated to media, Amazon senior PR manager Adam Montgomery confirmed the veracity of the breach.

“We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon. The only Amazon information involved was employee work contact information, for example work email addresses, desk phone numbers, and building locations,” said Montgomery.

“Amazon and AWS systems remain secure and we have not experienced a security event,” he said.

Amazon did not name the organisation through which it was affected.

Link to Cl0p?

In screenshots of posts made by Nam3L3ss, shared with Computer Weekly by researchers at Searchlight Cyber, the actor claimed they were neither a hacker nor affiliated with any ransomware group. They also said they did not buy or sell data,
