At a glance.
- Second MOVEit bug discovered.
- Shell Recharge data spilled on open web.
- University of Manchester discloses cyberattack.
- Fortra GoAnywhere ransomware incident affects other victims.
Second MOVEit bug discovered.
Software company Progress has announced that it has found a second vulnerability in MOVEit, a file transfer product popular with government agencies and large companies. Progress disclosed the first bug on May 31; on Friday it said that subsequent code review of the product had revealed a new vulnerability that could allow an attacker to gain unauthorized access to view or even modify data stored in the MOVEit Transfer database. “The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited,” Progress wrote in a statement. The Record reports that a patch for the new vulnerability has already been released and that Progress is urging customers to apply it as soon as possible.
Also on Friday, the Minnesota Department of Education (MDE) became the latest in a string of organizations to disclose that it had been attacked through the initial MOVEit bug. MDE said twenty-four department files were accessed on May 31 and that some contained sensitive student information. “These files included data transferred to MDE from the Minnesota Department of Human Services (DHS) to meet state and federal reporting requirements, as well as files from two school districts (Minneapolis and Perham), and Hennepin Technical College,” they wrote. The files contained data on about 95,000 students placed in foster care, as well as students in school food assistance programs. The BBC, British Airways, Irish carrier Aer Lingus, and Boots are among the organizations that have also disclosed breaches resulting from the MOVEit vulnerability.
Shell Recharge data spilled on open web.
British multinational oil company Shell has disclosed that a security researcher discovered an exposed internal database online containing personal information belonging to users of Shell Recharge, the company’s global network of electric vehicle charging stations. Anurag Sen, the researcher who unearthed the database hosted on Amazon’s cloud, says it contained nearly a terabyte of Shell Recharge logging data including customer names, email addresses, phone numbers, and in some cases, vehicle identification numbers. It also included the names of fleet operators and organizations with vehicles that recharge on the network, as well as the locations of Shell’s EV charging stations, including private residential charging points. The database was not password protected, meaning anyone on the internet who found it could read it from a web browser, and it is unclear how long it was exposed before Sen’s discovery. Shell spokesperson Anna Arata told TechCrunch, “Shell has taken steps to contain and identify an exposure of Shell Recharge Solutions data. We are investigating the incident, continue to monitor our IT systems, and will take any necessary future actions accordingly.”
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, thinks the incident looks like a misconfiguration. "This appears to be another case of a misconfigured Amazon cloud data bucket. Developers must use care in how they configure their data buckets, otherwise they leave the data open to being grabbed by bad guys, which could cause havoc for their customers. In Shell's case, customers and employees will want to stay alert for any phishing attempts that use the information found in the database in an attempt to gain access to company and customer accounts and other information."
Paul Bischoff, Consumer Privacy Advocate at Comparitech, notes the speed with which an unprotected database can be successfully attacked. "Our honeypot experiments show that hackers can find and attack unprotected databases like this one within a matter of minutes. It's more than likely that hackers already got in and stole the data. EV drivers should be on the lookout for targeted phishing messages from cybercriminals posing as Shell or a related company. The messages may use personal information from the database to make themselves more convincing. Never click on links or attachments in unsolicited emails!"
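Hauk reads the exposure as a misconfigured storage bucket. The page does not say what kind of store was actually exposed, so the following is an added example, not code from Shell or from either commenter, that assumes the S3 bucket-policy case Hauk describes: a static check that flags Allow statements reachable by anonymous callers, shown against a constructed public-read policy, a constructed restricted policy, and a constructed policy whose "*" principal is scoped by a condition. The bucket name, account ID, role name and VPC endpoint ID are placeholders.

```python
import json

# Constructed sample bucket policies for the demo (placeholders, not Shell's configuration).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # anonymous: anyone on the internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-recharge-logs",
                     "arn:aws:s3:::example-recharge-logs/*"],
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IngestRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-ingest"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-recharge-logs/*",
    }, {
        # A Deny for "*" is a restriction, not a public grant; the checker must not flag it.
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-recharge-logs",
                     "arn:aws:s3:::example-recharge-logs/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

VPC_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-recharge-logs/*",
        # "*" scoped by a condition: not open to the internet, but worth a human look.
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal):
    # Both "*" and {"AWS": "*"} grant access to unauthenticated callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def classify_statements(policy_json):
    """Sort Allow statements with an anonymous principal into two buckets:
    'public'  - no Condition, so anyone on the internet gets the listed actions;
    'review'  - a Condition narrows the grant (VPC endpoint, source IP, ...), so
                it needs manual review rather than an automatic fail."""
    policy = json.loads(policy_json)
    result = {"public": [], "review": []}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<unnamed>")
        result["review" if stmt.get("Condition") else "public"].append(sid)
    return result


def is_public(policy_json):
    """True when at least one unconditional anonymous Allow exists."""
    return bool(classify_statements(policy_json)["public"])


if __name__ == "__main__":
    for name, policy in [("public-read", PUBLIC_READ_POLICY),
                         ("restricted", RESTRICTED_POLICY),
                         ("vpc-only", VPC_ONLY_POLICY)]:
        print(f"{name}: public={is_public(policy)} {classify_statements(policy)}")
```

This is a static review suited to policies kept in infrastructure-as-code; it does not replace the account-level S3 Block Public Access setting, which refuses policies like the first one outright, nor does it inspect bucket ACLs, which are a separate path to the same exposure.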
University of Manchester discloses cyberattack.
BBC News reports that the University of Manchester, located in northern England and one of the largest schools in the UK, suffered a cyberattack in which an unauthorized party may have copied some university data. An investigation is underway, and the university's chief operating officer Patrick Hackett said, “Our priority is to resolve this issue and provide information to those affected as soon as we are able to, and we are focusing all available resources." While Computer Weekly notes that the school says there is no evidence that the incident involves ransomware, BleepingComputer says a source has informed them that it was a ransomware attack. (This source has not been independently confirmed.)
The school has not disclosed exactly which data were accessed. The university serves more than 45,000 students and employs over 12,000 staff. The Record adds that earlier this year the university launched a “Highly Restricted Data Service” (HRDS) to “support researchers working with commercially sensitive, restricted and/or highly restricted data by keeping their data safe, in particular when it is subject to contractual or regulatory requirements.” It is unknown whether any HRDS data were accessed in the attack. Relevant authorities, including the Information Commissioner's Office, the National Cyber Security Centre, and the National Crime Agency, have been informed about the incident, and the school has published an FAQ page offering guidance for the university community.
Fortra GoAnywhere ransomware incident affects other victims.
Intellihartx, LLC has disclosed a data breach stemming from the GoAnywhere ransomware incident, in which the Cl0p group exploited a vulnerability in Fortra's GoAnywhere file transfer software to steal data from its customers.
Paul Bischoff, Consumer Privacy Advocate at Comparitech, is troubled by the compromise of large numbers of Social Security Numbers. "The frequency of healthcare data breaches that result in hundreds of thousands of stolen Social Security numbers is worrying," Bischoff writes. "The attack on Fortra came on the heels of breaches at NextGen Healthcare, Enzo Biochem, and PharMerica, all of which exposed Social Security numbers. I'm not sure why healthcare companies store SSNs or why they aren't hashed and salted, but if you can't protect them, you shouldn't be storing them. SSNs are the most critical piece of information that identity thieves need to get loans, credit cards, and forms of credit in your name. Our analyses show 108 ransomware attacks cost 2,302 US healthcare organizations $7.8 billion in 2021, while 711 medical data breaches affected 45.4 million patient records in the same year. However, relatively few of these included Social Security numbers. Patients should take advantage of any credit monitoring services being offered for free as a result of the breach. Keep an eye on your credit reports, bank statements, and transaction histories for suspicious activity. Be on the lookout for targeted phishing messages that use information from the breach to be more convincing." (We note that US Social Security Numbers were never intended to serve as a mode of identification. That's all been creep since their Depression-era introduction.)
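Bischoff asks why stored SSNs are not hashed and salted. The caveat a practitioner would add is that an SSN has at most a billion possible values, so a salted hash buys little once the table (salt included) is stolen: the attacker simply enumerates the space. The example below is added here and is not from Bischoff, Comparitech or the page. It shows the salted-hash scheme being recovered by enumeration, and the hardened alternative, a keyed HMAC whose key lives outside the database (for instance in an HSM or KMS; the key-storage arrangement is assumed). The SSN is a constructed sample, and the prefix the attacker "knows" is only there to keep the demo fast.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample value for the demo; not a real person's number.
SAMPLE_SSN = "123-45-6789"


def normalize(ssn):
    """Strip separators so '123-45-6789' and '123456789' map to the same record."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def salted_hash(ssn, salt):
    """The 'hash and salt' scheme: the salt is stored next to the digest,
    so a thief who has the table has the salt too."""
    return hashlib.sha256(salt + normalize(ssn).encode()).hexdigest()


def crack_salted_hash(digest, salt, known_prefix=""):
    """Attacker's view: enumerate the unknown digits and compare.
    With an empty prefix this is the full 10**9 space, which is still a small
    job for an offline attacker with a GPU; a known prefix only shortens the demo."""
    width = 9 - len(known_prefix)
    for tail in range(10 ** width):
        candidate = known_prefix + str(tail).zfill(width)
        if hashlib.sha256(salt + candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def keyed_token(ssn, key):
    """Hardened form: HMAC-SHA256 under a secret key that is NOT stored with the
    data (assumed to be held in an HSM/KMS). Without the key, enumeration is
    impossible; with it, the application can still look records up by equality."""
    return hmac.new(key, normalize(ssn).encode(), hashlib.sha256).hexdigest()


def token_matches(ssn, token, key):
    """Constant-time comparison for lookups so the check does not leak via timing."""
    return hmac.compare_digest(keyed_token(ssn, key), token)


if __name__ == "__main__":
    salt = os.urandom(16)
    digest = salted_hash(SAMPLE_SSN, salt)
    # Pretend the first five digits leaked elsewhere; 10**4 candidates remain.
    print("salted SHA-256 recovered:", crack_salted_hash(digest, salt, "12345"))
    key = secrets.token_bytes(32)
    tok = keyed_token(SAMPLE_SSN, key)
    print("HMAC token matches:", token_matches(SAMPLE_SSN, tok, key))
```

The HMAC token is only as secret as its key: if the key is stored beside the table, the attacker is back to enumerating a billion candidates. It is also deterministic, which is what makes equality lookups work, but it means two records with the same SSN are visibly linked; if even that is unacceptable, the number should not be stored at all, which is Bischoff's underlying point.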
Erich Kron, Security Awareness Advocate at KnowBe4, points out that Cl0p and other ransomware-as-a-service (RaaS) operations have enjoyed an unpleasant degree of success with phishing emails: "The Clop ransomware/extortion group has certainly caused a stir this year as they exploited the GoAnywhere software vulnerability with nearly reckless abandon. While files were generally not encrypted like in typical ransomware attacks, the theft of data and threat of leaking it publicly has been more than enough to cause issues for victims of these attacks," he writes. "Clop has certainly shown that disrupting operations by encrypting data isn’t necessarily required to force organizations to pay up. Because Clop generally works under a RaaS (Ransomware-as-a-Service) model, leveraging ‘affiliates’ to carry out attacks in exchange for a majority percentage of earnings from attacks, the initial attack vectors can vary, however email phishing generally tops the charts as a favorite approach due to its low cost and high success rate. Because this is the most common attack method, organizations should ensure that employees are educated and trained on how to spot and report phishing and other social engineering attacks. In addition, a robust patching process that allows for quick testing and patching of potentially vulnerable software can significantly reduce the damage bad actors can do in the event they do gain access to a network."
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, sees the incident as further evidence of the attractiveness of the healthcare sector as a target. "As we already know, the healthcare industry is an increasingly attractive target for hackers. Unfortunately, as in cases like this, an available emergency patch was available but had not been applied to the affected machines. Organizations should take the time to educate and train their employees as to the risks of opening attachments or clicking on links in unsolicited emails or texts. They should also educate them on how social engineering attacks are used to gain access to systems. They should also review their systems and any possible weaknesses in those systems on a regular basis, updating the systems whenever a patch or an update is available."