Data on as many as 100,000 Nova Scotia healthcare staff stolen in MOVEit breach

Data on at least 100,000 employees in Nova Scotia’s healthcare sector were stolen as the result of the vulnerability in Progress Software’s MOVEit file transfer application, the province said Tuesday. 

Data stolen includes Social Insurance numbers, addresses and banking information of employees of Nova Scotia Health, the public service and the IWK Health Centre, which is a major pediatric hospital and trauma centre.

The provinces uses MOVEit for transferring payroll information. It has begun notifying victims.

The Clop/Cl0p ransomware gang told BleepingComputer it is behind the MOVEit Transfer data-theft attacks. For infosec teams running Microsoft’s Defender Threat Intelligence service, Microsoft calls this group Lace Tempest.

According to the BBC, other victims include the BBC, British Airways, British pharmacy chain Boots and Irish airlines Aer Lingus.

The SQL injection zero-day vulnerability was announced by Progress Software on May 31. Researchers at Mandiant think the earliest evidence of exploitation occurred on May 27, resulting in the deployment of web shells and data theft. In some instances, the researchers say, data was stolen within minutes of the deployment of web shells.

The vulnerability is known as CVE-2023-34362.

In the past two and a half years, hackers have exploited holes in file transfer applications including GoAnywhere MFT, IBM’s Apera Faspex and Accelion FTA.

Many researchers say IT departments who either didn’t install the patch immediately or were using unaffected versions of the on-premises or cloud version of MOVEit should assume their systems have been compromised.

Researchers at Huntress Labs said as of Jun. 1, a scan of the web using the Shodan search engine suggested there were over 2,500 servers publicly available on the open internet.

Huntress researchers created an exploit that allowed it to receive shell access with Meterpreter, escalate to Windows’ NT AUTHORITY\SYSTEM and detonate a Cl0p ransomware payload. “This means that any unauthenticated adversary could trigger an exploit that instantly deploys ransomware or performs any other malicious action,” the researchers conclude. “Malicious code would run under the MOVEit service account user moveitsvc, which is in the local administrators group.  The attacker could disable antivirus protections, or achieve any other arbitrary code execution.”

Researchers at CrowdStrike say the webshell created by an attacker will utilize an existing user account with permission level “30” or a new randomly generated username to establish a persistent session within the MOVEit application. Their blog has instructions on how infosec teams can investigate a possible compromise.

The stolen data could be used for social engineering attacks or ransom, noted Tim West, head of threat intelligence at WithSecure. He noted that British Airways said payment information of its employees was stolen, but organizations should expect the bulk of data to be ransomed and/or uploaded to a leak site.

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Featured Tech Jobs

 

CDN in your inbox

CDN delivers a critical analysis of the competitive landscape detailing both the challenges and opportunities facing solution providers. CDN's email newsletter details the most important news and commentary from the channel.