We’re already at the midway point of 2023 and so far there plenty of cyber incidents have hit the headlines. In this blog we take a look at some of the biggest cyber attacks of 2023 (so far).
MOVEit
We kick things off with the most recent hack that has been dominating the headlines and that is the MOVEit hack.
On May 31, 2023, a critical vulnerability was uncovered in the secure managed file transfer (MFT) service provided by MOVEit Transfer platform, developed by Ipswitch, Inc. This platform, widely utilized by eminent companies in various sectors like healthcare, government, finance, and aviation, encrypts files and transfers them using the Secure File Transfer Protocol (SFTP).
The threat actor exploiting this vulnerability is the Russian-based Clop Ransomware group, notorious for its cyber assaults since it first came onto the scene back in February 2019. By June 5, 2023, they had initiated multiple attacks exploiting this Zero-day vulnerability in the MOVEit managed file transfer service. If the affected companies do not comply with their demands by June 14, 2023, they have threatened to expose the stolen information.
The technical specifics of the vulnerability, identified as CVE-2023-34362, reveal that a SQL injection vulnerability in the MOVEit Transfer web application enables unauthorized attackers to access the database. Depending on the database engine (MySQL, Microsoft SQL Server, or Azure SQL), the attacker could access the database's structure and contents, and even manipulate or eliminate database elements.
Among the confirmed victims of this breach is Zellis, a UK-based Payroll service provider. Eight UK organizations that Zellis serves, including the BBC, British Airways, Aer Lingus, and Boots, have reported theft of critical data. Stolen information ranges from home addresses and national insurance numbers to, in certain cases, bank details. As the story unfolds, more companies may find themselves being impacted. Affected organisations have been contacting affected parties with notifications being sent over that their data was leaked.
Ipswitch issued a patch for the MOVEit zero day vulnerability, on May 31 and all organisations using MOVEit are advised to install it as soon as possible. We are likely to see more victims come forward for months and years to come as more organisations discovered they’ve been compromised.
T-Mobile Hacked twice
In January, T-Mobile announced that the personal data from 37 million of its current customers was accessed by a malicious actor in November 2022. According to a regulatory filing, the stolen customer data included names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers, and details regarding customers' wireless carrier services. Critically, no social security numbers, credit card information, government ID numbers, passwords, PINs or financial data were reportedly exposed.
Despite the apparent lack of financial data being compromised, the accessed information could be combined with other stolen or publicly available data, potentially enabling scammers to commit identity theft or fraudulent activities.
The above wasn’t the end of T-Mobiles woes this year, however, as in May the company disclosed that it had experienced a hack that exposed account PINs and other customer data in the company’s second hacking incident of 2023. The breach, which started on February 24 and lasted until March 30, affected 836 customers and was the 9th network intrusion reported since 2018.
9 million AT&T customer records exposed
In March, the telecoms giant AT&T revealed that it had suffered a significant third-party data breach that exposed approximately 9 million customer records. The breach saw customers' first names, wireless account numbers, phone numbers, and email addresses being leaked. Other information such as wireless plan names, due amounts, monthly payments and charges, and minutes used were also exposed. AT&T, however, assured that credit card information, Social Security numbers, account passwords, and other highly sensitive personal data were not revealed.
AT&T identified the breach as a supply chain attack, mostly involving data related to device upgrade eligibility, which was several years old. The breach took place in January, involving an unidentified third-party vendor.
Although the breach did not leak highly sensitive financial data, the exposed information still leaves victims vulnerable to targeted phishing attacks. AT&T customers are advised to adopt stronger password security measures and remain vigilant against unsolicited emails and suspicious account activity.
ESXi vulnerability highlights the importance of patching
In February several CERT teams issued warnings that a large scale ransomware attack had been launched against VMware ESXi virtual machines. More than 2,500 ESXi servers were hit in a widespread campaign that impacted entities including the Supreme Court of Florida.
Despite initial reports attributing the incident to an early 2021 vulnerability, VMware has clarified that there is no evidence of an unknown (0-day) vulnerability being exploited to propagate the ransomware used in these recent attacks.
The fact that so many ESXi users were seemingly failing to patch against severe remote code execution (RCE) vulnerabilities that were already two years old, and were also exposing unpatched servers directly to the internet, raised some scepticism among security researchers. This breach underlines the critical need for keeping systems updated and mitigating risks by not exposing unpatched servers directly to the internet.
In part 2 we take a look at the Royal Mail, JD Sports cyber attacks and one of the largest ever recorded DDoS attacks ever recorded.
If you are worried about any of the threats outlined in this blog or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please Get in touch to find out how you can protect your organisation.
