Hacker using laptop showing cyber attack on payroll provider

BBC, British Airways Among Those Compromised by Supply Chain Cyber Attack on Payroll Provider

Supply chain security is in the news once again as a cyber attack on Zellis, a UK-based payroll provider owned by Bain Capital, has led to the compromise of numerous organizations. Among the biggest names impacted by the attack are the BBC, British Airways and major UK drugstore chain Boots (part of a conglomerate owned by Walgreens).

The attackers, reportedly associated with a ransomware gang, found a way to compromise the MOVEit file transfer software employed by Zellis. MOVEit has since issued a fix for the vulnerability and it does not appear that ransomware was successfully deployed at all of the targets, but some of the companies have reported the theft of sensitive employee personal information that the attackers have threatened to leak.

Zellis cyber attack hits numerous downstream targets

A group called Lace Tempest, the primary team behind cl0p ransomware, took credit for the cyber attack and threatened to leak the stolen information on its dark web site if not paid by June 14.

The cyber attack centers on MOVEit, a commonly used piece of software meant for secure and encrypted managed file transfer in business settings that has been around since 2002. The attackers reportedly uncovered a zero-day vulnerability in the software sometime in the previous three months, and have since been using SHODAN to trawl the internet for vulnerable internet-connected transfer servers. The CVE notes attacks in the wild taking place since May. All versions prior to the patch are impacted.

Alexander Heid, Chief Research Officer for SecurityScorecard, provides further technical insight into how these attacks have unfolded: “Smith and Mound observed netflow data from the impacted Zellis IP ranges, suspected of making large outbound transfers over HTTPS, indicative of a web shell, as well as exfiltration over SSH, to known malicious IP addresses. Their research also uncovered over 2500 exposed MOVEit servers across 790 organizations, several hundred of which exhibited the specific vulnerability. They noted that active scanning and attempted exploitation of the vulnerability continued through at least March 29th, 2023, which is when the exfiltration started for Zellis. This incident highlights the risk that a single vulnerability in widely used third-party enterprise software can pose to the digital supply chain. We recommend removing vulnerable instances of MoveIT from the public internet until a patch is implemented. While MoveIT has since released updates to rectify the vulnerability, this incident serves as a stark reminder of the need for continuous vigilance and proactive measures in cybersecurity, particularly in the realm of third-party vendor risk management.”

A warning was issued and circulated through tech and cybersecurity media on June 2, but the attackers reportedly compromised quite a few organizations prior to there being broad awareness of the issue. The provincial government of Nova Scotia also reported being hit by a similar attack, though the incident is not related to Zellis.

There were likely many more organizations beyond Zellis that were hit by this wave of cyber attacks, but the compromise of the payroll provider has led to the largest amount of downstream attacks on major companies thus far. These companies appear to have been using a standardized payroll system that can contain forms with bank information, National Insurance numbers, home addresses and other personal contact information, but it is not clear if every company that was impacted leaked this full range of information.

For its part, Zellis issued a press release saying that a “small” amount of its customers (eight known thus far, all in the UK and Ireland) were impacted by the cyber attack. These include Irish airline Aer Lingus, Jaguar Land Rover (which is headquartered in Coventry), retail chain Iceland and appliance firm Dyson. There are still few details about what specific data each of the impacted companies lost and what the exact numbers are, but Boots and Aer Lingus have stepped forward to confirm that national insurance numbers were stolen in their breaches. An internal email from British Airways that was obtained by media outlets indicates that banking details were stolen as part of the payroll provider breach.

The payroll provider has hundreds of clients in the UK, so it is possible that more names could emerge. The British and Irish National Cyber Security Centres have both been notified and investigations have been launched into the incident. Camellia Chan, CEO and Founder at X-PHY, notes that Zellit is a decided favorite among the region’s larger companies: “Knowing the colossal impact for global customers and service disruption, threat actors often target these organisations, not just directly but through third party providers, as we have seen here. More worryingly, Zellit – the payroll company suffering from the breach, via data exchange software MOVEit – works with 42 of the FTSE 100 companies, who could soon be informed that their data has also been compromised … All organisations are at risk, and that includes having a weak link in your supply chain. Organisations must do everything in their power to protect themselves against cyber criminals, taking a holistic approach to security. This includes investing in cybersecurity solutions that operate at the hardware layer. By fortifying the area closest to the data, airline companies can guarantee a high level of data protection and ensure that operations remain unaffected, giving peace of mind to the millions of employees and customers relying on their services for international travel.”

UK and Ireland employees await more information about what was stolen from payroll provider

While British Airways appears to have contacted its impacted employees about the cyber attack, others wait to see if the payroll provider compromise may have exposed their sensitive ID or banking details. The total fallout of these incidents is often not worked out for weeks, and sometimes months. If ransomware is deployed, remediation could very well take months; this happened recently with the attack on the UK’s Royal Mail, which left Post Office branches unable to accept certain types of parcels throughout the winter.

At the moment this appears to be a case of data exfiltration and threat to leak by cl0p, however. This has been something of a pattern for the group in recent years, with several other incidents involving targeted attacks on file management and transfer systems. The group attacked Fortra’s GoAnywhere software in January of this year, which resulted in downstream consequences for some 130 clients including the city government of Toronto. And in 2021 it pulled off a major cyber attack against Accellion, compromising Morgan Stanley and the leading US grocery chain Kroger among numerous other targets. It is unknown what the group is attempting to get in ransom from the more recent payroll provider attack, but prior incidents indicate it asks large companies for millions to tens of millions of dollars.

Erfan Shadabi, cybersecurity expert with comforte AG, notes that this is yet another example of the trend of advanced criminal cyber attackers being laser-focused on supply chains and the weakest possible links that will open a door to multiple organizations: “The recent cybersecurity incident involving Zellis and their third-party supplier, MOVEit, underscores the critical security risks that organizations face through their supply chain. Third-party supply chain relationships have become a prime target for malicious actors seeking to exploit vulnerabilities in interconnected systems. This incident serves as a reminder that the security of an organization’s data is only as strong as its weakest link. By relying on external suppliers, organizations expose themselves to potential breaches and data compromises if proper security measures are not in place. To mitigate these risks, organizations must prioritize securing the data itself. While traditional perimeter-based security measures are important, they may not be sufficient in preventing advanced threats originating from third-party suppliers. Organizations, instead, should adopt a data-centric security approach. Also, when selecting business partners, organizations should conduct thorough due diligence to ensure that potential partners have appropriate data security measures in place. Evaluating the partner’s security practices, certifications, and adherence to industry standards can provide crucial insights into their commitment to data protection.”

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, adds: “It’s unfortunate to see so many people affected by this cyberattack. This news demonstrates that the challenges of keeping systems secure go beyond mere firewalls and antivirus software. Securing the supply chain depends on implementing robust cybersecurity measures, such as constant monitoring, insider threat detection, and ongoing education and awareness among users and all staff members. The theft of data from BA and Boots illustrates how organizations depend on software solutions like MOVEit, which underpin their infrastructure and provide an attractive target to cybercriminals, even when they’re not household names. In the end, proactive cybersecurity measures can help guard against cyberattacks, but organizations must also prepare for scenarios where a system vulnerability is exploited and no patch is available yet, such as is the case with zero-day vulnerabilities. This breach serves as a dire reminder that organizations need to remain vigilant and work constantly to identify and mitigate these risks to protect their data and their stakeholders.”