Data on as many as 100,000 Nova Scotia healthcare staff stolen in MOVEit breach


Data on at least 100,000 employees in Nova Scotia’s healthcare sector were stolen as the result of the vulnerability in Progress Software’s MOVEit file transfer application, the province said Tuesday. 

Data stolen includes Social Insurance numbers, addresses and banking information of employees of Nova Scotia Health, the public service and the IWK Health Centre, which is a major pediatric hospital and trauma centre.

The province uses MOVEit for transferring payroll information. It has begun notifying victims.

The Clop/Cl0p ransomware gang told BleepingComputer it is behind the MOVEit Transfer data-theft attacks. For infosec teams running Microsoft’s Defender Threat Intelligence service, Microsoft calls this group Lace Tempest.

According to the BBC, other victims include the BBC, British Airways, British pharmacy chain Boots and Irish airline Aer Lingus.

The SQL injection zero-day vulnerability was announced by Progress Software on May 31. Researchers at Mandiant think the earliest evidence of exploitation occurred on May 27, resulting in the deployment of web shells and data theft. In some instances, the researchers say, data was stolen within minutes of the deployment of web shells.

The vulnerability is known as CVE-2023-34362.

In the past two and a half years, hackers have exploited holes in file transfer applications including GoAnywhere MFT, IBM’s Aspera Faspex and Accellion FTA.

Many researchers say IT departments who either didn’t install the patch immediately or were using unaffected versions of the on-premises or cloud version of MOVEit should assume their systems have been compromised.

Researchers at Huntress Labs said that as of June 1, a scan of the web using the Shodan search engine suggested there were over 2,500 MOVEit servers publicly available on the open internet.

Huntress researchers created an exploit that allowed them to receive shell access with Meterpreter, escalate to Windows’ NT AUTHORITY\SYSTEM and detonate a Cl0p ransomware payload. “This means that any unauthenticated adversary could trigger an exploit that instantly deploys ransomware or performs any other malicious action,” the researchers conclude. “Malicious code would run under the MOVEit service account user moveitsvc, which is in the local administrators group. The attacker could disable antivirus protections, or achieve any other arbitrary code execution.”

Researchers at CrowdStrike say the webshell created by an attacker will utilize an existing user account with permission level “30” or a new randomly generated username to establish a persistent session within the MOVEit application. Their blog has instructions on how infosec teams can investigate a possible compromise.

The stolen data could be used for social engineering attacks or ransom, noted Tim West, head of threat intelligence at WithSecure. He noted that British Airways said payment information of its employees was stolen, but organizations should expect the bulk of data to be ransomed and/or uploaded to a leak site.

The post Data on as many as 100,000 Nova Scotia healthcare staff stolen in MOVEit breach first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
