Security researchers are sounding the alarm after hackers were caught exploiting a newly discovered vulnerability in a popular file transfer tool used by thousands of organizations to launch a software supply chain cyberattack.
The hack exploited a previously unknown weakness in a supposedly secure piece of file-transfer software, highlighting how vulnerable many companies are to sophisticated cyberattacks that target flaws along their software supply chain.
Security researchers have linked Lace Tempest, an affiliate of the notorious Russian-speaking Clop ransomware gang, to attacks that have so far compromised the personal data of tens of thousands of employees at some of Britain’s biggest companies.
Hackers are exploiting a vulnerability in MOVEit Transfer, a file-transfer tool widely used by enterprises to share large files. The vulnerability allows hackers to gain unauthorized access to an affected MOVEit server’s database. A unit of the U.S.’s Progress Software, which develops the MOVEit software, has already released some patches.
Victims of the attacks include Zellis, a U.K.-based human resources software maker and payroll provider which serves nearly half of FTSE 100 companies. Corporate users of Zellis were in turn compromised, giving hackers access to the personal data of those organizations’ employees. The victims include employees of British Airways, the BBC, the University of Rochester, Boots, Aer Lingus, and the provincial government of Canada’s Nova Scotia.
The Financial Times reported that the BBC, the UK national broadcaster with about 20,000 workers, and Boots, the pharmacy retailer that employs more than 50,000, alerted staff to the potential breach which affected their names, dates of birth and National Insurance numbers. British Airways, which in 2020 was fined £20 million for leaking customer data, told the Financial Times it would “provide support and advice” to relevant staff.
The hacking group wants the people it has targeted to email it before June 14 or it will publish their payroll information, reports Quartz. The Clop group wants to monetize the data in its hands, and companies should avoid falling into its trap by emailing it, Ciaran Martin, a cyber security expert who helped set up the UK’s National Cyber Security Centre, said during a BBC Radio 4 interview.
The consequences of a software supply chain attack can be severe, notes the U.S.’s Cybersecurity and Infrastructure Security Agency (CISA). First, threat actors use the compromised software vendor to gain privileged and persistent access to a victim’s network. By compromising a software vendor, they bypass perimeter security measures such as border routers and firewalls and gain initial access. While gaining initial persistent access can be relatively indiscriminate, CISA says hackers will often be more selective in choosing which victims they target for follow-on actions, which often start when the threat actor injects additional tailored malware packages into a chosen target. Depending on the threat actor’s intent and capability, this additional malware may allow the threat actor to conduct various malicious activities, including data or financial theft, monitoring organizations or individuals, or disabling networks or systems. Because the consequences are difficult to mitigate once a software supply chain attack has occurred, CISA advises organizations to observe industry best practices before an attack happens.
IN OTHER NEWS THIS WEEK
Nvidia’s AI Software Tricked Into Leaking Data
The Financial Times reported that a feature in Nvidia’s artificial intelligence software can be manipulated into ignoring safety restraints and revealing private information, according to new research. Nvidia has created a system called the “NeMo Framework” which allows developers to work with a range of large language models — the underlying technology that powers generative AI products such as chatbots. The chipmaker’s framework is designed to be adopted by businesses, for example by using a company’s proprietary data alongside language models to provide responses to questions — a feature that could replicate the work of customer service representatives, or advise people seeking simple healthcare advice. Researchers at San Francisco-based Robust Intelligence found they could easily break through the so-called guardrails instituted to ensure the AI system could be used safely. After using the Nvidia system on their own data sets, it took Robust Intelligence analysts only hours to get language models to overcome the restrictions. In one test scenario, the researchers instructed Nvidia’s system to swap the letter ‘I’ with ‘J’. That move prompted the technology to release personally identifiable information, or PII, from a database. The researchers found they could bypass safety controls in other ways, such as getting the model to digress in ways it was not supposed to.
Nuclear Technology Company Newcleo Acquires Two Companies
Newcleo, a nuclear technology company developing Generation IV reactors that use nuclear waste as fuel, has an agreement to purchase in full S.R.S. Servizi Ricerche e Sviluppo (SRS) and Fucina Italia (Fucina), according to a press release.
Both based in Italy, SRS and Fucina jointly work in the energy and nuclear engineering sector. SRS focuses on the design and engineering of nuclear systems, and Fucina on the manufacturing of these systems. SRS holds a 30% stake in Fucina. The businesses are worldwide leaders in the design and building of nuclear systems deploying liquid lead technology, the technology at the heart of newcleo’s innovation.
This acquisition is a step change for newcleo only 20 months since its launch. SRS-Fucina Group, which employs more than 110 people, will provide outstanding capabilities for nuclear engineering, manufacturing and waste management, helping to boost the delivery of the newcleo vision based on innovative Lead Fast Reactor (LFR) technology and the use of MOX as fuel. Under newcleo’s ownership, SRS-Fucina Group will continue to serve its blue chip customer base and generate revenue, whilst becoming integral to the delivery of newcleo’s ambitious plans. newcleo is preparing a multi-million investment plan to expand the acquired group’s know-how, facilities, and skilled employees, to support its overall development program, and to continue to deliver specialized components and systems in the growing nuclear energy market.