
Progress Software security flaw leads to massive data theft

Companies often detect and repair security flaws before cyber criminals identify and exploit them. But not this time. (Chris Ratcliffe/Bloomberg)

Burlington-based Progress Software discovered a critical security flaw in one of its products last week. Unfortunately, a gang of cybercriminals discovered it first. And now companies are scrambling to repair the damage.

Progress warned its customers last Tuesday that it had discovered the flaw in its MOVEit software, which is used by companies to swap large amounts of data between servers.

Such flaws are not uncommon. Companies often detect and repair them before cyber criminals exploit them. But not this time. Soon after Progress made its announcement, cybersecurity companies including Boston-based Rapid7 reported that online criminal gangs were already using the security flaw to steal data.


“We have detected attacks going as far back as May 27,” said Caitlin Condon, Rapid7’s senior manager of security research.

According to a document filed by Progress with the US Securities and Exchange Commission, a Progress customer warned of a problem on May 28. The company spent two days confirming the warning, then notified customers on May 30. But that left the criminals plenty of time to steal large quantities of information.

“We have had multiple cases where several gigabytes of data have been taken,” Condon said.

As of Tuesday afternoon, there were no reports of major US companies being affected by the MOVEit flaw. But several news agencies have reported that a UK payroll processing company called Zellis was breached and that at least three Zellis customers — the BBC, the pharmacy chain Boots, and British Airways — have warned their employees that their personal information may have been stolen. In addition, the government of the Canadian province of Nova Scotia has said that it’s been hit by a MOVEit attack.

A Progress Software spokesperson said the company immediately alerted its customers about the threat and has patched the software to eliminate it.


A notorious cybercriminal gang called “Clop” has claimed responsibility for the data theft. The gang is believed to be based in Russia and specializes in attacking file transfer programs, which can provide access to huge amounts of sensitive information if successfully breached.

Clop has claimed responsibility for an attack in February on a file transfer company called Fortra and a similar 2020 attack on another file transfer company called Accellion. Both of these little-known companies provide services to giant firms, including consumer products company Procter & Gamble, supermarket chain Kroger, and energy company Shell.

Hiawatha Bray can be reached at Follow him @GlobeTechLab.