MY TAKE: Will companies now heed attackers’ ultimatum in the MOVEit-Zellis supply chain hack?

By Byron V. Acohido

The cybersecurity community is waiting for the next shoe to drop in the wake of the audacious MOVEit-Zellis hack orchestrated by the infamous Russian hacking collective, Clop.

Clop operatives went live last week with an unusual ultimatum — written in broken English and posted in a Dark Web forum — giving the victimized organizations a June 14th deadline to make direct contact with them under threat of having sensitive stolen data made public.

The hackers took advantage of a SQL injection vulnerability – known as CVE-2023-34362 – that, left unpatched, leaves a path for an intruder to gain access to assets like MOVEit’s Transfer database.

Security strategist Delilah Schwartz of Cybersixgill, a Tel Aviv-based threat intelligence firm, noted that depending on the database engine being used, for instance, MySQL, Microsoft SQL Server or Azure SQL, an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements.

“These attacks are a glaring illustration of the imminent dangers we face in the cyber threat landscape,” Schwartz said.

“It is alarming to realize that while the current perpetrators are associated with a highly advanced cybercriminal operation, a widely circulated proof-of-concept (PoC) could allow less experienced actors to replicate this attack by exploiting additional exposures from this vulnerability in the wild,” she added.

Post SolarWinds

This is a prime example of what multi-stage supply chain hacks have morphed into two years after the milestone SolarWinds hack. The nefarious Clop gang initially compromised MOVEit, which provided them a beachhead to gain access to Zellis, a UK-based supplier of payroll services. Breaching Zellis then gave them a path to Zellis’ customer base.

Cybersixgill’s analysts have been monitoring escalating activity in the underground related to the MOVEit flaw. On several Russian cybercrime forums, Schwartz says, there have been requests to acquire payroll-related data stolen from Zellis’ customers.

For instance, Cybersixgill’s security analysts observed a member from a leading dark web forum offering up to $100,000 for data from UK-based victims of the MOVEit attacks. The member’s intended use of the data remained unclear but suggested the formation of a team dedicated to leveraging UK-sourced data, she says.


Schwartz observed, “The member seems to be an experienced and reputed threat actor with a history on the forum dating back to 2020. They have shown interest in various cybercriminal activities, including ransomware, carding, bots, sim card swaps, stolen databases, remote access trojans (RATs), and information stealers.”

She added, “If a proof-of-concept for CVE-2023-34362 eventually surfaces in the underground, the fallout could be disastrous. We are already witnessing a surge of interest in the MOVEit PoC following the wave of Zellis-related attacks.”

It’s not a time to panic, security experts say. However, the MOVEit-Zellis hack does serve as a glaring reminder of the need for companies to make effective vulnerability management a high priority: this latest attack reinforces the motivation for hacking collectives, like Clop, to increasingly target software supply chain hubs, like MOVEit and Zellis.


“These are attractive targets for attackers because they are a multiplier for their efforts,” observes James Watts, Managing Director at Databarracks, a supplier of cloud continuity solutions. “A single breach gets into numerous organizations and provides multiple avenues for ransom.”

Companies would do well to meticulously audit their software supply chains and purposefully embrace best security practices. “The first place to start is to understand your risks,” Watts says. “That means identifying the sensitivity of the data your suppliers hold, and knowing who your suppliers are and what risks they pose.”

Oz Alashe, CEO of CybSafe, which supplies a human risk management platform, argues that proactive human collaboration is a vital component.


“People are the first and last line of defense in protecting a company’s data, and organizations should give them the tools to be part of the solution,” Alashe says. “We will make significant improvements by targeting the specific security behaviors that leave individuals vulnerable to attack and addressing them through positive cooperation.”

How much will Clop ultimately plunder? I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)
