Back in May 2023, MOVEit was the victim of a Russian-based ransomware group called Cl0p. This group is also known as (or overlaps with):
- TA505 (Proofpoint)
- Graceful Spider (CrowdStrike)
- Gold Evergreen (SecureWorks)
- Gold Tahoe (SecureWorks)
- TEMP.Warlock (FireEye)
- ATK 103 (Thales)
- SectorJ04 (ThreatRecon)
- Hive0065 (IBM)
- Chimborazo (Microsoft)
- Spandex Tempest (Microsoft)
- FIN11 (FireEye)
- DEV-0950 (Microsoft)
- G0092 (Mitre)
- Lace Tempest (Microsoft)
They used a zero-day vulnerability (CVE-2023-34362) to breach the MOVEit systems. This SQL injection vulnerability was used to gain unauthorized access to files stored on the system, meaning they could steal data from any organization using MOVEit. This is one of the biggest supply chain breaches known so far.

The news was that hundreds of companies were affected, amongst them companies in the aerospace industry, airlines, government organizations, health care institutes, universities, banks, telecom providers, etc. The list seemed endless, as you can see on KonBriefing.
These companies were using MOVEit, and in the breach Cl0p exfiltrated confidential data on employees and customers, and perhaps other data of companies that used MOVEit, by accessing other systems through the software.

So what’s new?
On November 11, news broke that an individual called Nam3Less (or Nam3L3ss) was releasing data on a well-known cyber crime forum. At the time of writing, at least 20 companies have had their employee data leaked. Examples of companies whose data is currently available for download are Amazon, Delta Airlines, Lenovo and 3M.

Who is Nam3L3ss?
Who exactly Nam3L3ss is remains unknown at this point. Will we ever find out? Only time will tell. So what do we know right now?
According to Nam3L3ss, he’s not a hacker and got the data through downloading it.

Whether or not this is true, the data that is currently offered through this forum seems to be legit. Amazon confirms that the 2.8 million records were indeed stolen through a compromised “third-party property management vendor”. So with the assumption that the Amazon data is legit, it’s easy to say that the other data sets might be real as well.
He also posted his manifesto on the same forum:

When you read his manifesto, it almost feels like he’s (pretending to be) an activist by mentioning “We live in a digital world, time to make it secure for the generation to come!”. Nam3L3ss also references this article where the city of Columbus, Ohio is suing a security researcher named Connor Goodwolf for researching a cyberattack on the city and spreading this information.
For now, it’s still unclear whether Nam3L3ss is part of the Cl0p ransomware group or is indeed a security researcher.
What’s the impact?
The impact of the leaks will be clear in the days and weeks to come, but you can count on it being significant. The number of employee records ranges from 3,295 records for McDonald’s to 2,861,111 records for Amazon, according to infostealers.com.

These datasets can be used for (spear)phishing, but they could also impact the personal safety of employees if the datasets contain any information other than just business-related information. For companies it might also have vast consequences due to the sensitive nature of the information.

Impacted companies will try to find out who Nam3L3ss is, but law enforcement will be involved as well. In Nam3L3ss’ manifesto it’s also mentioned that the plan is to release data on police informants. So next to arresting Nam3L3ss for releasing the data, there’s also something on the line for law enforcement agencies and their informants (maybe even their lives).
For now, Nam3L3ss also mentions that another 1,000 releases are coming.

Conclusion
Supply-chain attacks like this proved to be a great risk back in 2023, but this one also proves that “everything that is posted on the internet will remain there forever” (a bit exaggerated, but you get the point). More than 1.5 years after the breach, the data is being posted while the news has faded away for most of us.
This is clear evidence of why you should protect yourself and your organization against cyber crime and cyberattacks. Leaked data will pose an ongoing risk not only for companies, but also for individuals. Depending on the type of data leaked, it can impact their (physical) security and financial future.
From that point of view, the point Nam3L3ss is trying to make is great. We should collectively take care of the next generations by taking action now, and make sure data is better secured across the board. The industry has been trying to do this for years, and we still haven’t succeeded. So maybe a bigger statement like this gets the point across, but on the other hand, it’s a decision with a big impact that might have consequences beyond what we can see today.
Disclaimer
This post is for informational purposes only, and we are not liable for any loss or damage resulting from its use.
Also: don’t be a skiddie, or an a-hole, and stay vigilant!