MOVEit Transfer: Stolen data from Amazon and Co. is for sale

Employee data stolen via the MOVEit Transfer leak from large companies such as Amazon, HP, HSBC and others is for sale in the digital underground.

Computers in front of server cabinets with data leaks, surrounded by data thieves

(Image: created with AI in Bing Designer by heise online / dmk)


Data from employees of large and well-known companies is available for purchase in the digital underground. The companies affected include Amazon, HP, HSBC, Lenovo and others.

The employee data of well-known companies are for sale in a well-known underground forum.

(Image: Screenshot / cku)

The data was posted on the breach forum by the user account "Nam3l3ss" at the weekend. This was first reported on X by the IT security company Hudson Rock. It was there that the malware scene observers from vx-underground came across the data publication.

The malicious actor or actors behind the "Nam3l3ss" account are offering data from employees of possibly more than a thousand other companies in the underground forum, including tens of large and well-known ones. vx-underground lists companies including 3M, Amazon, Applied Materials (AMAT), British Telecom (BT), Canada Post, Cardinal Health, City National Bank (CNB), Delta Airlines, Fidelity, HP, HSBC, Leidos, Lenovo, McDonald's, TIAA, Union Bank of Switzerland (UBS), U.S. Bank and Westinghouse.


The security experts at vx-underground have confirmed that Amazon and HSBC have been compromised. Based on the examined data, it can be deduced that the data originates from around May 31, 2023. However, "Nam3l3ss" also openly writes this in the "offer" in the data theft forum. The data does not appear to contain any customer information. According to the underground forum entry, the Amazon data includes names, cost center numbers, personnel numbers, cost centers, telephone numbers, email addresses, job title, city, information on supervisors and the like. Amazon informed heise online that the data was stolen from a property management company, that other customers of that company were also affected, and that the security gap there has already been closed.

According to the report, the data tends to be HR or accounting-related and is therefore not "mission-critical". However, as it exposes internal company information such as employees, building plans or costs, it poses a risk. Attackers can misuse this information for targeted spear phishing, for example, in order to gain the trust of their victims more quickly.

It remains unclear how "Nam3l3ss" obtained the data. In the context of the Amazon data records, for example, the account mentions the Cl0p ransomware gang, which abused the MOVEit Transfer vulnerabilities on a large scale to steal data from numerous companies during the period mentioned.

At the beginning of June last year, it became known that attackers were leaking data via a MOVEit Transfer vulnerability. Initial updates were available, but it took several attempts to seal the gap correctly. A cyber gang known as Cl0p used this to extract extensive data from many companies. These included large and well-known companies such as EY, PWC, Schneider Electric and Siemens Energy.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.