Payroll Provider Zellis Falls Prey to MOVEit Transfer Breach
Zellis, a payroll provider in the UK and Ireland, and some of its customers have been affected by the exploitation of a zero-day vulnerability in the MOVEit file transfer tool. The vulnerability (CVE-2023-34362) was discovered on May 31 and can grant escalated privileges and unauthorized access, potentially leading to data exfiltration and monetization through dark web markets and ransomware. Eight Zellis customers have been impacted, including BBC, Boots, British Airways, and Aer Lingus. A security patch is now available to address the vulnerability, and companies are urged to download it and search for signs of unauthorized access. Enterprises should be aware of third-party risk, as vendor cybersecurity is just as important as an organization's internal cybersecurity. In 2022, 63 third-party breaches led to 298 cascading data breaches. To mitigate third-party risk, companies should review contracts to ensure vendors have appropriate security standards and stay active within their industry to learn about emerging threats. While due diligence can reduce third-party risk, zero-day flaws are difficult to detect due to their novelty. Regulation may shift more responsibility onto vendors in the future, as seen in the United States National Cybersecurity Strategy. Malware: Clop(Linux), Clop, Clop(Windows) CVEs: CVE-2023-34362 [View Article](https://www.informationweek.com/security-and-risk-strategy/payroll-provider-zellis-falls-prey-to-moveit-transfer-breach-)