Last week news appeared that hackers were exploiting a newly discovered vulnerability in MOVEit Transfer, a file-transfer tool widely used by enterprises to share large files over the internet. The vulnerability allows hackers to gain unauthorised access to an affected MOVEit server's database.

Progress Software, which develops the MOVEit software, has already released some patches. Over the weekend, the first victims of the attacks began to come forward.

Human resources software maker and payroll outfit Zellis confirmed that its MOVEit system was compromised, affecting a "small number" of its corporate customers. One of those customers was British Airways, which saw all its payroll data nicked.

The BBC confirmed it was affected by the incident affecting Zellis and the government of Nova Scotia, which uses MOVEit to share files across departments.

The Nova Scotia government took its affected system offline and is working to determine "exactly what information was stolen, and how many people have been impacted."

Microsoft security researchers attribute the cyberattacks to a group it tracks as "Lace Tempest." This gang is a known affiliate of the Russia-linked Clop ransomware group, previously linked to mass attacks exploiting flaws in Fortra's GoAnywhere file transfer tool and Accellion's file transfer application.

Vole said that the exploitation of the MOVEit vulnerability is often followed by data exfiltration. Mandiant isn't yet making the same attribution as Microsoft, but noted in a blog post over the weekend that there are "notable" similarities between a newly created threat cluster it's calling UNC4857 that has as-of-yet "unknown motivations" and FIN11, a well-established ransomware group known to operate Clop ransomware.

"Ongoing analysis of emerging activity may provide additional insights. It's likely many more victims of the MOVEit breach will come to light over the next few days," Mandiant said."