The pain from the MOVEit file-transfer vulnerabilities keeps spreading for organizations that use the service and their customers.
More than 1,000 organizations have been impacted by Clop’s mass exploitation of a zero-day vulnerability that Progress Software first disclosed in late May, according to threat analysts and researchers. Five additional vulnerabilities in the file-transfer service have subsequently been discovered.
MOVEit is an approved and accredited file-transfer service that meets regulatory compliance requirements for multiple government agencies and highly regulated industries. These auditor and government-backed certifications made it a widely used service for organizations with sensitive data.
Some of the world’s largest financial institutions, law firms, insurance providers, healthcare firms, education service providers and government agencies have been hit by this slow-moving disaster.
Many organizations have been impacted due to their direct use of MOVEit while others have been exposed as a result of third-party vendors’ use of the file-transfer service, including the National Student Clearinghouse, PBI Research Services, TIAA and Zellis.
The spree of attacks against MOVEit marks the third actively exploited zero-day vulnerability linked to a file-transfer service this year. The financially motivated Clop ransomware group is responsible for two of these supply-chain attacks, including a zero-day vulnerability in Fortra’s GoAnywhere file-transfer service that the group exploited in March.
The third file-transfer service attacked this year involves a vulnerability in IBM Aspera Faspex that threat actors were still exploiting in late March, almost four months after a patch was first made available.
Clop was also responsible for the zero-day exploit-driven campaign against Accellion file-transfer devices in 2020 and 2021.
Prior to Clop’s latest spree of attacks, the Cybersecurity and Infrastructure Security Agency and the FBI estimated the threat actor group had compromised more than 3,000 U.S.-based organizations and 8,000 organizations based elsewhere.
Cybersecurity experts expect further damage to come.
How the MOVEit mess unfolded
Progress received a call over Memorial Day weekend from a customer alerting the company to unusual activity in their MOVEit environment.
Progress disclosed a zero-day vulnerability in MOVEit, impacting all on-premises and cloud-based versions of the widely used file-transfer service.
The actively exploited SQL injection vulnerability allowed threat actors to escalate privileges and gain unauthorized access to customer environments.
The vendor said it issued a patch for on-premises versions of MOVEit and patched cloud test servers.
Multiple threat intelligence firms shared evidence of active exploits of the zero-day vulnerability and indicators of compromise.
“Mass exploitation and broad data theft has occurred over the past few days,” Mandiant Consulting CTO Charles Carmakal said in a statement.
Progress said it’s “extremely important” for all MOVEit customers to immediately apply mitigation measures, including disabling all HTTP and HTTPS traffic to MOVEit environments.
The actively exploited vulnerability was assigned CVE-2023-34362 with a severity rating of 9.8 out of 10.
Researchers at Censys said they observed more than 3,000 MOVEit hosts exposed to the internet before the first vulnerability was disclosed or patched.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in an alert.
An initial wave of victims started coming forward, disclosing breaches linked to the exploited vulnerability, including British Airways, the BBC and the government of Nova Scotia.
Progress repeatedly declined to say how many companies were using MOVEit when the zero-day vulnerability was initially discovered. The company estimates MOVEit Transfer and MOVEit Cloud accounted for less than 4% of its annual revenue, according to an 8-K filed with the Securities and Exchange Commission.
Multiple customers of Zellis, a U.K. payroll provider that services hundreds of companies and was compromised via the MOVEit zero-day vulnerability, were impacted. “We can confirm that a small number of our customers have been impacted by this global issue and we are actively working to support them,” a Zellis spokesperson said in a statement.
The period of active exploitation prior to discovery remained a moving target, as security researchers uncovered previously unknown attacks linked to the SQL injection vulnerability and to subsequently discovered vulnerabilities.
“Trustwave has seen activity of source IPs recently exploiting the MOVEit application since at least February,” Spencer Ingram, Trustwave’s SVP of operations, said via email.
Huntress recreated the attack chain exploiting the vulnerability in MOVEit, asserting the webshell indicator of compromise previously shared by Progress and security researchers is not necessary to compromise the software. This would later be identified as a series of subsequently discovered vulnerabilities.
Clop, also known as TA505, published a statement on its dark web site claiming to have exploited the MOVEit vulnerability to exfiltrate data from hundreds of organizations.
Clop set a June 14 deadline for victims to contact the group and begin negotiations.
Mandiant also attributed the attacks to Clop, a group it identifies as FIN11, and published a 34-page containment and hardening guide for MOVEit customers.
Within a week of Progress’ initial disclosure, CISA, CrowdStrike, Mandiant, Microsoft, Huntress and Rapid7 were all assisting the company with incident response and ongoing investigations.
PBI Research Services, a third-party vendor that uses MOVEit and helps many large enterprises search databases, informed some of its customers about an extensive compromise linked to the MOVEit attacks. The breach of PBI’s systems exposed millions of customer files to theft.
“PBI Research Services uses Progress Software’s MOVEit file-transfer application with some of our clients. At the end of May, Progress Software identified a cyberattack in their MOVEit software that did impact a small percentage of our clients who use the MOVEit administrative portal software resulting in access to private records,” a PBI spokesperson said in a statement.
CISA and the FBI released a joint advisory to share recommendations for organizations at risk of compromise.
“Due to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks,” federal authorities said.
Risk analysis firm Kroll pushed the timeline for the now-exploited vulnerability back years, asserting that Clop knew about and was experimenting with ways to exploit one of the vulnerabilities in MOVEit as early as July 2021.
Progress corroborated Huntress’ findings about a series of newly discovered SQL injection vulnerabilities in MOVEit. The company issued a patch for the new vulnerabilities and said there was no evidence they had been exploited.
The new SQL injection vulnerabilities in MOVEit were assigned CVE-2023-35036 with a severity rating of 9.1.
Cybersecurity experts and potential victims were on high alert as the initial deadline set by Clop expired.
Clop, which bills itself as one of the top organizations offering “after-the-fact penetration testing,” made good on its threat and named a dozen victim organizations on its data-leak site.
Progress disclosed and released a patch for a new MOVEit vulnerability, the company said in an advisory, marking the third since Progress disclosed an actively exploited zero-day vulnerability two weeks prior.
The vendor encouraged all MOVEit customers to immediately address the new privilege escalation vulnerability, CVE-2023-35708, including measures to disable all HTTP and HTTPS traffic to MOVEit environments.
“At this time, we have not seen indications that this new vulnerability has been exploited,” a MOVEit spokesperson told Cybersecurity Dive in an emailed statement.
The advisory came just after officials from CISA disclosed a “small number” of federal agencies were impacted by the campaign, which CISA attributes to the Clop ransomware gang.
“Although we are very concerned about this campaign and working on it urgently, this is not a campaign like SolarWinds that presents a systemic risk to our national security,” CISA Director Jen Easterly said on a press call.
“As far as we know, these actors are only stealing information that is specifically stored on the file-transfer application at the precise time that the intrusion occurred,” Easterly said.
At the time, Emsisoft Threat Analyst Brett Callow said there were 63 known and confirmed victims, plus an unspecified number of U.S. government agencies.
The U.S. State Department offered a $10 million bounty related to information on the Clop ransomware group, after records from at least two of the department’s entities were compromised.
Researchers at Reliaquest said they observed “the first possible instance of leaked data after one named organization apparently refused to engage in negotiations, according to the Clop site.”
Clop simultaneously leaked data and publicly named an organization, marking the second instance of a data leak related to the MOVEit exploits, according to Reliaquest.
The California Public Employees’ Retirement System, the largest pension system in the U.S., confirmed the personal data of about 769,000 members was exposed and downloaded in connection to the PBI breach.
The MOVEit attack campaign victim count rose to more than 100 organizations, Callow told Cybersecurity Dive via email.
Clop claimed to have leaked data stolen from 17 of its alleged victims to date, according to Reliaquest.
Progress reported nearly $1.5 million in cyber incident and vulnerability response expenses during its fiscal second quarter, which ended May 31, and said it expects to incur additional expenses in future quarters.
“We’ve been taking this issue very seriously,” Yogesh Gupta, president and CEO at Progress, said during the company’s earnings call, according to a Seeking Alpha transcript.
“While working through an issue of this nature, it’s important not to speculate broadly or prematurely but rather focus on the task at hand, doing what we can to protect our customers against the ongoing threat of cybercriminals,” Gupta said.
The widely exploited vulnerability in MOVEit has impacted nearly 200 organizations to date, according to Callow.
Progress released another update, including security fixes, and said it will consistently release MOVEit product updates every two months going forward.
Progress disclosed three new vulnerabilities in an advisory that details the security fixes it released in the service pack the day prior.
One of the vulnerabilities, CVE-2023-36934, is assigned a severity rating of 9.1. The other two, a series of SQL injection vulnerabilities assigned CVE-2023-36932, and CVE-2023-36933, are still undergoing analysis.
This brings the total number of CVEs assigned to MOVEit since initial disclosure to six.
CISA issued an alert, advising MOVEit customers to apply the product updates. “A cyber threat actor could exploit some of these vulnerabilities to obtain sensitive information,” the federal agency said.
Progress claims only one of the six vulnerabilities, the initially discovered zero-day, has been exploited.
“To our knowledge at this time, none of the vulnerabilities discovered after the May 31 vulnerabilities have been actively exploited,” a spokesperson told Cybersecurity Dive via email.
“We remain focused on supporting our customers by helping them take the steps needed to further harden their environments, including applying the fixes we have released,” the spokesperson said.
The enterprise software vendor addressed the risk organizations confront across their technology stacks. “The reality today is that sophisticated cybercriminal groups are executing highly complex campaigns at an increasing rate,” the spokesperson said.
“While no one is immune,” the spokesperson said, “our goal since learning about the initial vulnerability has been to work to address the security and safety of our customers, including releasing patches in a timely manner, expanding our support services to address customer questions, establishing a steady cadence of update communications and working with third-party security experts to further improve the security of our products and share information that may benefit our customers and the industry as a whole.”
More than 300 victim organizations have been identified since Progress was first alerted to malicious activity on a customer’s MOVEit environment. Major organizations are joining the long list of victims every day.
Bert Kondrus, founder and managing director of KonBriefing Research, has been maintaining a list of victims and identified at least 317 organizations impacted by the exploited MOVEit vulnerability to date.
Callow said he’s identified at least 314 victim organizations and noted the PII of more than 18 million individuals has been exposed.
“The potential for identity fraud isn’t the only risk, or necessarily even the most serious,” Callow said. “Phishing and business email compromise could be even bigger threats.”
Experts expect the number of organizations and individuals impacted, which includes victims that reported breaches and others named on Clop’s site, will continue to rise.
Nearly 500 organizations and almost 24 million individuals have been exposed by the mass exploit of the MOVEit vulnerability, according to Emsisoft.
The victim count continues to rise from a steady stream of disclosures and more organizations listed on Clop’s leak site. One-quarter of the 286 public disclosures made to date specify the number of individuals impacted, according to Callow.
Clop has listed 206 organizations on its leak site, which means 2 in 5 victims have yet to confirm a compromise via public disclosure notices, Callow said. At least 136 organizations that don’t use MOVEit directly have been exposed via third-party vendors.
The prolific threat actor has leaked data across the dark and clear web it claims to have stolen from multiple companies. Security researchers said threat actors sometimes leak data on the clear web to post the data more quickly and increase pressure on their victims.
Based on the disclosures made to date and the average number of individuals compromised per disclosure, Emsisoft estimates almost 130 million people have been exposed by this widespread attack. The number of victims continues to grow.
The mass exploit of a zero-day vulnerability in MOVEit has compromised more than 600 organizations and 40 million individuals.
The victim pool now represents some of the most entrenched institutions in highly sensitive — and regulated — sectors, including healthcare, education, finance, insurance, government, pension funds and manufacturing.
Yet, the numbers mask a more disastrous outcome that’s still unfolding.
“Without a doubt, they hit one of the juicy parts of the orchard from an information perspective that they’ll continue to monetize and use for attacks in the future,” independent analyst Michael Diamond said via email. “My impression is that this is only going to get worse over time.”
Colorado State University was hit six times, six different ways. The school’s third-party vendors — TIAA, National Student Clearinghouse, Corebridge Financial, Genworth Financial, Sunlife and The Hartford — all informed the school of data breaches linked to the MOVEit attacks.
Three of the big four accounting firms — Deloitte, Ernst & Young and PwC — have been hit too, putting the sensitive customer data they maintain at risk.
Government contractor Maximus reported one of the worst breaches tied to the MOVEit compromise, after the personally identifiable information of up to 11 million individuals was potentially exposed. The data of more than 600,000 Medicare beneficiaries was exposed as part of the Maximus breach.
The subsequent reach and potential exposure caused by the Clop ransomware group’s spree of attacks against these organizations is vast, and the number of downstream victims is not yet fully realized.
“The scale of the attack and the high-profile victims make the MOVEit campaign arguably the most successful public extortion campaign we have seen to date,” Rick Holland, VP and CISO at Reliaquest, said via email.
Multiple threat intelligence reports concluded Clop was responsible for one-third of all ransomware attacks in July, positioning Clop as the most prolific ransomware threat actor this summer.
The threat actor has compromised more than 730 organizations as part of the MOVEit campaign, according to the figures tracked by Emsisoft and KonBriefing Research.
The MOVEit blast radius reached another milestone in its destructive spread: More than 1,000 organizations have been impacted to date, according to Emsisoft and KonBriefing Research.
The number of organizations hit by the attack increased nearly 40% in a week, underscoring the scope of impact and challenge organizations are encountering as they work to determine potential exposure.
For almost two-thirds of the victims, breaches occurred because their third-party vendors used MOVEit or the vendor’s vendors used the file-transfer service, according to KonBriefing Research.
Many downstream victims were exposed by accounting firms, consultancies and benefits and pension actuaries.
Broad sharing of personal and sensitive data has ensnared victims that would otherwise be unimpacted by Clop’s spree of attacks against MOVEit customers.
The number of organizations impacted by the MOVEit attacks surpassed 2,000 after the National Student Clearinghouse filed a disclosure with California’s Department of Justice linking its previously reported exposure to the MOVEit attacks to almost 900 downstream U.S. universities and colleges.
Clop obtained a trove of personal information held by the NSC, including PII, Social Security numbers, student ID numbers and school records, according to the data breach notice sent to its customers.
As one of the country’s largest providers of educational reporting, data exchange, verification and research services, the organization’s use of MOVEit exposed sensitive data held by hundreds of the largest and most prestigious academic institutions in the U.S., including the University of Arizona and five of eight Ivy League schools.
The disclosure underscores the extent to which many unsuspecting organizations that have no direct link to MOVEit are being entangled by the attacks due to supply chain vendors.
BORN Ontario, a government-run birth registry in the Canadian province, confirmed the data of about 3.4 million people was exposed due to its use of the widely exploited file-transfer service.
Victims include 1.9 million newborns and children and 1.4 million people seeking pregnancy care between January 2010 and May 2023, the agency said in a statement.
Clop stole files containing personal health information from a large network of healthcare facilities, including PII, health card numbers, lab results, pregnancy risk factors, types of birth, procedures, and pregnancy and birth outcomes.
“At this time, there is no evidence that any of the copied data has been misused for any fraudulent purposes,” BORN Ontario said in a statement. “We continue to monitor the internet, including the dark web, for any activity related to this incident and have found no sign of BORN’s data being posted or offered for sale.”