New MOVEit Vulnerabilities Found as More Zero-Day Attack Victims Come Forward

Progress Software has released another round of patches for its MOVEit products after researchers discovered new vulnerabilities while analyzing the recent zero-day. The news comes just as more organizations hit by the zero-day attack have come forward.

The zero-day affecting the MOVEit Transfer and Cloud managed file transfer (MFT) software, tracked as CVE-2023-34362 and described as an SQL injection issue, has been exploited to steal data from organizations that have been using the product. The flaw started being widely exploited in late May, but new evidence suggests that cybercriminals have been testing it since as early as 2021. 

The attacks were conducted by a cybercrime group known for the Cl0p ransomware operation. The hackers claim to have hit hundreds of organizations, giving them until June 14 to get in touch in order to prevent data stolen from their systems from getting leaked. 

In a new advisory published on Friday, Progress informed customers that it has released patches for new vulnerabilities discovered by cybersecurity firm Huntress, whose researchers have been monitoring attacks involving exploitation of CVE-2023-34362.

The vendor said the new flaws “could potentially be used by a bad actor to stage an exploit”, but noted that currently there is no evidence that they have been exploited in the wild. Both MOVEit Transfer and MOVEit Cloud products are again impacted.  

Huntress has described its findings as “further attack vectors” discovered during its analysis.

CVE-2023-35036 has been assigned to the new vulnerabilities, which have also been described as SQL injection bugs that can be exploited by an unauthenticated attacker to access MOVEit databases.   

At least 100 organizations have been reportedly hit by attacks exploiting the MOVEit zero-day, but the number of victims could be much higher considering that there are as many as 3,000 internet-exposed systems. 

One of the first victims to come forward was UK-based payroll and HR company Zellis. Several major companies using Zellis services were hit, including the airlines British Airways and Aer Lingus, the BBC, and pharmacy chain Boots. 

The Canadian province of Nova Scotia was also among the first to announce that personal information has been breached as a result of the MOVEit hack. The University of Rochester also disclosed a breach in early June.

The latest victims to come forward are government organizations: the Illinois Department of Innovation & Technology (DoIT) and the Minnesota Department of Education (MDE).

Both organizations became aware of the attacks on May 31 and they both took immediate action to secure their servers. 

“DoIT’s investigation is ongoing and the full extent of this incident is still being determined, but DoIT believes a large number of individuals could be impacted,” DoIT said. 

The Minnesota Education Department has determined that 24 files were accessed by hackers. These files contained the information of roughly 95,000 students placed in foster care, including names, dates of birth and county of placement. 

Dozens of other students also had information exposed, including name, date of birth, address, parent name, high school and college transcript information, and the last four digits of the their social security number. 

“To date there have been no ransom demands nor is MDE aware that the data has been shared or posted online. Additionally, no virus or other malware was uploaded to MDE’s hardware systems,” the organization said. 

The Cl0p ransomware operators claim on their website that they will not attempt to extort money from impacted government organizations, including cities and law enforcement agencies. 

“We erased all your data. You do not need to contact us. We have no interest to expose such information,” the hackers wrote. 

American networking solutions provider Extreme Networks also announced being impacted by the MOVEit attack last week. The company is in the process of determining whether customer information has been compromised.

Related: Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery