CyberSecurity SEE

MoveIt Transfer flaw exploited to breach U.S. government agencies

A critical vulnerability in Progress Software’s MoveIt Transfer software has led to several U.S. government agencies being breached, according to the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday. The flaw, known as CVE-2023-34362, is a SQL injection bug that affects Progress’ managed file transfer software.

The vulnerability was first disclosed on May 31, and since then, numerous organizations, both private and governmental, have reported data breaches resulting from the exploitation of this vulnerability. Victims of these breaches include U.K. HR software provider Zellis, the government of Nova Scotia, and multiple U.S. state governments.

The primary threat actor behind the exploitation of this vulnerability has been identified by Microsoft as “Lace Tempest”. Lace Tempest is associated with the Clop ransomware gang, which has claimed responsibility for the attacks on its ransomware leak site. Reports suggest that the gang has been launching opportunistic attacks against a wide range of enterprises using the flaw. The group has also threatened to erase data from government agencies, city services, and police departments. However, cybersecurity experts have advised against taking these cybercriminals at their word.

During a press call on Thursday, CISA Director Jen Easterly confirmed that “several federal agencies” have experienced intrusions through their MoveIt Transfer instances, and that CISA is currently providing support to these agencies. Easterly stated that although CISA is urgently addressing the breaches and assessing their impact on U.S. organizations, it has not observed any significant impact on the federal civilian executive branch enterprise. The threat activity related to the vulnerability has predominantly been opportunistic.

Easterly emphasized that the attackers are only stealing information stored on the file transfer application at the time of the intrusion. Discussions with industry partners in the Joint Cyber Defense Collaborative indicate that these intrusions are not being used to gain broader access to or persistence in targeted systems, nor are they specifically targeting high-value information. Thus, the attack appears to be largely opportunistic in nature.

Regarding the data stolen from U.S. government agencies, Easterly stated that CISA is not aware of Clop actors threatening to extort or release any stolen data. While CISA remains concerned about the campaign, it does not believe the campaign presents a systemic risk to U.S. national security or the nation’s networks.

During the press call’s Q&A session, multiple reporters inquired about the stolen federal network data and the affected U.S. federal organizations. However, a senior CISA official declined to provide further details, including conclusively linking the activity against the U.S. government to the Clop gang.

In response to the situation, a spokesperson for MoveIt Transfer expressed their focus on supporting customers and helping them secure their environments by applying the patches that have been released. The company is actively working with cybersecurity experts to investigate the issue and take appropriate response measures. MoveIt Transfer has engaged with federal law enforcement and other agencies and is committed to playing a leading role in the industry-wide effort to combat increasingly sophisticated cybercriminals who exploit vulnerabilities in widely used software products.

In addition to the existing vulnerability, Progress Software disclosed a new critical vulnerability in MoveIt Transfer on Thursday. Tracked as CVE-2023-35708, this flaw is a privilege escalation vulnerability. While technical details about the vulnerability are scarce, Progress has stated that patches are available now.

The exploitation of the CVE-2023-34362 vulnerability has led to significant data breaches affecting multiple organizations, including government agencies. The situation remains a cause for concern, and efforts are underway to address and mitigate the risks associated with the vulnerability.
