A critical flaw in Progress Software’s MOVEit Transfer product has led to a series of data breaches, with state governments in Illinois, Minnesota, and Missouri among the growing list of affected organizations. On May 31, Progress Software released a patch for an SQL injection bug in its managed file transfer (MFT) software MOVEit Transfer, tracked as CVE-2023-34362. However, security vendors quickly reported that the critical bug was already being actively exploited by cybercriminals.
Since the disclosure of the vulnerability, numerous organizations have come forward with data breach disclosures. The government of Nova Scotia, Canada, HR software provider Zellis, the BBC, British Airways, and British retailer Boots were among the early victims of the MOVEit flaw. Other organizations such as U.K. broadcast regulator Ofcom, networking vendor Extreme Networks, and multinational accounting firm Ernst and Young also disclosed compromises as a result of the vulnerability. The BBC received confirmation of the data breach from Ernst and Young.
In early June, Microsoft attributed the attacks to a threat actor called “Lace Tempest,” which it linked to the Clop ransomware gang. Clop took responsibility for a campaign against MOVEit customers on its data leak site and threatened to disclose the names of victims if they did not contact the gang by June 14. The gang also claimed that it would erase data belonging to government agencies, city services, and police departments, stating that it had no interest in exposing such information. However, more government entities have recently come forward with MOVEit Transfer-related data breach disclosures.
The Minnesota Department of Education (MDE) announced on Friday that it had suffered a data breach as part of a global cyber-security attack targeting the MOVEit software. The breach occurred when files on a MOVEit server were accessed by an unauthorized external entity. The stolen data included files from two school districts and Hennepin Technical College, containing information about foster care students, students qualifying for Pandemic Electronic Benefits Transfer (P-EBT), students taking PSEO classes at Hennepin Technical College, and students using a particular Minneapolis Public Schools bus route.
Similarly, the Illinois Department of Innovation and Technology (DoIT) confirmed on Friday that it was investigating an attack affecting Illinois’ network. The DoIT’s Infrastructure and Security teams responded promptly to the attack and evicted the attacker within three hours. The department is working with relevant authorities to provide regular updates to the people of Illinois. The State of Missouri’s Office of Administration, Information Services and Technology Division (OA-ITSD) also announced that it was investigating the potential impact of a MOVEit-centric cyber attack.
Emsisoft threat analyst Brett Callow warned that regardless of whether Clop was responsible for these data breaches, public sector bodies should not assume that their data will be deleted. According to Callow, Clop may sell the data, trade it, or use it for phishing. The reason behind Clop’s decision not to extort these bodies remains unclear, but it could be due to having too many victims to handle, avoiding attention from law enforcement, or other factors.
As organizations continue to address the repercussions of the MOVEit Transfer vulnerability, security measures and incident response protocols are being reviewed and strengthened to prevent future breaches. The importance of promptly applying software patches and implementing robust cybersecurity practices is once again underscored by these incidents.
