Ofcom and Minnesota confirmed as breach victims as Progress patches additional MOVEit bug
List of Clop gang's victims grows as new flaws are patched and a PoC exploit is released by researchers
UK telecoms regulator Ofcom and the Minnesota Department of Education in the US are the latest organisations to confirm data breaches as a result of the MOVEit vulnerability.
The news comes as a proof-of-concept (PoC) exploit has been developed for the SQL injection flaw (CVE-2023-34362) and as further vulnerabilities have been discovered in Progress Software's file transfer application.
In a brief statement Ofcom said: "A limited amount of information about certain companies we regulate - some of it confidential - along with personal data of 412 Ofcom employees, was downloaded during the attack."
It added that it had taken "immediate action" to implement security measures and block further use of MOVEit, and that it contacted the companies affected and the authorities.
The Minnesota Department of Education (MDE) said it had received a notification from Progress Software about the CVE-2023-34362 vulnerability on 31st May, coinciding with the release of a patch. On the same day, an external entity accessed 24 files on a MOVEit server belonging to the department.
The files included information from the Minnesota Department of Human Services, from two school districts and from a technical college. Data included the names, dates of birth, and placement details of around 95,000 students in foster care, plus information about eligibility for pandemic-related benefits and further education options.
MDE said no financial information was accessed, and added that it has not received any ransom demands or detected the data being shared or posted online. The breach was reported to the relevant authorities.
Clop, the Russian gang behind the attacks, claims it has stolen data from hundreds of organisations via the MOVEit bug. Confirmed victims of the ransomware group include the BBC, BA, Boots, Aer Lingus, the Government of Nova Scotia in Canada, the University of Rochester in New York, and Zellis, the HR software provider through which many of the subsequent attacks were launched.
The gang has threatened to start publishing information from its victims if payment is not forthcoming by tomorrow, 14th June.
PoC exploit released by Horizon3
Horizon3 security researchers last week published a PoC remote code execution exploit for the SQL injection bug CVE-2023-34362, which was patched by Progress Software on 31st May.
In a blog post the researchers explain how the attack works, and the indications of compromise that defenders should look for.
Of course, while it produces valuable information, making a PoC exploit public carries the risk of other groups adopting it to attack unpatched MOVEit users.
New MOVEit bugs discovered
Meanwhile, Progress Software has released updates to mitigate additional MOVEit SQL injection vulnerabilities, collectively tagged CVE-2023-35036.
"Multiple SQL injection vulnerabilities have been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorised access to the MOVEit Transfer database," the company said in an advisory.
"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.
"All versions of MOVEit Transfer are affected by this vulnerability."
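The advisory describes the bug class in general terms only: untrusted input reaching a database query lets an unauthenticated caller read or alter data. The following is an added illustration of that class, not code from MOVEit or from Progress Software; the `files` table, the `owner` column and the function names are assumptions invented for the example, and the in-memory SQLite database is constructed sample data. It places a string-concatenated query next to its parameterised counterpart so the difference the advisory hints at can be seen on real input.

```python
import sqlite3

# Constructed sample database: a made-up "files" table standing in for
# whatever a file-transfer application actually stores. Not MOVEit's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [("alice", "payroll.csv"), ("bob", "notes.txt"), ("carol", "contract.pdf")],
    )
    return conn

def list_files_vulnerable(conn, owner):
    # The injection pattern: request-controlled text is pasted into the SQL
    # statement, so the caller can close the quote and rewrite the WHERE clause.
    query = f"SELECT name FROM files WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(query)]

def list_files_hardened(conn, owner):
    # The fix: the value is bound as a parameter and never parsed as SQL, so
    # quotes or keywords in it are just characters compared against the column.
    rows = conn.execute("SELECT name FROM files WHERE owner = ?", (owner,))
    return [row[0] for row in rows]

def compare(owner):
    # Run the same untrusted value through both versions and report what each
    # returns, so the effect of parameterisation is visible side by side.
    conn = build_db()
    return {
        "vulnerable": list_files_vulnerable(conn, owner),
        "hardened": list_files_hardened(conn, owner),
    }

if __name__ == "__main__":
    # A legitimate lookup behaves identically in both versions.
    print(compare("alice"))
    # A crafted value turns the vulnerable query into "owner = 'x' OR '1'='1'",
    # disclosing every row; the hardened query simply finds no such owner.
    print(compare("x' OR '1'='1"))
```

The second call is the whole lesson: the vulnerable function returns all three rows for a value that matches nobody, while the hardened one returns an empty list. An application review that looks for query text built by concatenation or formatting, rather than for specific attacker strings, finds this class of defect before anyone needs a proof of concept.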
MOVEit users are advised to first patch the original vulnerability CVE-2023-34362 and then the new ones, for which a patch was made available on 9th June, as a matter of urgency.