The federal government issues a strong warning about three recently discovered vulnerabilities in the popular MOVEit file transfer software. These vulnerabilities have played a central role in numerous breaches over the past month, leading to significant concerns about data security. The Cybersecurity and Infrastructure Security Agency (CISA) has urged users to take immediate action by reviewing the software’s patches and applying the necessary updates for enhanced security.
Vulnerabilities Uncovered
The MOVEit Transfer software, developed by Progress Software, has recently been found to contain three critical vulnerabilities labeled CVE-2023-36932, CVE-2023-36933, and CVE-2023-36934.
These vulnerabilities, as identified by the Cybersecurity and Infrastructure Security Agency, pose a significant risk of exploitation by cyber threat actors seeking to obtain sensitive information. In particular, CVE-2023-36934, discovered by Guy Lederfein from Trend Micro’s Zero Day Initiative, is classified as a critical vulnerability that allows attackers to gain unauthorized access to or modify the MOVEit database.
Impact and Consequences
The other two vulnerabilities, categorized as high severity, also pose serious risks. They can result in unauthorized access to MOVEit database content or complete software shutdown. These latest vulnerabilities add to the growing list of security issues faced by the MOVEit software since the initial breach in May. Notably, the Clop ransomware group has been targeting victims, with numerous universities, businesses, and government agencies falling victim to the exploits.
Escalation of Victims
The Clop ransomware group has been systematically announcing new victims each week, leading to an alarming increase in the number of affected organizations. Currently, over 230 victims have been identified, including 20 U.S. schools and more than 17.5 million individuals whose information has been compromised. The impact has been particularly severe on entities such as PBI Research Services, the National Student Clearinghouse (NSC), and the Teachers Insurance and Annuity Association of America (TIAA), which act as centralized authorities for information exchange.
Consequences for Educational Institutions
Numerous universities worldwide have reported potential data breaches related to information shared with the NSC and TIAA. These institutions are required by the U.S. Department of Education to utilize the MOVEit software for transmitting information to the NSC, which further shares it with the National Student Loan Data System (NSLDS). Consequently, personally identifiable information, including Social Security numbers and dates of birth, has been compromised.
Fallout for TIAA and PBI Research Services
While several universities initially attributed their exposure to the MOVEit vulnerability to TIAA, it was clarified that TIAA was affected through its association with a third-party vendor called PBI Research Services. This vendor, widely used for death auditing and beneficiary location services, has also been implicated in data breaches affecting massive state pension funds such as California’s Public Employees’ Retirement System (CalPERS). TIAA reassured customers that no information was obtained from its systems and that affected individuals would receive free credit monitoring.
Legal Action and Accountability
Progress Software and PBI Research Services are now facing a class action lawsuit in Massachusetts, accused of failing to adequately secure personally identifiable information. Schools such as the University of Illinois, Chapman University, and Pace University, among others, have been directly affected, with sensitive data such as names and Social Security numbers exposed. The impact of the breach extends beyond the education sector, as multiple banks and large corporations have also confirmed security breaches related to the MOVEit software.
Ransom Payments and Ongoing Investigation
It remains uncertain how many victims have paid the ransom demanded by the Clop ransomware group. While some companies have denied being affected, incident responders have reported that some victims did pay the ransom. The removal of victims from Clop’s leak site does not necessarily indicate ransom payment, as the group has made mistakes in the past. Nonetheless, the profitability of the MOVEit incident for the ransomware group is not solely dependent on a high conversion rate.
Conclusion
The discovery of new vulnerabilities in the MOVEit file transfer software has raised significant concerns about data security, resulting in a surge in cyberattacks and compromised information. Urgent action is required by users to apply the patches provided by Progress Software to mitigate the risks associated with these vulnerabilities. Organizations must remain vigilant, implement comprehensive security measures, and take proactive steps to safeguard sensitive information.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.
