Almost four months after the MOVEit Transfer flaw was uncovered, companies are still unearthing details about data that was compromised in the ensuing exploits, painting a more complete picture of the bug’s impact.
Last week, a U.S. educational nonprofit for North American colleges, National Student Clearinghouse, said that its previously disclosed breach stemming from the MOVEit Transfer flaw had led to the compromise of student record information at almost 900 schools in its database. Meanwhile, a Canadian healthcare organization called the Better Outcomes Registry & Network (BORN) Ontario this month announced the results of an investigation into its MOVEit-related breach, which showed that the personal health information of 3.4 million newborns and pregnancy patients had been compromised. And, while compliance firm Sovos first disclosed in July that the data from several of its customers was breached via the MOVEit Transfer flaw, a data breach disclosure from last week showed the company was still discovering additional victims.
A looming layer of complexity in the MOVEit Transfer saga has been that attacks on companies that actually use Progress Software’s MOVEit managed file transfer software may also impact data related to their downstream customers, partners and other third-party organizations. For instance, the Hospital for Sick Children, a healthcare provider in Canada, said on Monday that it was impacted by BORN Ontario’s MOVEit-related data breach because it shares patients’ personal health data with BORN.
“It’s easy to see that multiple victims have been affected only because they rely on a third-party provider that uses MOVEit Transfer - not strictly using the software themselves,” said John Hammond, senior security researcher with Huntress. “This is a sort of trickle-down effect, like a set of falling dominoes, as you would expect in a supply chain attack. This effect can come from simply having data used in other locations, or software integrations or connected applications that bridge technologies. Any technical way that organizations rely on another could be used and abused by threat actors.”
While Progress Software disclosed the flaw and issued a patch on May 31, the full impact of the flaw is still being mapped out. Antivirus company Emsisoft scoured data sourced from state breach notifications, SEC filings and public disclosures and found that since Progress Software first disclosed the vulnerability in May, 2,120 organizations have been impacted by MOVEit Transfer-related attacks - resulting in the data of over 62 million individuals being compromised (as of Sept. 27). Making matters worse, out of the 2,120 affected organizations, only 188 actually issued disclosures that specified how many individuals were impacted - so the total number of impacted individuals may be higher.
“It’s having a cascading impact, and some of these incidents are three or four levels deep, with organizations being compromised because they contracted with a vendor or supplier,” said Brett Callow, threat analyst with Emsisoft. “I’m sure organizations have been impacted that don’t know yet simply because the news hasn’t gone down the channel.”
While zero-day vulnerabilities typically make headlines when they are first disclosed, they have lasting long-term impacts in the ensuing weeks, months and years, as threat actors continue to target unpatched instances. In fact, an August report from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) found that the majority of the flaws that attackers routinely exploited over the last year were disclosed in 2021 or earlier, including the Log4Shell flaw from 2021, the ProxyShell bugs in Exchange from 2021 and a Fortinet SSL VPN bug from 2018.
For MOVEit, many of the attacks occurred during an initial rampage on vulnerable MOVEit Transfer servers by the threat actors linked to the Clop ransomware. Some researchers said that they first saw this exploit activity on May 27, while others saw scanning for the MOVEit Transfer logging page as early as March 3 (months before the bug became public on May 31). While victim disclosures are still steadily continuing, many disclosures are stemming from this initial surge. For instance, though it only recently disclosed details on the impact of its breach, National Student Clearinghouse first learned on June 20 that the unauthorized actor had accessed files on May 30.
“It’s still very successful [for threat actors] as far as we know, it’s having a continued impact on a variety of industries and we’re nowhere near to seeing the total impact of that,” said Glenn Thorpe, senior director of Security Research and Detection Engineering with GreyNoise. “We know MOVEit is not over yet - actors haven’t moved away from it and it hasn’t stopped being fruitful for them.”
The obvious lesson here, both with the MOVEit Transfer bug and with other actively exploited flaws, is to patch vulnerabilities that are serious or under active exploitation as soon as possible. In a new survey looking at the top exploited vulnerabilities of this year, Qualys researchers calculated that the flaw had a mean time to remediate (MTTR) of seven days. This data point, which shows the average time taken to address the vulnerability after detection, is low in comparison to other vulnerabilities like the PaperCut NG/MF bug (CVE-2023-27350), which had an MTTR of 23 days, and the Fortra GoAnywhere MFT remote code execution flaw (CVE-2023-0669), which had an MTTR of 31 days. However, Qualys researchers found that the flaw had a patch rate of just over 51 percent, showing that many systems are still exposed.
Beyond patching, however, part of the complexity of the MOVEit bug is that many of the impacted organizations don’t use the software themselves, but instead are part of this “trickle-down” data breach effect. These impacted organizations and individuals should be on alert for phishing emails that may use their stolen data or fraud-related attacks.
“During the early days of June, while our industry was first chasing indicators of compromise and looking for signs of exploitation, this certainly widened the pool of potential victims,” said Hammond. “Unfortunately, not all organizations might even be aware that they have this vulnerable software as a part of their (indirect) tech stack from another supplier upstream.”
Overall, flaws like the ones in MOVEit Transfer highlight a need for better security practices from manufacturers themselves, particularly for those behind file transfer services that handle a rich bank of data that’s attractive to cybercriminals. The MOVEit bug has left questions about software liability in its wake, and several lawsuits have cropped up over the past months - including ones against Progress Software itself, but also several against companies using the MOVEit Transfer platform.
“The CVE-2023-34362 flaw in MOVEit Transfer signals potential long-term shifts in cybersecurity,” said Saeed Abbasi, manager of vulnerability and threat research at Qualys. “Much like the repercussions from Heartbleed on open-source security, this vulnerability highlights the imperative for strengthened secure development practices. It's a definite call for organizations to intensify their vulnerability assessments, engage in rigorous penetration testing, transition towards zero-trust models, and accelerate a surge in cybersecurity investment. Such high-profile vulnerabilities can spur re-evaluations of vendor trust and catalyze stricter regulatory oversight.”