Illinois, Missouri latest states to investigate MOVEit incidents

State agencies in Illinois and Missouri said they are investigating potential data breaches related to the exploitation of a vulnerability affecting a popular file transfer product.

Missouri’s Office of Administration, Information Services and Technology Division (OA-ITSD) said on Tuesday evening that it is in the process of investigating what may have been taken by hackers during a cyberattack on the MOVEit system they use to transfer files and information between agencies.

“The State of Missouri quickly identified any associations with the MOVEit system and the Office of Administration immediately launched a thorough investigation to determine the extent of the cyberattack and any agencies and vendors potentially impacted,” the agency said in a statement.

“This investigation is ongoing. Public notice will be made as quickly as possible once entities, individuals, or systems who may have been impacted are identified.”

They noted that the attack is part of a larger campaign from the Clop ransomware group, which told BleepingComputer that they stole data from hundreds of organizations through the vulnerability, tracked by cybersecurity researchers as CVE-2023-34362.

The group later released a public message claiming they deleted all data taken from government agencies, cities or police departments. But since vulnerability emerged, several governments and major companies around the world confirmed that information from their systems was accessed.

Late last week, regulators with the Illinois Department of Innovation & Technology (DoIT) also said they are investigating the impact of a data breach related to MOVEit.

They warned that DoIT “believes a large number of individuals could be impacted.”

"DoIT's Infrastructure and Security teams moved quickly to respond to the attack affecting Illinois' network, evicting the attacker within three hours and verifying that the vulnerability could no longer be exploited in our system,” said DoIT Acting Secretary and State CIO Sanjay Gupta.

“We are working with all relevant authorities and will provide regular updates to the people of Illinois."

DoIT says it disconnected all systems associated with MOVEit on May 31 and hired an incident response team to conduct a forensic analysis of what happened.

With the help of attacker “fingerprints” identified by the Cybersecurity and Infrastructure Security Agency and FBI, Illinois officials were able to begin mapping out the extent of the attack, they said.

The agency did not respond to requests for comment but said it is coordinating with several impacted agencies and will eventually issue a public notice of the incident once the number of victims is confirmed.

The state will set up a call center for victims that have questions.

The government of Nova Scotia and the University of Rochester were the first victims to be identified in North America while organizations like Britain’s communications regulator Ofcom, the BBC, British Airways, Irish carrier Aer Lingus and Boots similarly disclosed data theft.

Minnesota’s Department of Education announced a wide-ranging breach involving the data of hundreds of thousands of students.

Security company Censys said they examined organizations exposed to the internet who use MOVEit Transfer and found that 31% of the hosts running MOVEit are in the financial services industry, 16% in healthcare, 9% in information technology, and 8% in government and military.

Nearly 30% of the companies they observed have over 10,000 employees, indicating that the service is used in a variety of large organizations – the vast majority of which are based in the United States.

Zach Hanley, chief attack engineer at cybersecurity firm Horizon3.ai, said proof of concept code for the exploitation of the vulnerability offered hackers “cleartext credentials for the provisioned sysadmin account, database credentials, and the service credential.”

“All great targets for lateral movement,” he said.

The company behind the MOVEit file transfer product – Progress – announced a second vulnerability within its software on Friday. The vulnerabilities discovered in the MOVEit software were patched by May 31 and June 9.