MOVEit announces second vulnerability; Minnesota schools agency breached with original bug
The company behind the popular MOVEit file transfer product has announced a second vulnerability within its software as more entities come forward to announce breaches stemming from the program’s issues.
On Friday, the software company Progress said that since the discovery of the first vulnerability, CVE-2023-34362, the cybersecurity firm Huntress has been doing code reviews of the MOVEit product and has discovered a new issue. The company released a patch for the bug on Friday, imploring MOVEit Transfer customers to apply it.
“These newly discovered vulnerabilities are distinct from the previously reported vulnerability shared on May 31, 2023,” they wrote.
“The investigation is ongoing, but currently, we have not seen indications that these newly discovered vulnerabilities have been exploited.”
The advisory warned that the new vulnerability could allow a hacker to gain unauthorized access to the MOVEit Transfer database, which “could result in modification and disclosure of MOVEit database content.”
All versions of the software are affected by the vulnerability, which does not yet have a CVE classification.
Minnesota’s Department of Education announces breach
Also on Friday, the Minnesota Department of Education (MDE) announced that one of its data servers was exploited due to the initial vulnerability affecting the MOVEit software. Since the bug was discovered, concern about its exploitation has grown considering its popularity among government agencies and large companies.
A stream of companies has announced data breaches, including the BBC, British Airways, Irish carrier Aer Lingus and Boots.
The agency said that 24 files belonging to the department were accessed on May 31, and that it immediately began an investigation into what happened.
“These files included data transferred to MDE from the Minnesota Department of Human Services (DHS) to meet state and federal reporting requirements, as well as files from two school districts (Minneapolis and Perham), and Hennepin Technical College,” they wrote.
In total, the files contained information about 95,000 students placed in foster care throughout the state, 124 students in the Perham School District who qualified for food assistance programs, 29 students who were taking classes for college credit at Hennepin Technical College in Minneapolis and five students who took a particular Minneapolis Public Schools bus route.
The files related to foster children included demographic information like names, dates of birth and their county of placement. The information was in the MOVEit software because it was transferred from the education agency to the Minnesota Department of Human Services.
MDE claimed it “does not have contact information for these individuals” and did not respond to requests for comment.
The other files included demographic data such as names, dates of birth, home address and guardian names, as well as high school or college transcripts and the last four digits of students’ Social Security numbers.
MDE noted that it has not received a ransom demand and has not seen evidence that the stolen information was posted online.
“Additionally, no virus or other malware was uploaded to MDE’s hardware systems,” the department said, noting that the FBI and law enforcement agencies in Minnesota have been contacted.
MDE urged victims who may have been impacted to monitor credit reports.
The news comes on the heels of several ransomware incidents affecting Minnesota’s schools that leaked troves of sensitive information about students in the state. Education news outlet The 74 reported that the sample of data leaked from an attack on Minneapolis Public Schools included records related to “student sexual violence allegations, district finances, student discipline, special education, civil rights investigations, student maltreatment and sex offender notifications.”
The MOVEit vulnerability has resulted in a stream of affected companies and organizations announcing breaches. The breaches affecting BBC, Boots and Aer Lingus were all linked to a cyber incident impacting their payroll provider Zellis.
The Nova Scotia government and the University of Rochester, meanwhile, were the first victims to be identified in North America.
Clop, which Microsoft warned on Sunday was behind the attempts to exploit MOVEit, published an extortion note on Wednesday morning claiming that “hundreds” of businesses were affected and warning that these victims needed to contact the gang or they would be named on the group’s extortion site.
The gang’s post had an initial deadline of June 12, after which the criminals said “we will post your name on this page,” although the date was later pushed back to June 14. The reason for the delay was not given, although as noted by the BBC’s Joe Tidy, June 12 is a national holiday in the Russian Federation.
Huntress Senior Security Researcher John Hammond told Recorded Future News that Clop is asking for the victims to self-report to them “either because (a) they are overwhelmed with the number of victims, (2) they are capitalizing on the buzz to make money, (3) perhaps even other ransomware gangs are posing as cl0p trying to get a cut.”
“Considering Clop’s past involvement (alleged GoAnywhere MFT attacks) and their style and approach of extortion without encryption, that makes sense in my mind, but can't know for certain,” he said.
The U.S. Cybersecurity and Infrastructure Security Agency issued an advisory on Wednesday regarding Clop's campaign to exploit the MOVEit service, warning the gang had historically “compromised more than 3,000 U.S.-based organizations and 8,000 global organizations.”
Clop told BleepingComputer that it compromised “hundreds” of companies through the vulnerability. But in its public note to victims, the gang said it has deleted all data taken from government agencies, cities or police departments.
Censys observed a drop in the number of hosts running exposed MOVEit Transfer instances from over 3,000 last week to just over 2,600 this week, “indicating that some are potentially being taken offline,” they said.
Security researchers from consulting firm Kroll said on Thursday that their forensic reviews have shown that “the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.