University of Rochester, Nova Scotia first known MOVEit victims in North America
The government of Nova Scotia and the University of Rochester are the first organizations in North America to confirm data theft as a result of the exploitation of a new vulnerability affecting popular file transfer tool MOVEit.
On Sunday, the government of Nova Scotia, a small province in eastern Canada, warned that the personal information of some residents was accessed “as part of a global security issue with a file transfer service called MOVEit.”
Officials are still in the process of determining what information was stolen and how many people are affected.
“Nova Scotians will have questions, and we do, too. Our staff are working hard to figure that out now,” said Cyber Security and Digital Solutions Minister Colton LeBlanc. “I know this will make some people anxious, at a time when no one needs more anxiety. We will share more information with Nova Scotians as soon as we can.”
The province said it was informed of the issue on June 1 by Progress, the company that runs MOVEit. Officials immediately took the system offline and installed a security update but “became aware that further investigation was needed” the following day.
Officials said they use the file transfer system to share information more efficiently among government agencies. Residents of the province will be contacted directly if their information was involved.
The University of Rochester published its own statement on June 2 saying it is in the process of investigating a cybersecurity incident that “resulted from a software vulnerability in a product provided by a third-party file transfer company.”
The university said the vulnerability has impacted “approximately 2,500 organizations worldwide” but it is unclear whether they pulled that figure from news reports or were told that by the company itself.
“The University takes your privacy and the safeguarding of our data and systems extremely seriously and our University IT staff is working closely with the FBI and an outside data forensic firm to determine what information was compromised and what possible actions need to be taken,” the New York school of more than 12,000 students said.
“At this time, we believe faculty, staff, and students could be impacted, but we do not yet know the full scope of the impact to University community members or which personal data was accessed, as the investigation is ongoing.”
They urged everyone to change passwords, use multifactor authentication and check credit cards for any suspicious activity.
Since the vulnerability was discovered last week, a stream of companies have announced data breaches, including the BBC, British Airways and the Irish carrier Aer Lingus. They confirmed that the personal data of their staff was exposed to hackers following a cyber incident impacting their payroll provider Zellis.
The attack on Zellis involved the exploitation of the MOVEit zero-day, which is being tracked as CVE-2023-34362.
In comments to BleepingComputer and Reuters yesterday, the Clop ransomware gang confirmed Microsoft's assessment that they were behind exploitation of the vulnerability.
The group has made a point of going after popular file transfer tools in the past, targeting vulnerabilities in Fortra’s GoAnywhere product and Accellion’s File Transfer Appliance.
Recorded Future ransomware expert Allan Liska said that if Clop’s handling of the MOVEit situation resembles the GoAnywhere attacks, they “likely aren't trying to encrypt any systems on the victim's network.”
“Instead, this is probably a ‘steal and extort’ attack,” he said.
“While they are probably still sorting through the data to compile a full list of victims, there will also be a delay in posting victims to their extortion site, just as there was with the GoAnywhere attack, as they attempt to negotiate a payment.”
In a statement to Recorded Future News, a MOVEit spokesperson said the company promptly launched an investigation after the vulnerability was discovered and alerted customers immediately.
The company says it “disabled web access to MOVEit Cloud to protect our Cloud customers, developed a security patch to address the vulnerability, made it available to our MOVEit Transfer customers, and patched and re-enabled MOVEit Cloud, all within 48 hours.”
“We have also implemented a series of third-party validations to ensure the patch has corrected the exploit,” the spokesperson said.
“We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies with respect to the vulnerability.”
Cybersecurity expert Kevin Beaumont and several other researchers have warned that dozens of state and federal agencies in the U.S. use MOVEit, potentially exposing troves of sensitive documents.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.