Third MOVEit vulnerability raises alarms as US Agriculture Department says it may be impacted
A third vulnerability affecting the popular MOVEit file transfer tool is causing alarm among U.S. officials and cybersecurity researchers after it was revealed that several government agencies were affected by a hack exploiting the first bug.
Progress Software, the company behind MOVEit, told Recorded Future News that an “independent source” disclosed the new vulnerability.
Tracked as CVE-2023-35708, the bug could allow attackers to escalate privileges and potentially gain unauthorized access to a victim’s environment.
“At this time, we have not seen indications that this new vulnerability has been exploited. We have developed a patch to address this issue and are communicating with customers on the steps they need to take to further harden their environments,” a MOVEit spokesperson said, adding that they have been coordinating with federal law enforcement and other agencies.
In its advisory, Progress warned that it is “extremely important” that all MOVEit customers take immediate action to address the issue.
The company notes that customers must first apply the fixes for the two earlier vulnerabilities before applying the latest patch.
The Cybersecurity and Infrastructure Security Agency (CISA) also urged organizations to review Progress’ advisory about the bug.
Huntress senior security researcher John Hammond, who was involved in the disclosure of the second MOVEit vulnerability, said a researcher who goes by MCKSys Argentina on Twitter discovered the third issue while examining the previous findings.
The researcher found that the latest patch was still vulnerable to other attack methods, which led to the discovery of a third zero-day vulnerability.
Hammond explained that the exploit chain used by the Clop ransomware group involved three separate steps, but the newest vulnerability would allow an attacker to shorten that chain to just two.
“The best recommendation to users is to continue to patch, and Progress advises shutting off the HTTP component entirely,” he said.
He noted that the MOVEit Transfer application can be attacked in multiple ways, so the fact that more issues are being discovered is “unsurprising.”
“While more and more security researchers scrutinize this software to find more bugs, we might continue to see more bypass techniques. Progress is aware and we are working closely together for them to help modernize and secure this legacy code base,” he added.
A growing victim list
The initial vulnerabilities in the software have created a maelstrom of incidents, with dozens of entities reporting data breaches. On Thursday, CISA revealed that “several” federal agencies were impacted by MOVEit-related cyberattacks. The Department of Energy confirmed that two entities under its umbrella were affected.
A spokesperson for the Department of Agriculture told Recorded Future News on Friday that it may have been hit by Clop, which has posted batches of victims over the last week but claimed to have deleted all government-related data. The USDA's breach investigation has not been previously reported.
"USDA is aware of a possible data breach with a vendor that may impact a very small number of employees, and any employees whose data may have been affected will be contacted and provided support,” the spokesperson said.
Spokespeople for the Departments of Labor, Education and Interior said they were not affected, while both the State Department and Defense Department declined to comment. Several other agencies did not respond to requests for comment.
House Energy and Commerce Chair Cathy McMorris Rodgers (R-Wash.) and Committee Ranking Member Frank Pallone (D-N.J.) have asked for a briefing about the issue from the White House and the Department of Energy.
Multiple state-level organizations have also announced breaches connected to the MOVEit vulnerabilities, with agencies in Illinois, Missouri and Minnesota saying they are investigating potential data breaches related to MOVEit affecting thousands of people.
This week, motor vehicle departments in both Oregon and Louisiana confirmed that they were also affected by the attacks.
In a statement, the state of Louisiana said that all Louisianans with a state-issued driver’s license, ID, or car registration have “likely” had names, Social Security numbers, dates of birth, physical attributes, driver’s license numbers and vehicle registration information accessed.
Oregon’s Department of Transportation confirmed that the personal information of approximately 3.5 million holders of Oregon IDs or driver’s licenses was affected by the breach.
“Our analysis identified multiple files shared via MOVEit Transfer that were accessed by unauthorized actors before we received the security alert,” the department said.
“We do not have the ability to identify if any specific individual’s data has been breached. Individuals who have an active Oregon ID or driver’s license should assume information related to that ID is part of this breach.”
Emsisoft ransomware expert Brett Callow said there are now 63 victims who have either been named by Clop or have come forward to announce breaches.
“While we don’t yet know how many organizations have been affected or who those organizations are, this may well turn out to be one of the most wide-ranging and significant breaches of recent years,” he said.
“Companies that provide credit monitoring services are likely rubbing their hands together in gleeful anticipation. Unless, that is, they’ve been impacted too.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.