Three new MOVEit bugs spur CISA warning as more victims report breaches
The federal government warned on Friday that three new vulnerabilities have been discovered in the MOVEit file transfer software — a tool that has been at the center of hundreds of breaches announced over the last month.
The Cybersecurity and Infrastructure Security Agency reported that Progress Software, the company behind MOVEit Transfer, released a new package of patches to resolve the three bugs, labeled CVE-2023-36932, CVE-2023-36933 and CVE-2023-36934.
“A cyber threat actor could exploit some of these vulnerabilities to obtain sensitive information. CISA encourages users to review Progress Software’s MOVEit Transfer article and apply product updates as applicable for security improvements,” CISA said.
The advisory from Progress Software said CVE-2023-36934, discovered by Guy Lederfein from Trend Micro’s Zero Day Initiative, is a critical vulnerability that could allow an attacker to access or modify MOVEit database content.
The other two vulnerabilities discovered are high severity and could result in either the access of MOVEit database content or the complete shutdown of the software.
These latest issues are the fourth, fifth and sixth problems found in the software since the fiasco began at the end of May. In June, Progress Software announced two additional vulnerabilities alongside the initial bug that was exploited by the Clop ransomware gang.
An avalanche of new victims
The Clop ransomware group has slowly announced batches of new victims each week, with dozens of universities, businesses and government agencies also coming forward to confirm that they were exploited through the MOVEit software.
Brett Callow, a threat analyst for Emsisoft who has been tracking the situation, said the number of reported victims has now reached at least 230, with at least 20 U.S. schools and the information of more than 17.5 million people affected.
Attacks on PBI Research Services, the National Student Clearinghouse (NSC) and the Teachers Insurance and Annuity Association of America (TIAA) have had a cascading effect due to their role as centralized authorities that dozens of businesses and schools have to send information to.
Dozens of universities around the world told their student bodies and employees about potential data breaches related to information given to NSC and TIAA.
NSC — which provides educational reporting, verification, and research services to nearly every North American college and university — said it notified law enforcement after discovering hackers “obtained certain files transferred through the clearinghouse’s MOVEit environment, including files containing data that we maintain on behalf of some of our customers.”
Several schools said the U.S. Department of Education requires 3,600 colleges and universities nationwide to use the tool to share information with the NSC, which provides this data to the National Student Loan Data System (NSLDS) on behalf of the schools. Shared information includes personally identifiable information such as Social Security numbers and dates of birth.
TIAA provides financial services to more than 5 million active and retired employees from over 15,000 institutions. The company has $1 trillion in combined assets under management.
Several universities initially attributed their exposure to the MOVEit fiasco to TIAA. But in statements to Recorded Future News, a TIAA spokesperson said it was affected by the MOVEit vulnerability through its ties to a third-party vendor called PBI Research Services.
PBI Research Services is one of the biggest vendors for death auditing and beneficiary location services for companies in many industries. In addition to TIAA, several massive state pension funds, including the largest public pension fund in the U.S. – California’s Public Employees' Retirement System (CalPERS) – have also announced data breaches because of their ties to PBI Research Services.
“No information was obtained from TIAA’s systems and TIAA systems were not at risk from the MOVEit Transfer vulnerability. We have not observed any related unusual activity from this event involving TIAA accounts,” a spokesperson said when asked about schools attributing data breaches to them.
“We continuously monitor all individuals’ accounts for unusual activity through our multi-layered controls. Customer data security is a top priority, and we are taking this incident very seriously. Through PBI, affected individuals will be offered free credit monitoring for two years at no cost to them.”
PBI Research Services has not responded to requests for comment but confirmed in a statement that it was attacked by Clop through the MOVEit software.
A class action lawsuit was filed in Massachusetts last week against both Progress Software and PBI for their “failure to properly secure and safeguard personally identifiable information.”
The schools affected include: the University of Illinois, Chapman University, Utah Tech University, Lake Sumter State College, Rensselaer Polytechnic Institute, Southern Utah University, Webster University, Wooster College, Trinity College, St. Mary’s University, Pace University, Middlebury College, Madison College, the University of Dayton and more.
Multiple schools — including Trinity, Webster and Chapman — had data accessed through both NSC and TIAA. Those affected by the TIAA/PBI breach had their names, Social Security numbers and more leaked.
Finance and other industries
Multiple banks and large corporations also have come forward in recent days to confirm that their information was accessed by the ransomware group.
Oil and gas giant Shell, which confirmed to Recorded Future News that it was exploited two weeks ago, released a follow-up message on Friday explaining that employees of its BG Group were the ones affected.
The corporation provided assistance phone numbers for employees in Malaysia, Singapore, the Philippines, the U.K., Canada, Australia, Oman, Indonesia, Kazakhstan, the Netherlands and South Africa.
Clicks — one of the biggest retailers in South Africa with more than 650 stores in the region — also confirmed to Recorded Future News that it was a victim of a MOVEit hack.
“On becoming aware of this cyber incident, we immediately invoked our standby cyber and IT protection protocols, deployed a security patch, and contained the situation. Investigation determined that personal information relating to 0.05% of our pharmacy customers was affected,” a spokesperson said.
“This has been reported to the regulator. We continue to monitor the situation and are in the process of contacting customers whose data has been accessed to advise them of the incident and offer them appropriate advice and support.”
Banks also have come forward to confirm breaches. A United Bank spokesperson told Recorded Future News that it launched an investigation as soon as the MOVEit situation became public.
“We take the confidentiality of our customers’ personal information very seriously and are notifying those individuals who have been affected and providing additional information and resources to support them,” a spokesperson said.
First Merchant Bank, Plains Capital Bank and the National Institutes of Health Federal Credit Union are just a few of the financial institutions to confirm being affected, with each noting that Social Security numbers were involved in their breaches.
It is unclear how many victims have paid the ransoms being demanded by Clop ransomware actors. Dominic Alvieri, a cybersecurity expert tracking the situation, noted that at least eight victims have been removed from Clop’s leak site since being posted. It’s unclear what that might mean.
Emsisoft’s Callow noted that in the past, Clop has made mistakes on its site, and the fact that a company has been delisted does not necessarily indicate that they paid a ransom.
Callow added that a handful of listed victims have outright denied being affected by the incident at all.
“That said, we do know that some victims have paid,” Callow said, referencing comments from incident responders at Mandiant who told CNN that some companies have paid ransoms.
“While it seems that the overwhelming majority have not, Clop does not necessarily need a high conversion rate for the MOVEit incident to be very profitable.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.