State governments among victims of MoveIT Transfer breach

Illinois, Minnesota and Missouri state governments are among a growing list of organizations attacked via a critical flaw in Progress Software's MoveIT Transfer product.

Progress Software on May 31 detailed an SQL injection bug in its managed file transfer (MFT) software MoveIt Transfer. Progress urged customers to immediately apply mitigations for the vulnerability, tracked as CVE-2023-34362, while it worked on a patch, which was released later that day. But as security vendors reported soon after, the critical bug was already under active exploitation in the wild.

A wave of organizations have disclosed data breaches in the wake of CVE-2023-34362 coming to light. Some of the early major names affected by the MoveIT flaw included the government of Nova Scotia, Canada; HR software provider Zellis; the BBC; British Airways; and British retailer Boots.

Several other organizations have disclosed compromises since that initial wave, including U.K. broadcast regulator Ofcom and networking vendor Extreme Networks. Multinational accounting firm Ernst and Young was also reportedly breached via the critical flaw. Ernst and Young did not reply to TechTarget Editorial's request for comment, but the BBC said it received confirmation of a data breach from the firm.

In early June, Microsoft published new research attributing the attacks to a threat actor it dubbed "Lace Tempest," which it tied to the Clop ransomware gang. Clop claimed responsibility for a campaign against MoveIT customers on its data leak site earlier this month, adding it would begin posting victims' names to its site if they failed to contact the gang by June 14 (today as of press time).

CL0P #ransomware group claims to have accessed 100's of company data by exploiting a zero-day vulnerability in the MOVEit Transfer. They also claims to disclose the company names in their darkweb portal by June 14, 2023.#CLOP#darkweb #databreach #cyberrisk #cyberattack… pic.twitter.com/igY1mV8JSv

— FalconFeedsio (@FalconFeedsio) June 7, 2023

The cybercrime gang also said it would erase data attached to organizations including government agencies, city services and police departments. The gang said it has "no interest to expose such information." However, several more government entities have come forward with MoveIT Transfer-related data breach disclosures in recent days.

On Friday the Minnesota Department of Education (MDE) said it suffered a data breach "as part of a global cyber-security attack targeting the MOVEit software." In a press release, it said Minnesota IT Services had been notified by a third-party vendor of a potential breach.

"That same day, MDE files on a MOVEit server were accessed by an outside entity," the press release read.

Stolen data included files from two school districts and Hennepin Technical College, which contained information about "approximately 95,000 names of students placed in foster care throughout the state, 124 students in the Perham School District who qualified for Pandemic Electronic Benefits Transfer (P-EBT), 29 students who were taking PSEO classes at Hennepin Technical College in Minneapolis, and five students who took a particular Minneapolis Public Schools bus route."

"The files accessed relating to foster care students contained demographic data including the names, dates of birth and county of placement," the release read. "These files were transferred to MDE from the Minnesota Department of Human Services under a data sharing agreement to meet state and federal reporting requirements. MDE does not have contact information for these individuals."

The Illinois Department of Innovation and Technology (DoIT) also confirmed Friday it was investigating an "attack affecting Illinois' network." According to the DoIT's press release, an investigation is ongoing, but the department believes "a large number of individuals could be impacted."

"DoIT's Infrastructure and Security teams moved quickly to respond to the attack affecting Illinois' network, evicting the attacker within three hours and verifying that the vulnerability could no longer be exploited in our system," DoIT Secretary and State CIO Sanjay Gupta wrote in a statement within the press release. "We are working with all relevant authorities and will provide regular updates to the people of Illinois."

The State of Missouri said on Tuesday that its Office of Administration, Information Services and Technology Division (OA-ITSD) was investigating "the potential impact" of a MoveIT-centric cyber attack, though it did not specify that a data breach occurred in its statement.

"The State of Missouri quickly identified any associations with the MoveIT system and the Office of Administration immediately launched a thorough investigation to determine the extent of the cyber-attack and any agencies and vendors potentially impacted," the news release said. "This investigation is ongoing. Public notice will be made as quickly as possible once entities, individuals, or systems who may have been impacted are identified."

Emsisoft threat analyst Brett Callow told TechTarget Editorial in an email that regardless of whether Clop was behind these data breaches, "it would be a mistake for public sector bodies to believe Clop will delete their data."

"While Clop may not attempt to extort money from those bodies, they may well sell the data, trade it, or use it for phishing," he said. "Why wouldn't they? The real question is why Clop is choosing not to extort these bodies. Is it because they have too many victims to handle so have decided to drop those they believe would have the lowest ROI? To avoid extra attention from law enforcement? Or perhaps another reason?"

Alexander Culafi is a writer, journalist and podcaster based in Boston.