U.S. government agencies breached via MoveIt Transfer flaw

Several U.S. government agencies were breached in attacks on a critical vulnerability in Progress Software's MoveIt Transfer software, CISA said Thursday.

The flaw, tracked as CVE-2023-34362, is a SQL injection bug affecting Progress' managed file transfer software, MoveIt Transfer, that was first disclosed on May 31. A large wave of organizations have since disclosed data breaches stemming from the vulnerability's exploitation. Victims have ranged from private companies such as U.K. HR software provider Zellis to the government of Nova Scotia and multiple U.S. state governments.

The primary threat actor at the center of the flaw's exploitation was identified as "Lace Tempest" by Microsoft. Lace Tempest is tied to the Clop ransomware gang, which claimed responsibility for attacks on its ransomware leak site and has, according to reports, been operating an opportunistic campaign using the flaw against a large number of enterprises. The gang also said it would erase data attached to government agencies, city services and police departments, though infosec experts have cautioned against trusting the word of the cybercriminal group.

In a press call Thursday afternoon hosted by CISA and attended by TechTarget Editorial, CISA Director Jen Easterly confirmed that "several federal agencies" suffered intrusions through their MoveIt Transfer instances and said CISA was providing support.

She said that while CISA was working urgently to respond to the breaches and understand the impact against U.S. organizations, the agency was "not tracking any significant impacts to the federal civilian executive branch enterprise," and that threat activity across the board involving the flaw has been largely opportunistic.

"While our teams are urgently focused on addressing risks posed by this vulnerability, it's important to clarify the scope and nature of this campaign," Easterly said during the press call. "Specifically, as far as we know, these actors are only stealing information that is being stored on the file transfer application at the precise time that the intrusion occurs. Based on discussions we have had with industry partners in the Joint Cyber Defense Collaborative, these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems or to steal specific high-value information -- in sum, as we understand it, this attack is largely an opportunistic one."

The CISA director added that the agency was "not aware of Clop actors threatening to extort or release any data stolen from U.S. government agencies" and that although CISA was "very concerned" about the campaign, it did not present a systemic risk to U.S. national security or the nation's networks.

During a Q&A portion during the press call, multiple reporters asked about the data stolen from federal networks as well as the names and quantity of U.S. federal organizations affected, but a senior CISA official declined to elaborate. The official also declined to conclusively tie activity against the U.S. government to Clop.

A company spokesperson for MoveIt Transfer shared the following statement with TechTarget Editorial:

We remain focused on supporting our customers by helping them take the steps needed to further secure their environments, including applying the patches we have released. We are continuing to work with industry-leading cybersecurity experts to investigate the issue and ensure we take all appropriate response measures. We have engaged with federal law enforcement and other agencies and are committed to playing a leading and collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.

In addition, Progress on Thursday disclosed a new critical vulnerability affecting instances of MoveIt Transfer. Tracked as CVE-2023-35708, the flaw is a privilege escalation vulnerability. Few technical details about the flaw are available, and Progress did not say whether it had seen exploitation in the wild. Patches are available now, according to the vendor's advisory.

Alexander Culafi is a writer, journalist and podcaster based in Boston.