Risk & Repeat: Moveit Transfer flaw triggers data breaches
Several organizations, predominantly in the U.K., have confirmed data breaches that stemmed from exploitation of the critical Moveit Transfer zero-day vulnerability.
Progress Software last week disclosed a critical flaw in its Moveit Transfer product that was quickly revealed to be a zero-day vulnerability under exploitation in the wild.
Progress disclosed the bug on May 31 as a SQL injection bug. Now tracked as CVE-2023-34362, Progress urged customers to mitigate the flaw and then update their software when a patch became available later that day. Although the vendor was quick to respond, instances of its managed file transfer software Moveit Transfer were already under attack.
Security vendors reported exploitation soon after Progress' initial disclosure, which did not note active exploitation at the time. On Sunday, Microsoft attributed the attacks to a threat actor, dubbed Lace Tempest, tied to the Clop ransomware gang. Then, this week, a wave of organizations confirmed data breaches stemming from the vulnerability, including HR software provider Zellis, the BBC and the government of Nova Scotia, Canada.
On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the critical Moveit Transfer bug, Progress' response and the victims affected by it.
Subscribe to Risk & Repeat on Apple Podcasts.
Alexander Culafi is a writer, journalist and podcaster based in Boston.