New zero day vulnerability in MOVEit Transfer & Cloud. How many more victims there will be?

As more organizations come out to declare data breaches that were caused by the program’s flaws, the developer of the popular MOVEit file transfer tool has revealed that its software has a second flaw that makes it susceptible to vulnerabilities.

The software business Progress said on Friday that after the discovery of the initial vulnerability, CVE-2023-34362, the cybersecurity firm Huntress has been undertaking code evaluations of the MOVEit product and has found a new problem as a result of their efforts. On Friday, the business announced the availability of a fix for the flaw and urged clients of MOVEit Transfer to implement the update. The alert stated that the newly discovered vulnerability might make it possible for an attacker to obtain unauthorized access to the MOVEit Transfer database, which “could result in modification and disclosure of MOVEit database content.”

This vulnerability, which does not yet have a CVE designation, affects all versions of the product and might potentially lead to a security breach. As a consequence of the MOVEit vulnerability, a number of businesses and organizations who were impacted have recently disclosed data breaches. There is a connection between the data breaches that occurred at the BBC, Boots, and Aer Lingus, and a cyber event that affected their payroll supplier Zellis.

In the meanwhile, the victims identified in North America were the government of Nova Scotia and the University of Rochester. Microsoft alerted Clop on Sunday that it was the group responsible for the efforts to exploit MOVEit. On Wednesday morning, Clop issued an extortion message saying that “hundreds” of firms were impacted and warning that these victims needed to contact the gang or they would be listed on the organization’s extortion site. Microsoft warned that Clop was behind the attempts to exploit MOVEit.

Following the first deadline of June 12, which was stated on the gang’s post, the criminals threatened that “we will post your name on this page,” however the timeframe was ultimately moved to June 14. Although the explanation for the delay was not provided, Joe Tidy of the BBC pointed out that June 12 is a holiday in the Russian Federation, thus that may have been the cause.

An adversary might potentially compromise the MOVEit database by submitting a specially constructed payload to a MOVEit Transfer application endpoint, which would then result in the content of the MOVEit database being modified or disclosed. Customers of MOVEit Transfer are required to download and install the latest patch, which was made available on June 9, 2023. The research is still underway, however as of right now there are no signs to suggest that any of these recently found vulnerabilities have been exploited. According to the business, all MOVEit Cloud clusters have already been patched against these newly discovered vulnerabilities in order to protect them from any prospective attacks that may be launched against them.