MOVEit Transfer Vulnerability Going Wild

The Clop ransomware organization purportedly exploited a critical zero-day flaw in the MOVEit file transfer program.

Security professionals have been warning about the new vulnerability, tracked as CVE-2023-34362, in Progress Software’s MOVEit Transfer.

The vulnerability was added to CISA’s known exploited vulnerability catalog last week, marking June 23 as a deadline for all federal civilian agencies to have the patch and mitigation measures applied.

Researchers at Microsoft have identified the hackers as the Clop ransomware group — which has notoriously exploited file transfer services used in some of the largest companies in the world. In the past few months, the Clop ransomware group continuously exploited a vulnerability in Fortra’s GoAnywhere file transfer product. They claim to have breached over 130 international businesses and governments. They were also responsible for a slew of attacks that targeted the Accellion file transfer tool.

As news of the MOVEit Transfer bug impact trickles in, some of the first victims on the list were identified as BBC, British Airways, the government of Nova Scotia, the University of Rochester, and Zellis, a leading payroll service provider.

“There are undoubtedly organizations who don’t even know yet that they’re affected,” said Caitlin Condon, senior manager of security research at the cybersecurity firm Rapid7.

The BBC stated that it was collaborating with Zellis to determine the scope of the incident. On Monday, the broadcaster informed all of its employees and contractors in the United Kingdom by email that information including birthdates, social security numbers, and home addresses had been made public. However, it claimed that bank account information had not been stolen and that there was “no evidence that the data is being exploited.”

The University of Rochester said in a statement last Friday that it was one of the victims, but a spokesman for the university declined to corroborate the claim or disclose the extent of the breach.
