As victim count mounts, a critical new MOVEit bug emerges - with US federal agencies compromised

Hackers "often breach the Department’s defensive perimeter and roam freely within our information systems"


Impact from the exploitation of vulnerabilities in the MOVEit file transfer software keeps growing. Confirmed victims (believed to be in their hundreds) now include the US’s Department of Energy, EY, and Shell.

(Earlier review by The Stack of exposed MOVEit instances revealed hundreds of other well-known bluechips exposed, including across the aerospace and defence, semiconductor and consultancy sectors.)

Incident responders look set to be kept busy: on June 15, MOVEit owner Progress Software confirmed that there was another critical vulnerability in the software, with a CVE pending, and urged customers to disable “all HTTP and HTTPs traffic to your MOVEit Transfer environment”.

Progress's warning follows a June 9 advisory that disclosed further critical SQL injection vulnerabilities, tracked as CVE-2023-35036. These came in the wake of a security audit following patches for the mass-exploited vulnerability, CVE-2023-34362. (When a zero-day vulnerability is exploited, it often triggers a flurry of interest in the product in question from security researchers, who almost inevitably find a host of further vulnerabilities...)

Corporate risk multinational Kroll says it has found evidence that the Clop threat group had been testing MOVEit exploits since 2021 and ways to exfiltrate data from compromised MOVEit servers since April 2022.

A new MOVEit vulnerability - and older bugs too...

On June 15, meanwhile, US cybersecurity agency CISA said that another software product from Progress had been exploited to breach multiple US federal agencies by “unattributed APT actors” – the products in question are from Progress subsidiary Telerik (a company it bought in 2014).

The vulnerabilities exploited in this attack, a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik UI for ASP.NET AJAX, located in the agency’s Microsoft IIS web server, and the equivalent vulnerability in earlier versions (CVE-2017-9248), both had patches available.

CISA said: “Though the agency’s vulnerability scanner had the appropriate plugin for CVE-2019-18935, it failed to detect the vulnerability due to the Telerik UI software being installed in a file path it does not typically scan. This may be the case for many software installations, as file paths widely vary depending on the organization and installation method…”
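The CISA finding above is a reminder that path-based scanner plugins only see what they are pointed at. The following PowerShell snippet, added here as an illustration and not taken from CISA or Progress, inventories every copy of the Telerik assembly on a Windows host by file name rather than by expected install directory, so a copy dropped under a custom web root is still reported. The assembly name Telerik.Web.UI.dll is the standard name of the Telerik UI for ASP.NET AJAX library; the fixed version number to compare against is not stated in the article and must be taken from the vendor's advisory.

```powershell
# Added example (not from the article): enumerate every Telerik.Web.UI.dll on the host,
# whatever directory it was installed in, and report its file version and owning site.
$roots = Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root }

$findings = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'Telerik.Web.UI.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # An ASP.NET site keeps its assemblies in <site>\bin, so the parent of bin is the site root.
            $siteRoot = $_.Directory.Parent.FullName
            [pscustomobject]@{
                Path        = $_.FullName
                FileVersion = $_.VersionInfo.FileVersion
                SiteRoot    = $siteRoot
                HasWebConfig = Test-Path (Join-Path $siteRoot 'web.config')
            }
        }
}

# Compare FileVersion against the vendor's fixed release for CVE-2019-18935 (placeholder below;
# the article does not give the number) and feed the result to the vulnerability tracker.
$fixedVersion = [version]'0.0.0.0'   # PLACEHOLDER: replace with the vendor's patched version
$findings |
    Select-Object Path, FileVersion, SiteRoot, HasWebConfig,
        @{ Name = 'BelowFixed'; Expression = { [version]$_.FileVersion -lt $fixedVersion } } |
    Sort-Object FileVersion |
    Format-Table -AutoSize
```

Run it from an elevated prompt so every drive and web root is readable; the output lists each assembly once per copy, which also surfaces forgotten duplicate installs that a single-path scan would never visit.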

(Late in 2022 the Pentagon admitted strikingly bluntly that both state hackers and individual malicious actors “often breach the Department’s defensive perimeter and roam freely within our information systems.”)

The attack on Shell, meanwhile, represented the second time it has been breached via file transfer software. The company shifted from Accellion to MOVEit after the former was breached in 2021 and exposed data.
