Cyber Incident Victim: Department of Agriculture

Date: Jun 2023

Location: United States of America

Summary

A third-party vendor using the MOVEit file transfer tool was implicated in a potential data breach impacting the Department of Agriculture. A very small number of USDA employees may have had their data compromised by the Clop ransomware group, which exploited vulnerabilities in the software. This incident was part of a wider campaign affecting numerous government agencies and state-level organizations, leading to significant data exposure for millions of individuals.

Description

A third vulnerability affecting the MOVEit file transfer tool was disclosed by Progress Software, the company behind the product, on or around June 17, 2023. This vulnerability, tracked as CVE-2023-35708, was reported to the company by an independent source. The bug could potentially grant attackers escalated privileges and unauthorized access to a victim's environment. Progress Software stated that, at the time of disclosure, it had seen no indication that this new vulnerability had been exploited. The company developed a patch to address the issue and communicated to customers the steps needed to further harden their environments. It also noted that it had been coordinating with federal law enforcement and other agencies. In its advisory, Progress warned that it was extremely important for all MOVEit customers to take immediate action, emphasizing that customers needed to patch the initial vulnerabilities first before applying this latest fix. The Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to review Progress's advisory about the new bug.

This discovery followed the earlier exploitation of two prior vulnerabilities in the same software. Those initial vulnerabilities had already produced a significant number of incidents, with dozens of entities reporting data breaches. The attack method used by the Clop ransomware group involved multiple steps, but the discovery of this third vulnerability showed that the attack chain could be shortened. A security researcher examining the previous patches found that the software could still be vulnerable to other attack methods, which led to the identification of this third zero-day vulnerability. The best recommendation for users was to keep applying patches, and Progress advised shutting off the HTTP component of the MOVEit Transfer application entirely until the fix was in place.

The impact of the initial MOVEit vulnerabilities was widespread. On June 15, 2023, the Cybersecurity and Infrastructure Security Agency revealed that several federal agencies had been affected by cyberattacks exploiting the software. The Department of Energy confirmed that two entities under its umbrella were affected. A spokesperson for the U.S. Department of Agriculture (USDA) stated on June 16 that the department may have been hit by the Clop ransomware group; the USDA's breach investigation had not been reported before this statement. The spokesperson said, "USDA is aware of a possible data breach with a vendor that may impact a very small number of employees, and any employees whose data may have been affected will be contacted and provided support." Other agencies, including the Departments of Labor, Education, and the Interior, stated they were not affected. The State Department and the Defense Department declined to comment.

Beyond federal agencies, multiple state-level organizations announced breaches connected to the MOVEit vulnerabilities. State agencies in Illinois, Missouri, and Minnesota disclosed that they were investigating potential data breaches affecting thousands of people. The motor vehicle departments in both Oregon and Louisiana confirmed they were affected by the attacks. The state of Louisiana stated that all residents with a state-issued driver's license, ID, or car registration had likely had their personal information accessed, including names, Social Security numbers, dates of birth, physical attributes, driver's license numbers, and vehicle registration information. Oregon's Department of Transportation confirmed that the personal information of approximately 3.5 million holders of Oregon IDs or driver's licenses was affected by the breach. Its analysis identified multiple files shared via MOVEit Transfer that were accessed by unauthorized actors before the organization received the security alert. The Oregon DOT stated that individuals with an active Oregon ID or driver's license should assume their information was part of the breach, because it was unable to identify which specific individuals' data was taken.

The Clop ransomware group claimed responsibility for the attacks and posted batches of victim names over the preceding week. The group also claimed to have deleted all government-related data it had exfiltrated. By June 17, it was reported that 63 victims had either been named by Clop or had come forward to announce breaches themselves. The incident was considered potentially one of the most wide-ranging and significant data breaches of recent years, though the full number of affected organizations was not yet known at that time. It prompted a response from Congress, with the House Energy and Commerce Chair and the Committee's Ranking Member requesting a briefing on the issue from the White House and the Department of Energy. The continuing discovery of vulnerabilities raised concerns that more issues might be found as security researchers continued to scrutinize the MOVEit software.
