Cyber Incident Victim: Department of Agriculture
Date: May 2023
Location: United States of America
Summary
The Department of Agriculture may have been impacted by a data breach stemming from vulnerabilities in the MOVEit file transfer tool. A USDA spokesperson indicated a vendor incident potentially affected a very small number of employees, who would be contacted for support. This event was part of a wider cyberattack exploiting the MOVEit software that impacted several federal agencies and numerous other organizations, leading to significant data compromises.
Description
A third vulnerability affecting the MOVEit file transfer tool, tracked as CVE-2023-35708, was disclosed to Progress Software, the company behind the product, by an independent source. The bug could grant an attacker escalated privileges and, potentially, unauthorized access to a victim’s environment. Progress Software stated that, at the time of disclosure, it had seen no indication that this new vulnerability had been exploited. The company developed a patch to address the issue and communicated to customers the steps required to further harden their environments, and it coordinated with federal law enforcement and other agencies regarding the development. Progress Software’s advisory warned that it was extremely important for all MOVEit customers to take immediate action, noting that customers needed to patch the initial vulnerabilities before applying this latest fix. The Cybersecurity and Infrastructure Security Agency (CISA) also urged organizations to review Progress’ advisory about the newly discovered bug.

This third vulnerability was discovered by a researcher who goes by MCKSys Argentina on Twitter while examining the previous findings related to earlier MOVEit vulnerabilities. The researcher found that the software, even with the patch for a previous vulnerability applied, remained vulnerable through other attack methods, which led to the identification of this third zero-day issue. A security researcher involved in the disclosure of a prior MOVEit vulnerability explained that the attack method used by the Clop ransomware hackers involved three separate steps, but that this newest vulnerability allowed them to shorten the attack to just two steps. The recommendation to users was to continue patching their systems, and Progress advised shutting off the HTTP component of the software entirely. It was noted that the MOVEit Transfer application could be attacked in multiple ways, making the discovery of further issues unsurprising as security researchers continued to scrutinize the software.
The initial vulnerabilities in the MOVEit software gave rise to a significant number of incidents, with dozens of entities reporting data breaches. On June 15, 2023, CISA revealed that several federal agencies were impacted by cyberattacks related to the MOVEit vulnerabilities. The Department of Energy confirmed that two entities under its umbrella were affected by these attacks. A spokesperson for the U.S. Department of Agriculture (USDA) stated on June 16, 2023, that the department may have been hit by the Clop ransomware group; this potential breach investigation at the USDA had not previously been reported. The USDA spokesperson said, “USDA is aware of a possible data breach with a vendor that may impact a very small number of employees, and any employees whose data may have been affected will be contacted and provided support.” The Clop group had posted batches of victims over the preceding week but claimed to have deleted all government-related data.
Other federal agencies responded to inquiries about their status. Spokespeople for the Department of Labor, the Department of Education, and the Department of the Interior said they were not affected by the incidents. Both the State Department and the Defense Department declined to comment on whether they were impacted. Several other agencies did not respond to requests for comment. In response to the widespread impact on government agencies, House Energy and Commerce Chair Cathy McMorris Rodgers and Committee Ranking Member Frank Pallone asked for a briefing about the issue from the White House and the Department of Energy.
Multiple state-level organizations also announced breaches connected to the MOVEit vulnerabilities. State agencies in Illinois, Missouri, and Minnesota stated they were investigating potential data breaches related to MOVEit that were affecting thousands of people. The motor vehicle departments in both Oregon and Louisiana confirmed they were affected by the attacks. The state of Louisiana issued a statement saying that all Louisianans with a state-issued driver’s license, ID, or car registration had likely had their personal information accessed. This information included names, Social Security numbers, dates of birth, physical attributes, driver’s license numbers, and vehicle registration information. Oregon’s Department of Transportation confirmed that the personal information for approximately 3.5 million holders of Oregon IDs or driver’s licenses was affected by the breach. Their analysis identified multiple files shared via MOVEit Transfer that were accessed by unauthorized actors before the department received the security alert. The Oregon DOT stated they did not have the ability to identify if any specific individual’s data was breached and advised individuals who have an active Oregon ID or driver’s license to assume their information was part of this breach.
By June 17, 2023, it was reported that 63 victims had either been named by the Clop ransomware group or had come forward to announce breaches. The significant number of victims and the wide range of affected organizations, from federal agencies to state governments and private companies, indicated the extensive impact of the vulnerabilities. The personal data of millions of individuals was compromised in these attacks, including highly sensitive information such as Social Security numbers and driver's license details. The breach investigations were ongoing across multiple organizations, with many still working to determine the full scope of the data accessed by unauthorized actors.
