MOVEit Vulnerability Yields Another 4 Million Breached Records
August 16, 2023 Alex Woodie
A zero-day security vulnerability in the MOVEit Transfer file transfer software, disclosed in late spring, has been wreaking havoc across American companies this summer. The latest victims are people enrolled in Colorado’s version of Medicaid, whose data was compromised when cybercriminals used the flaw to access their files on a MOVEit Transfer instance operated by IBM on the state’s behalf.
The Colorado Department of Health Care Policy & Financing (HCPF) recently notified members that a security incident gave unauthorized actors access to the protected health information of people enrolled in two of its programs: Health First Colorado, the state’s Medicaid program, and Child Health Plan Plus (CHP+).
Progress Software, the owner of the MOVEit Transfer software, announced on May 31 that a zero-day security flaw had been discovered in the product. The flaw, a SQL injection vulnerability in the MOVEit Transfer web application, was assigned CVE-2023-34362. In the weeks that followed, Progress published additional CVEs for further SQL injection flaws found in the same product.
Soon after the flaw was unveiled, IBM, which uses MOVEit Transfer software to move HCPF files in the normal course of business, notified HCPF that it was impacted by the vulnerability. The state agency then initiated an investigation to see the extent of the damage.
“While HCPF confirmed that no HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023,” the agency said.
The breach impacted more than four million customers, according to a story in Bleeping Computer. IT Jungle has not confirmed that number.
IBM and HCPF were not the only organizations to suffer from the MOVEit breach, which is reportedly being perpetrated by the cl0p ransomware gang. According to an analysis by Emsisoft, a provider of anti-malware software, there have been more than 668 organizations impacted, resulting in more than 46 million compromised records.
Other organizations impacted include Maximus, a Virginia-based government services contractor, which had 11 million records compromised; the Louisiana Office of Motor Vehicles, which lost control of 6 million records; the Oregon Department of Transportation, which had 3.5 million records compromised; and Genworth Financial, an insurance and financial services firm based in Richmond, Virginia, which lost control of 2.5 million records.
The flaw has highlighted the interconnected nature of modern IT systems, and how the impact of a single security flaw can flow from one company to another, according to Reuters. For example, the compromise of MOVEit systems run by Pension Benefit Information (PBI), a third-party vendor, in turn exposed sensitive data that PBI held on behalf of its client, the Teachers Insurance and Annuity Association of America (TIAA), the news agency reported. The organization whose customers are harmed may never have run the vulnerable software itself.
“Hacks by groups like cl0p occur with a numbing regularity,” Reuters reporters Raphael Satter and Zeba Siddiqui write. “But the sheer variety of victims of the MOVEit compromise, from New York public school students to Louisiana drivers to California retirees, has made it one of the most visible examples of how a single flaw in an obscure piece of software can trigger a global privacy disaster.”
The MOVEit flaw doesn’t appear to impact IBM i. But it is similar in important respects to an earlier flaw in Fortra’s GoAnywhere MFT file transfer software, which did impact IBM i: both were zero-days in managed file transfer products, both were exploited for mass data theft before a patch was available, and both were attributed to the cl0p gang. Managed file transfer servers are attractive targets precisely because they sit on the network edge and hold other organizations’ data in bulk. When you consider that these sorts of vulnerabilities in file transfer products appear to be surfacing with greater regularity, and that IBM i itself has been subject to a number of security flaws this summer, a greater degree of vigilance is in order: inventory any MFT products in use, apply vendor patches promptly, and review the logs of those systems for unexpected access.
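The article names the vulnerability class (SQL injection) but, like the Progress advisory, does not publish the affected query. The following is an added, generic illustration written for this page, not code from MOVEit Transfer, Progress, or the article’s author, and it does not reproduce the MOVEit code path. It shows the pattern behind every SQL injection bug, a user-supplied string spliced into SQL text, next to the parameterized form that defeats it. The table, rows, and attack strings are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example; not real member or MOVEit records.
SAMPLE_ROWS = [
    ("alice", "alice@example.org", "member"),
    ("bob", "bob@example.org", "member"),
    ("carol", "carol@example.org", "admin"),
]

# Two classic injection payloads, constructed for the example.
# A tautology turns the WHERE clause into "always true".
TAUTOLOGY = "' OR '1'='1"
# A UNION pulls data from a column the query never meant to expose;
# the trailing "--" comments out the original closing quote.
UNION_PAYLOAD = "x' UNION SELECT username, role FROM users WHERE role='admin' --"


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately injectable: attacker-controlled text is pasted into the SQL.

    The database parser cannot tell where the developer's SQL ends and the
    user's input begins, so quotes, OR and UNION in the input become SQL.
    """
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the value is bound as a parameter and is never parsed as SQL.

    The statement text is fixed at development time; whatever the user sends
    is compared as a plain string against the username column.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def vulnerable_breaks_on(conn, username):
    """True if the concatenating version cannot even parse for this input.

    A legitimate apostrophe (o'brien) is enough to break the vulnerable query,
    which is a cheap functional check that often reveals injection before an
    attacker does.
    """
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    for label, payload in [("tautology", TAUTOLOGY), ("union", UNION_PAYLOAD)]:
        print(label, "vulnerable    :", lookup_vulnerable(db, payload))
        print(label, "parameterized :", lookup_parameterized(db, payload))
    print("vulnerable query breaks on o'brien:", vulnerable_breaks_on(db, "o'brien"))
    print("parameterized handles o'brien:", lookup_parameterized(db, "o'brien"))
```

Run as a script, the vulnerable lookup returns every row for the tautology and leaks the admin’s role column for the UNION payload, while the parameterized lookup returns nothing for either, because it is looking for a user literally named `' OR '1'='1`. The apostrophe check is worth keeping as a unit test in any code base that builds SQL: if `o'brien` raises a syntax error, the query is concatenating input and is injectable.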
RELATED STORIES
Midsummer Security Indicators: Hot and Gloomy
Zero-Day Vulnerability in Fortra’s GoAnywhere MFT Being Actively Exploited
Really absurd that still today in 2023 a silly thing like SQL injection is still present in some software… a law should exist that lets users ask for damages if SQL is built in the logic layer as is… this happens when a language or poor architecture allows one to conflate layers…
Impossible to do with native IBM i I/O access, btw… so how many billions in damages avoided by native I/O??? 😉
Use prepared statements if you use SQL ffs!!!!