Progress criticized the public disclosure of the latest zero-day vulnerability in MOVEit by a third-party security researcher, whose tweet prompted the software firm to temporarily take down the cloud version of the file transfer tool last Thursday.
It was the fourth in a series of flaws to be discovered affecting MOVEit in recent weeks. The original vulnerability in MOVEit has led to data breaches at multiple federal and state government agencies, as well as numerous major companies.
Last week, an unnamed security researcher reportedly posted details about the zero-day MOVEit vulnerability on Twitter, without following the usual “responsible disclosure” process that involves informing the affected vendor and allowing for time to create a fix before sharing information publicly.
Since Progress did not have a chance to develop a patch for the vulnerability, the software vendor said it was forced to “take immediate action” by disabling its MOVEit Cloud platform. The vulnerability (tracked as CVE-2023-35708) impacts both MOVEit Cloud and MOVEit Transfer.
Progress said Sunday that it hasn’t seen evidence that the latest MOVEit vulnerability has been exploited. “Taking MOVEit Cloud offline for maintenance was a defensive measure to protect our customers and not done in response to any malicious activity,” Progress said.
Still, the public disclosure heightened the risk to MOVEit customers, which have been scrambling to patch their systems amid widespread attacks by a cybercriminal group.
“A third party publicly disclosed a vulnerability impacting MOVEit Transfer and MOVEit Cloud in a way that did not follow normal industry standards, and in doing so put our customers at increased risk of exploitation,” Progress said in its post Sunday.
The company did not identify the researcher, but Bloomberg reported that the researcher posted the vulnerability using the Twitter handle @MCKSysAr. The researcher’s name was not shared in the article. CRN has messaged the researcher on Twitter to ask for comment.
According to the Bloomberg report, the researcher didn’t initially realize they had posted a zero-day vulnerability. In a subsequent post, the researcher tweeted, “I guess that I just dropped a 0 day here.” The researcher reportedly told Bloomberg that they opted to not delete their tweets because the information was already circulating.
Progress said it has now applied a fix for the latest vulnerability to MOVEit Cloud, and the firm has made the patch available to customers of MOVEit Transfer.
MOVEit Breaches Pile Up
The original MOVEit vulnerability (tracked as CVE-2023-34362) has seen wide exploitation by the Clop cybercriminal group in recent weeks. The flaw can enable escalation of administrative privileges and unauthorized access, Progress has said.
Multiple U.S. government agencies have been compromised in the attacks, according to CISA. At least two Department of Energy facilities — including a storage site for radioactive waste in New Mexico — have reportedly been among the victims. State agencies including the Louisiana Office of Motor Vehicles and the Oregon Driver and Motor Vehicles division have confirmed that sensitive data, including driver’s license files, has been stolen in the attacks.
Other confirmed victims of the attacks have included Johns Hopkins University and Health System, British Airways, the BBC and the Government of Nova Scotia, according to the Bloomberg report. Companies including Shell and Ernst and Young are investigating a potential data breach, according to the report.