Progress Software discovered a new MOVEit Transfer vulnerability, the company said in an advisory Thursday, marking the third since Progress disclosed a zero day associated with its managed file transfer services on May 31. The first vulnerability, CVE-2023-34362, was followed by a second, CVE-2023-35036, last week.
Progress is encouraging all MOVEit Transfer customers to take immediate steps to address the new privilege escalation vulnerability, CVE-2023-35708, including measures to immediately disable all HTTP and HTTPS traffic to MOVEit Transfer environments until organizations can apply the patch.
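The interim mitigation described above is to cut HTTP and HTTPS traffic to the MOVEit Transfer host until the patch is applied. The script below is an added example of one way to do that on the Windows server hosting MOVEit Transfer using the built-in Windows Defender Firewall cmdlets; it is not code from Progress or from this article. It assumes the MOVEit Transfer site is bound to the default TCP ports 80 and 443 (an assumption; adjust if the site uses other bindings), uses a constructed rule-name prefix so the temporary rules are easy to find and remove later, and must be run from an elevated PowerShell session.

```powershell
# Added example (not from the Progress advisory or the article): temporarily deny
# inbound HTTP/HTTPS to a MOVEit Transfer host with Windows Defender Firewall until
# the CVE-2023-35708 patch is applied. Assumes the default Windows Server/IIS
# install listening on TCP 80 and 443 (assumption; change $Ports if the site is
# bound elsewhere). Run in an elevated PowerShell session.

$RuleNamePrefix = 'MOVEit-Temp-Block'   # constructed prefix; makes the rules easy to find and remove
$Ports = @(80, 443)                     # assumed default HTTP/HTTPS bindings

function Add-MoveitBlockRules {
    # Create one inbound Block rule per port, skipping any that already exist.
    foreach ($Port in $Ports) {
        $Name = "$RuleNamePrefix-$Port"
        if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $Name `
                -Direction Inbound -Protocol TCP -LocalPort $Port `
                -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
}

function Test-MoveitBlockRules {
    # Returns $true only if an enabled Block rule exists for every port in $Ports.
    foreach ($Port in $Ports) {
        $Rule = Get-NetFirewallRule -DisplayName "$RuleNamePrefix-$Port" -ErrorAction SilentlyContinue
        if (-not $Rule -or $Rule.Enabled -ne 'True' -or $Rule.Action -ne 'Block') {
            return $false
        }
    }
    return $true
}

function Remove-MoveitBlockRules {
    # Remove the temporary rules once the patched MOVEit Transfer build is installed.
    Get-NetFirewallRule -DisplayName "$RuleNamePrefix-*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

Add-MoveitBlockRules
if (Test-MoveitBlockRules) {
    Write-Host "Inbound TCP $($Ports -join ', ') is now blocked on this host; apply the Progress patch, then run Remove-MoveitBlockRules."
} else {
    Write-Warning "Block rules were not created as expected; verify firewall state before relying on this mitigation."
}
```

Blocking inbound 80 and 443 on the host also cuts off the MOVEit Transfer web administration interface, which is the intended effect of the mitigation; administrative access during the outage has to come through another channel such as a console or RDP session. Keep the rules in place until the patched build is installed and verified, then call Remove-MoveitBlockRules to restore service.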
“As we continue to investigate the issue related to MOVEit Cloud and MOVEit Transfer that we previously reported, an independent source has disclosed a new vulnerability that could be exploited by a bad actor,” a MOVEit spokesperson told Cybersecurity Dive in an emailed statement. “At this time, we have not seen indications that this new vulnerability has been exploited. We have developed a patch to address this issue and are communicating with customers on the steps they need to take to further harden their environments.”
The advisory came just after officials from the Cybersecurity and Infrastructure Security Agency disclosed a "small number" of federal agencies were impacted by the campaign, which CISA attributes to the Clop ransomware gang.
Yet there is an opportunity for more compromise. Once vulnerabilities are disclosed, exploitation can become a bit of a race, experts say. When zero-day exploits become public, threat actors from around the world quickly move to target them, according to Rick Holland, CISO, office of the CISO at ReliaQuest, in an emailed statement to Cybersecurity Dive.
"If I were running MOVEit software, this new vulnerability would further justify taking the MOVEit services offline," he said. "Given the velocity of these vulnerabilities, the attention and risks are too high to take a chance on additional vulnerabilities coming out. I would seek an alternative solution while Progress continues its investigation and code reviews."
CISA considers the campaign largely opportunistic and not widespread, though several hundred victims have come forward and Clop has begun to release victim names on its leak site.
"Although we are very concerned about this campaign and working on it urgently, this is not a campaign like SolarWinds that presents a systemic risk to our national security," CISA Director Jen Easterly said on a press call Thursday. CISA did not respond to requests for comment about the newly disclosed vulnerability by publication time.
While it is unclear which MOVEit vulnerabilities Clop leveraged to compromise federal agency services, "the longer known vulnerabilities remain unmitigated, the higher the chances multiple threat actors exploit them," Holland said.
Sharon Martin, a product architect at Huntress, says it's likely that most impacted federal agencies were compromised in the original vulnerability. "We've seen a delay from compromise until public ransom demand announcements, possibly as the threat actor is attempting private contact about ransom before going public," Martin said.
More organizations compromised
Clop claims it has exploited hundreds of organizations and many have started to come forward to disclose a breach. Emsisoft Threat Analyst Brett Callow said there are 63 known and confirmed victims as of Friday, plus an unspecified number of U.S. government agencies.
The Louisiana Office of Motor Vehicles said "all Louisianans with a state-issued driver’s license, ID, or car registration" have likely had some data exposed, including their names, addresses, Social Security numbers and vehicle registration numbers, according to a statement from the governor's office Thursday.
The Oregon Department of Transportation also had data accessed as part of the campaign, including the information of approximately 3.5 million Oregon ID and driver's license holders.
"Our analysis identified multiple files shared via MOVEit Transfer that were accessed by unauthorized actors before we received the security alert," the department said in a statement Thursday. "We do not have the ability to identify if any specific individual’s data has been breached."
Reports surfaced of impact to federal agencies Thursday, including the Energy Department. DOE did not respond to requests for comment by publication time.
"As far as we know, these actors are only stealing information that is specifically stored on the file transfer application at the precise time that the intrusion occurred," Easterly said. The intrusions are not being leveraged to gain access to targeted systems or to steal specific, high-value information, she said.
CISA is not aware of any impacts to military branches and no federal agency has received an extortion demand, nor has federal data been leaked, an official said. At this point, CISA is not aware of any federal agencies running unmitigated instances of MOVEit.
ReliaQuest's Holland suspects that Clop won't announce any government data on its leak site, because publicly going after government agencies can increase the risks to extortionists.
According to Holland, Clop wrote in its announcement last week, "If you are a government, city or police service do not worry we erased all your data. You do not need to contact us. We have no interest to expose such information."
More than 3,000 MOVEit hosts were exposed to the internet before the first vulnerability was disclosed or patched, according to Censys. But the proliferation of MOVEit Transfer applications exposed to the public internet does not necessarily mean that many organizations are compromised.
A senior CISA official emphasized that use of the MOVEit application is not indicative of vulnerability or compromise.
Of those organizations running MOVEit, nearly one-third were from the financial services industry, 16% were in healthcare, 9% in information technology and 8% in the government or military, according to Censys research.
"Based on how our data is collected and the visibility we have, we're able to see hosts on the internet running MOVEit, but we have no way to determine whether they've been targeted or compromised," said Emily Austin, security research manager and senior researcher at Censys, in an emailed statement.
Yet, Censys was able to determine more than 60 of the hosts were U.S. federal and state organizations.
Huntress is unaware of the total scope of the affected victims beyond what was shared publicly or posted on the dark web. However, Martin did note that MOVEit adheres to the Federal Information Processing Standards, so it likely has a prevalent user base across "government, financial, educational, and other industries that need a FIPS 140-2 compliant file transfer solution."
Thus far, CISA's assessment is that the majority of intrusions occurred in the days shortly after the incident was disclosed at the end of May, as the threat actor moved quickly to compromise vulnerable organizations before they could deploy mitigations.
The agency moved quickly to limit the federal exposure to the MOVEit campaign, an official said, which resulted in the mitigation of many vulnerable instances before intrusion occurred. In instances where CISA identified federal organizations running vulnerable versions of the application, mitigations were applied.