MOVEit maker: tweeting zero-day 'put our customers at risk'
Public disclosure 'did not follow normal industry standards', complains Progress Software
The tweet revealing a new vulnerability in MOVEit "put our customers at increased risk of exploitation," Progress Software said. It came after prior MOVEit vulnerabilities led to breaches at numerous government agencies and companies.
Progress criticised the public disclosure of the latest zero-day vulnerability in MOVEit by a third-party security researcher, whose tweet prompted the software firm to temporarily take down the cloud version of the file transfer tool last Thursday.
It was the fourth in a series of flaws to be discovered affecting MOVEit in recent weeks. The original vulnerability in MOVEit has led to data breaches at multiple federal and state government agencies, as well as numerous major companies.
Last week, an unnamed security researcher reportedly posted details about the zero-day MOVEit vulnerability on Twitter, without following the usual "responsible disclosure" process that involves informing the affected vendor and allowing for time to create a fix before sharing information publicly.
Since Progress did not have a chance to develop a patch for the vulnerability, the software vendor said it was forced to "take immediate action" by disabling its MOVEit Cloud platform. The vulnerability (tracked as CVE-2023-35708) impacts both MOVEit Cloud and MOVEit Transfer.
Progress Software said on Sunday that it hasn't seen evidence that the latest MOVEit vulnerability has been exploited. "Taking MOVEit Cloud offline for maintenance was a defensive measure to protect our customers and not done in response to any malicious activity," Progress said.
Still, the public disclosure heightened the risk to MOVEit customers, which have been scrambling to patch their systems amid widespread attacks by a cybercriminal group.
"A third party publicly disclosed a vulnerability impacting MOVEit Transfer and MOVEit Cloud in a way that did not follow normal industry standards, and in doing so put our customers at increased risk of exploitation," Progress said in its post on Sunday.
The company did not identify the researcher, but Bloomberg reported that the researcher posted the vulnerability using the Twitter handle @MCKSysAr. The researcher's name was not shared in the article.
According to the Bloomberg report, the researcher didn't initially realize they had posted a zero-day vulnerability. In a subsequent post, the researcher tweeted, "I guess that I just dropped a 0 day here." The researcher reportedly told Bloomberg that they opted to not delete their tweets because the information was already circulating.
Progress said it has now applied a fix for the latest vulnerability to MOVEit Cloud, and the firm has made the patch available to customers of MOVEit Transfer.
MOVEit breaches pile up
The original MOVEit vulnerability (tracked as CVE-2023-34362) has seen wide exploitation by the Clop cybercriminal group in recent weeks. The flaw can enable escalation of administrative privileges and unauthorised access, Progress has said.
Multiple US government agencies have been compromised in the attacks, according to CISA. At least two Department of Energy facilities — including a storage site for radioactive waste in New Mexico — have reportedly been among the victims. State agencies including the Louisiana Office of Motor Vehicles and the Oregon Driver and Motor Vehicles division have confirmed that sensitive data, including driver's licence files, has been stolen in the attacks.
Other confirmed victims of the attacks have included Johns Hopkins University and Health System, British Airways, the BBC and the Government of Nova Scotia. Companies including Shell and Ernst and Young are investigating a potential data breach.
This article first appeared on CRN.