As the consequences of the Clop ransomware gang’s MOVEit attack unfold, two new victims, namely The Minnesota Department of Education in the US and UK telecom regulator Ofcom have emerged. To add fire to the fuel, researchers have also discovered two additional flaws in the software suite.
The Minnesota Department of Education revealed quite a lot of details about the attack, stating that it was informed of the vulnerability on May 31, the same day as “an outside entity” accessed 24 files on the department’s MOVEit server. The compromised files included data transferred to the department from the Minnesota Department of Human Services to meet state and federal reporting requirements. Other files accessed included data from the school districts of Minneapolis and Perham as well as the Hennepin Technical College.
Overall, the leaked data included roughly 95,000 students’ names that were placed in foster care across the state, 124 students in the Perham School District who qualified for the Pandemic Electronic Benefits Transfer, 29 students who were taking PSEO classes at Hennepin and five students from a particular Minneapolis Public School’s bus route.
These files included student names, birthdays, parents’ or guardians’ names and home addresses of some students as well. Additionally, PSEO participants’ high school and college transcripts information and the last four digits of their social security number were also exposed. The department however maintains that no financial data was stolen.
As for Ofcon, their statement says that the company lost a “limited amount of information about certain companies” that the service provider regulates, some of the data being confidential. The personal data of 412 Ofcom employees was also downloaded during the attack. No Ofcom systems were affected during the attack according to the company.
Additional vulnerabilities discovered by Progress
Two new vulnerabilities have also been discovered by Progress with the help of cybersecurity firm Huntress. These new vulnerabilities are tracked as
- CVE-2023-35036: The exploit allows an attacker to submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content.
- CVE-2023-34362: Depending on the database engine being used, an attacker may be able to extract information about the structure and contents of the database as well as execute SQL queries that alter or delete database elements.
They’re distinct from the initial vulnerabilities and have already been patched as of June 9. Research into the aforementioned vulnerabilities and possibly more is still ongoing. Progress reports that there’s no evidence of the vulnerabilities being exploited in the wild yet. However, with Clop reportedly having knowledge of the initial vulnerabilities since 2021,
In the News: 7000 subreddits protesting API change causes Reddit blackout
