MOVEit Data Breach Victims Sue Progress Software

Fallout for Progress Software continues over a massive data breach that appears to have affected hundreds of private and public sector organizations that use its MOVEit file transfer software.

See Also: OnDemand Webinar | Learn Why CISOs Are Embracing These Top ASM Use Cases Now

A handful of individuals affected by the breach have now filed a lawsuit, seeking class action status, against New Bedford, Massachusetts-based Progress Software. Plaintiffs Shavonne Diggs, Brady Bradberry and Christina Bradberry accuse Progress of having failed “to properly secure and safeguard” individuals’ personal data, leaving them at increased risk of identity theft.

The plaintiffs further accuse Progress of failing to notify affected individuals in a timely manner as well as failing “to both properly monitor and properly implement data security practices” that would have better protected personal data and may have enabled the organization to “have discovered the breach sooner.”

New York-based law firm Siri & Glimstad LLP, which is representing plaintiffs, filed the lawsuit Tuesday in Massachusetts federal court, as Bloomberg Law first reported.

Zero-Day Attack

Progress first publicly disclosed and patched the SQL vulnerability, tracked as CVE-2023-34362, on May 31.

Since then, the Clop ransomware group has claimed credit for exploiting the zero-day flaw in the MOVEit software, which allowed attackers to steal sensitive data tied to such organizations as British Airways, Shell and the U.S. Department of Energy.

Clop continues to threaten victims, demanding a ransom payment and leaking data for nonpayers, which are typical extortion tactics practiced by ransomware groups. Recent MOVEit victims claimed by the group include Sony and consultancies PwC and EY.

Multiple organizations have begun to notify affected individuals about breaches related to MOVEit, as required by states’ data breach notification rules.

Plaintiffs in the proposed class action lawsuit are all residents of Louisiana who were affected by the attackers stealing information from the state’s Office of Motor Vehicles. On June 15, the agency notified all residents who have a state-issued driver’s license, ID or car registration that the attack likely exposed their Social Security numbers, driver’s license numbers, vehicle registration information, birthdates and other personal details. “All Louisianans should take immediate steps to safeguard their identity,” the OMV warned.

Supply Chain Attacks

This isn’t the first time a ransomware group or even Clop has launched a supply chain attack involving widely used file transfer software. Earlier this year, Clop took credit for a large-scale attack campaign that exploited a zero-day vulnerability to steal data from customers of Fortra’s widely used managed file transfer software GoAnywhere MFT.

The GoAnywhere attacks appear to have begun on Jan. 25, and Fortra released a patch for the exploited vulnerability on Feb. 7. Since then, victims have collectively filed multiple proposed class action lawsuits in federal court against Fortra.

Security researchers at incident response firm Kroll said Clop appears to have known about the MOVEit vulnerability and had been experimenting with it via manual attacks since at least July 2021.

Kroll said automated “mass exploitation” of the flaw didn’t begin until May 27-28, in an attack campaign apparently timed to take advantage of the Memorial Day holiday weekend in the United States.

“The Clop threat actors potentially had an exploit for the MOVEit Transfer vulnerability prior to the GoAnywhere MFT secure file transfer tool exploitation … but chose to execute the attacks sequentially instead of in parallel,” Kroll’s researchers reported.

Was Only Clop Involved?

By exploiting the MOVEit vulnerability, Clop appears to have stolen sensitive data from hundreds of organizations, although questions are being raised about whether that ransomware group was the only gang targeting the zero-day flaw.

The BBC reported Wednesday that Clop had claimed to not possess stolen data for the BBC, Boots and British Airways – obtained via their U.K. payroll provider, Zellis – despite Zellis saying that information was stolen.

“We don’t have that data and we told Zellis about it. We just don’t have it,” Clop claimed to the BBC.

Experts say the criminal syndicate could be lying – it wouldn’t be the first time a ransomware group has done so – or perhaps another group of hackers was also exploiting the MOVEit zero-day flaw prior to it being patched. In a message to the BBC, Clop vehemently denied that any other attackers had exploited the vulnerability or used it to steal data.

Since the zero-day flaw exploited by Clop was identified and patched, Progress subsequently reported and fixed two more zero-day SQL injection vulnerabilities – CVE-2023-35708 on June 9 and CVE-2023-35036 on June 15.

A security researcher who uses the handle @MCKSysAr discovered the third zero day – and thought he had discovered a fourth. As Bloomberg reported, he later confirmed an assessment by Progress that the supposed fourth vulnerability was not a flaw, since the potential exploit is automatically blocked by the MOVEit software.