HHS Urges Patch of MOVEit Vulnerability, as Company Finds More Security Flaws

By Jessica Davis

Following the disclosure of a critical vulnerability in the Progress Software MOVEit Transfer application, the company uncovered additional security flaws that could also be used by threat actors to exploit the targeted system. A total of three critical vulnerabilities have been uncovered this month.

The latest bug is an SQL injection flaw that could enable an unauthenticated threat actor to escalate privileges and gain unauthorized access to the environment. The vulnerability was assigned two separate CVEs: CVE-2023-35708 and CVE-2023-35036.

Progress Software has since issued a software update and is urging clients to apply the provided patch.

The MOVEit software is used by multiple healthcare sector entities, including hospitals, clinics, and health insurance groups, according to a new Department of Health and Human Services Cybersecurity Coordination Center alert.

An exploit could enable an attacker to submit a crafted payload to the application endpoint, which could lead to the modification and disclosure of database content. For healthcare entities, this could lead to the theft or exposure of medical records, bank records, social security numbers, and addresses.

The Clop ransomware group’s ongoing targeting and exploits of the MOVEit vulnerabilities also put these entities at risk of extortion. As seen with reports in the last week, including the exposure of Nova Scotia Health data, the risk to health entities is not just a hypothetical concern.

Multiple local, state, and federal agencies reported falling victim to cyberattacks deployed against the MOVEit Transfer vulnerabilities, including two Department of Energy branches. The number of impacted entities across all sectors is currently unknown, but the Clop ransomware group has claimed a majority of these attacks. Targeted sectors include energy, healthcare, and financial services.

The education sector has also been hard hit by the exploits, with Johns Hopkins University in Baltimore and its renowned health system reporting that sensitive personal and financial information, including health billing records, was potentially stolen after the hack of the MOVEit application. The University of Georgia school system is investigating an attack on its network, as well.

Meanwhile, millions of Oregon and Louisiana residents were warned their identities were at risk, after threat actors gained access to the states’ transportation departments through the vulnerability and stole data including names, contact details, and Social Security numbers.

“I don’t believe we’ve seen the full exploitation thrust of this vulnerability in the health sector,” said First Health Advisory CEO Carter Groome. “We remain on high alert for MOVEit IOCs.”

HC3 is urging healthcare entities currently using MOVEit to take immediate action, in addition to applying all updates outlined by Progress Software.

“All MOVEit Transfer customers must take action and apply the patch to address the June 15 CVE-2023-35708 vulnerability discovered in MOVEit Transfer,” Progress Software officials warned. Those that have not yet applied the remediation to the initial bug are urged to do so immediately or disable all HTTP and HTTPS traffic to the transfer application environment to prevent exploitation.

HC3 also recommends healthcare entities utilize free resources from the Cybersecurity and Infrastructure Security Agency’s Stop Ransomware, HHS 405(d), and the Health-ISAC, which support the proactive and reactive measures for healthcare entities.

“The probability of cyber threat actors targeting the healthcare industry remains high,” HC3 warns. “Prioritizing security by maintaining awareness of the threat landscape, assessing their situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations.”