Security News > 2023 > June > UK telco watchdog Ofcom, Minnesota Dept of Ed named as latest MOVEit victims

UK telco watchdog Ofcom, Minnesota Dept of Ed named as latest MOVEit victims
2023-06-13 06:28

Two more organizations hit in the mass exploitation of the MOVEit file-transfer tool have been named - the Minnesota Department of Education in the US, and the UK's telco regulator Ofcom - just days after security researchers discovered additional flaws in Progress Software's buggy suite.

Ofcom disclosed this week it is among the businesses and public bodies that have had their internal data stolen by crooks exploiting a MOVEit flaw.

"A limited amount of information about certain companies we regulate - some of it confidential - along with personal data of 412 Ofcom employees, was downloaded during the attack," Ofcom revealed in a statement yesterday.

An Ofcom spokesperson declined to answer any additional questions about the attack - including what specific data was stolen, who is responsible for the attack, and whether the intrusion occurred in an Ofcom-run MOVEit instance, or at a third party.

MDE director of communications Kevin Burns told The Register that the department believes the attack exploited the initial MOVEit vulnerability, CVE-2023-34362, which Progress patched on May 31.

"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content," according to the MITRE description of the new CVE. Progress has since patched CVE-2023-35036.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/06/13/ofcom_minnesota_moveit/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-06-12 CVE-2023-35036 SQL Injection vulnerability in Progress Moveit Transfer
In Progress MOVEit Transfer before 2021.0.7 (13.0.7), 2021.1.5 (13.1.5), 2022.0.5 (14.0.5), 2022.1.6 (14.1.6), and 2023.0.2 (15.0.2), SQL injection vulnerabilities have been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database.
network
low complexity
progress CWE-89
critical
 9.1
9.1
2023-06-02 CVE-2023-34362 SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer
In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.
network
low complexity
progress CWE-89
critical
 9.8
9.8