The first victims to come forward included UK-based payroll and HR company Zellis (its customers British Airways, Aer Lingus, the BBC, and Boots were also hit), the Canadian province of Nova Scotia, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).
The list of organizations that have confirmed being hit continues to grow. Johns Hopkins University and Johns Hopkins Health System, UK media watchdog Ofcom, and a Missouri state agency have issued statements related to the incident in recent days.
CNN reported on Thursday that several US federal government agencies were also hit, according to Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). The list includes the Department of Energy, which has taken steps to mitigate the impact of the hack.
The cybercriminals claim they are only trying to get a ransom from businesses and that all the government data they have obtained has been deleted.
In the meantime, MOVEit developer Progress Software has informed customers about another new vulnerability, one that “could lead to escalated privileges and potential unauthorized access to the environment”. The vendor has released patches, but a CVE identifier has yet to be assigned.
“We took HTTPs traffic down for MOVEit Cloud in light of the newly published vulnerability and asked all MOVEit Transfer customers to take down their HTTP and HTTPs traffic to safeguard their environments while a patch was created and tested,” Progress explained in an advisory.
This comes less than a week after Progress announced the release of patches for CVE-2023-35036, new SQL injection vulnerabilities discovered by researchers during the analysis of the zero-day flaw.
The newer vulnerabilities do not seem to have been exploited in the wild.

