HC3 warns sector of critical MOVEit cybersecurity vulnerabilities
Healthcare organizations should prioritize patching two critical cybersecurity vulnerabilities found in Progress Software’s MOVEit managed file transfer platform.
The HHS Health Sector Cybersecurity Coordination Center (HC3) alerted the healthcare sector to two critical cybersecurity vulnerabilities in Progress Software’s MOVEit managed file transfer platform, identified in June 2024. The latest vulnerabilities are different from those exploited by Clop ransomware group in 2023.
The latest vulnerabilities (CVE-2024-5805 and CVE-2024-5806) affect certain versions of the MOVEit Gateway and MOVEit Transfer and may allow for authentication bypass.
“Progress, the company that owns and operates the MOVEit platform, has released patches to fix this vulnerability,” HC3 noted.
“However, exploit code is also available to the public, and this vulnerability is being actively targeted by cyber threat actors. All healthcare organizations are strongly urged to identify any vulnerable instances of MOVEit that exist in their infrastructure and patch them as a high priority.”
HC3 stressed the importance of patching, describing the flaws as “inherently egregious” vulnerabilities. Additionally, because past MOVEit vulnerabilities were exploited at a large scale by threat actors last year, the platform remains an enticing target for exploitation.
In June 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint cybersecurity advisory regarding Clop ransomware group’s exploitation of a SQL injection flaw in the MOVEit Transfer software.
Over the course of the next few months, organizations across a variety of sectors began notifying consumers of breaches stemming from the exploitation of the MOVEit Transfer vulnerability.
For example, healthcare software company Welltok notified 8.5 million individuals of a breach stemming from the MOVEit hack. Additionally, the Colorado Department of Health Care Policy & Financing (HCPF) notified more than 4 million individuals of a breach that originated at IBM, which had used the MOVEit software on behalf of HCPF. IBM also notified the Missouri Department of Social Services of the same incident. Dozens of other organizations reported breaches stemming from the 2023 MOVEit hack.
Considering the far-reaching impact of the past vulnerabilities, HC3 urged healthcare organizations to prioritize patching.
The American Hospital Association (AHA) also encouraged healthcare organizations to take note of the latest vulnerabilities.
“This vulnerability is especially serious as MOVEit is commonly used throughout the health care sector and government to transfer sensitive data such as protected health information. Last year, the Russian ransomware group known as Cl0P successfully exploited vulnerabilities in MOVEit to steal the health care records of tens of millions of Americans,” said John Riggi, AHA national advisor for cybersecurity and risk.
“This was a prime factor that contributed to the record number of health care records stolen in 2023. That number — 136 million — was 300% higher than in 2022. The identified critical vulnerabilities in MOVEit are another stark example of how hospitals and health systems are exposed to significant cyber risk through insecure third-party technology and service providers.”
Prioritizing swift patching can help healthcare organizations greatly reduce the risk posed by these vulnerabilities.