After discovered after a recent security vulnerability audit CVE-2023-35036 (dated 9 June) and CVE-2023-34362 dated May 31, Progress Software, the parent company of developers MOVEit Transferwarned all clients of the platform about limiting everything http– access to their environments after information about another one appeared on the Internet earlier service vulnerabilities using the SQL injection method (SQLi).

A fix for the new critical security bug is not yet available, but it is currently being tested and will be released “soon” according to the company.

Until security updates are released for the affected software versions, Progress Software “strongly” recommends that field administrators change their firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 as a temporary workaround.

Even if users can no longer log into their accounts through the web interface, file transfer will still be available as long as the SFTP and FTP protocols continue to work properly.

Administrators can also access MOVEit Transfer by connecting to a Windows server via Remote Desktop and then connecting via localhost.

While Progress Software specialists are desperately trying to close all the holes in their MFT service, Clop hackers, who managed to successfully kidnap the data of a huge number of companies, due to the zero-day vulnerability of MOVEit Transfer, is actively blackmailing companies.

Previously we have already reported that on June 7, Clop issued an ultimatum to companies affected by the data breach. The organizations affected by the attack had to independently contact the extortionists before June 14, otherwise the hackers promised to leak their data to the network without the possibility of an agreement.

Yesterday, members of the Clop gang listed 13 companies on their data breach site, but did not indicate whether they were associated with MOVEit Transfer attacks or were ransomware encryption attacks. Among those affected: the fuel giant ShellUniversity of Georgia in the USA and investment fund Putnam. The list also includes a number of US banks and organizations in the Netherlands and Switzerland.

Shell representatives already stated that they are not going to negotiate with the gang’s hackers. Apparently, the company has held a grudge since the last time the Clop extortionists hacked Accellion FTA in 2021 and also got access to Shell data.

British provider of payroll and HR solutions Zellis one of the very first confirmed which was subjected to a data breach that also affected some of its clients, including companies BBC, british airways and pharmacy network Boots.

Johns Hopkins this week also confirmed a cybersecurity incident allegedly linked to a massive MOVEit hack. The university said in a statement that the data breach “may have affected the personal and financial information” of university students and staff, including names, contact information and medical billing records.

Ofcomthe British communications regulator, also reported that a massive MOVEit hack compromised some sensitive information. The regulator’s statement confirmed that hackers gained access to some data about companies it regulates, along with the personal information of 412 Ofcom employees.

According to British media, the Clop attack also affected: Transport for London, the government body responsible for managing London’s transport services; and global consulting firm Ernst and Young.

Many more victims are expected to be identified in the coming days and weeks as thousands of MOVEit servers, most of which are located in the United States, can still be found on the Internet using special tools.