Maryland joins states affected by MOVEit vulnerability

The Maryland Department of Human Services confirmed over the weekend that it, too, is among the growing count of state government agencies to be snagged up in a global cyberattack targeting the popular file-transfer software MOVEit.

According to the Saturday announcement, the agency was affected through a third-party vendor that uses MOVEit, which was attacked May 31 when actors affiliated with the Cl0p ransomware gang began exploiting a previously unknown vulnerability in the file-transfer platform. Maryland officials said there is “no current indication” that any stolen data has been sold or published on an extortion site, nor has the state been contacted by the malicious actors.

Gov. Wes Moore has asked the state Department of Information Technology to investigate the extent of the MOVEit breach and to determine if any other Maryland agencies have been affected. The Department of Human Services is the state’s primary social services agency, and provides child and adult protective services, nutrition assistance, refugee resettlement and legal aid.

MOVEit’s publisher, Progress Software, has confirmed three new vulnerabilities since the start of the month and has issued patches. Still, the number of organizations around the world compromised by the Cl0p hacking campaign continues to grow. Several other state governments — including Colorado, Minnesota, Illinois, Missouri, Louisiana and Oregon — have confirmed incidents involving a range of agencies, including drivers’ services, education departments and Medicaid programs.

Multiple federal agencies have also been affected, including the Department of Energy and the Office of Personnel Management.

The Cl0p group has started posting tranches of data stolen from corporate victims of the MOVEit breach on its extortion site, though the site states it has not stolen any files from government customers of the file-transfer tool.