In June 2023, a critical vulnerability (CVE-2023-34362) was discovered and exploited in MOVEit Transfer, a widely used file transfer application deployed across government agencies and healthcare organizations globally. Canadian government agencies and healthcare providers using MOVEit Transfer were significantly impacted, with exposure of sensitive data including 3.4 million birthing records from the Better Outcomes Registry & Network (BORN) Ontario. The incident demonstrated how a single critical vulnerability in widely deployed software can cascade across entire sectors, affecting millions of citizens.

About MOVEit Transfer

MOVEit Transfer is a managed file transfer application developed by Progress Software and used by thousands of organizations globally. Government agencies, healthcare organizations, financial institutions, and other enterprises rely on MOVEit Transfer for the secure exchange of sensitive documents and data. The application is ubiquitous in the Canadian government and healthcare sectors for inter-agency and inter-organizational file transfers.

The CVE-2023-34362 Vulnerability

In June 2023, a critical remote code execution (RCE) vulnerability was identified in MOVEit Transfer. The vulnerability allowed unauthenticated threat actors to:

  • Gain unauthorized access to MOVEit Transfer instances
  • Execute arbitrary code on affected systems
  • Access files stored in MOVEit Transfer repositories
  • Exfiltrate sensitive data
  • Establish persistent access to affected systems

Progress Software released patches addressing the vulnerability, but many organizations did not immediately update their systems, leaving them vulnerable to exploitation.

Canadian Government Impact

Multiple Canadian government agencies were impacted by the CVE-2023-34362 vulnerability:

  • BORN Ontario (Better Outcomes Registry & Network) - 3.4 million birthing records exposed
  • Provincial health agencies across multiple provinces
  • Federal government departments using MOVEit for secure file transfer
  • Local government agencies and municipalities
  • Public health organizations and disease surveillance systems

The BORN Ontario Incident

The most significant Canadian impact came from the compromise of BORN Ontario, the provincial birthing registry containing detailed records of approximately 3.4 million Ontario births. The exposed data included:

  • Mother and infant names and dates of birth
  • Hospital and delivery information
  • Health conditions and complications during delivery
  • Newborn health information and test results
  • Healthcare provider information
  • Family contact information

The exposure of detailed birthing records raised particular privacy concerns given the intimate health information involved and the vulnerability of children whose information was compromised.

Threat Actors and Exploitation

Multiple threat actors, including the Cl0p ransomware gang, rapidly exploited the CVE-2023-34362 vulnerability. Threat actors conducted mass scanning of the internet to identify vulnerable MOVEit instances and exploited them to exfiltrate data. The vulnerability proved especially dangerous because:

  • Exploitation required no authentication or user interaction
  • Automated tools could rapidly identify and exploit vulnerable instances
  • Data exfiltration could occur without detection in many cases
  • Organizations may not have noticed compromise for weeks or months

Response and Remediation

Canadian government and healthcare organizations responded rapidly to the CVE-2023-34362 vulnerability:

  • Canadian Centre for Cyber Security issued urgent advisories
  • Government agencies prioritized patching of MOVEit instances
  • Healthcare organizations implemented emergency updates
  • Affected organizations notified impacted citizens of data exposure
  • Forensic investigations determined scope of compromises
  • Enhanced monitoring of MOVEit instances for suspicious activity

Broader Vulnerability Implications

The MOVEit vulnerability highlighted critical lessons about software vulnerabilities in critical infrastructure:

  • Zero-day and recently disclosed vulnerabilities in widely used software pose enterprise-wide risks
  • Supply chain vulnerabilities through third-party applications can compromise entire sectors
  • Patch management must be rapid for critical vulnerabilities in mission-critical applications
  • Organizations must maintain awareness of security vulnerabilities in deployed applications
  • Automated patching and update mechanisms are essential for government and healthcare
  • Network segmentation can limit damage from compromised file transfer applications

Defense Strategies

The MOVEit incident prompted several defensive improvements across Canadian government and healthcare:

  • Implementation of automated patch management for critical applications
  • Enhanced vulnerability scanning to identify outdated software
  • Network segmentation to isolate file transfer applications
  • Access controls limiting data accessible through file transfer systems
  • Monitoring for suspicious file access and exfiltration
  • Rapid incident response procedures for critical vulnerabilities
  • Vendor security assessment and evaluation before deployment
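The monitoring points above (enhanced monitoring of MOVEit instances after the incident, and monitoring for suspicious file access and exfiltration as a standing control) are the kind of check that also works retrospectively, which matters because, as noted earlier, many organizations did not notice compromise for weeks or months. The following is an added example written for this page, not code from Progress Software or from any affected organization. It parses a constructed audit-log format (timestamp, account, source IP, action, path, bytes; this is not MOVEit Transfer's real log schema), then applies a sliding window per source IP to surface bursts of bulk downloads, annotating each finding with whether the source is outside the organization's expected client ranges and whether it occurred outside business hours. The thresholds, internal IP prefixes, business hours and sample records are all assumptions chosen for illustration.

```python
"""Retrospective bulk-download triage over file-transfer audit logs.

Added example for this page; not Progress Software code. The record layout
below is constructed for illustration and is NOT MOVEit Transfer's audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: timestamp,account,source_ip,action,path,bytes
SAMPLE_LOG = """\
2023-06-01T02:14:05Z,svc_transfer,203.0.113.7,DOWNLOAD,/Home/registry/births_2019.csv,418000000
2023-06-01T02:14:41Z,svc_transfer,203.0.113.7,DOWNLOAD,/Home/registry/births_2020.csv,422000000
2023-06-01T02:15:12Z,svc_transfer,203.0.113.7,DOWNLOAD,/Home/registry/births_2021.csv,431000000
2023-06-01T02:15:50Z,svc_transfer,203.0.113.7,DOWNLOAD,/Home/registry/births_2022.csv,440000000
2023-06-01T09:03:10Z,j.smith,10.20.30.41,UPLOAD,/Home/clinic/referral_0601.pdf,120000
2023-06-01T09:40:22Z,a.wong,10.20.30.55,DOWNLOAD,/Home/clinic/referral_0601.pdf,120000
2023-06-01T14:12:00Z,a.wong,10.20.30.55,DOWNLOAD,/Home/clinic/labs_0601.pdf,90000
"""

# Assumed tuning values (constructed for this example; tune to the environment).
INTERNAL_PREFIXES = ("10.",)       # address ranges the org expects clients to come from
BUSINESS_HOURS = (7, 19)           # UTC hours considered normal working time
WINDOW = timedelta(minutes=10)     # sliding window per source IP
BYTES_THRESHOLD = 1_000_000_000    # flag >= 1 GB downloaded within one window
FILES_THRESHOLD = 3                # or >= 3 files downloaded within one window


def parse_log(text):
    """Parse the constructed CSV-style records into dicts, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, action, path, size = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account, "ip": ip, "action": action,
            "path": path, "bytes": int(size),
        })
    return sorted(records, key=lambda r: r["ts"])


def is_external(ip):
    return not ip.startswith(INTERNAL_PREFIXES)


def is_off_hours(ts):
    return ts.hour < BUSINESS_HOURS[0] or ts.hour >= BUSINESS_HOURS[1]


def find_bulk_downloads(records):
    """Return one finding per source IP whose heaviest WINDOW of downloads
    exceeds BYTES_THRESHOLD or FILES_THRESHOLD."""
    by_ip = defaultdict(list)
    for r in records:
        if r["action"] == "DOWNLOAD":
            by_ip[r["ip"]].append(r)  # already time-ordered from parse_log

    findings = []
    for ip, rs in by_ip.items():
        best, best_total, start = [], 0, 0
        for end in range(len(rs)):
            # Advance the window start until the window spans at most WINDOW.
            while rs[end]["ts"] - rs[start]["ts"] > WINDOW:
                start += 1
            window = rs[start:end + 1]
            total = sum(x["bytes"] for x in window)
            if total > best_total:
                best, best_total = window, total
        if best_total >= BYTES_THRESHOLD or len(best) >= FILES_THRESHOLD:
            findings.append({
                "ip": ip,
                "accounts": sorted({x["account"] for x in best}),
                "first_seen": best[0]["ts"],
                "last_seen": best[-1]["ts"],
                "files": len(best),
                "bytes": best_total,
                "external": is_external(ip),
                "off_hours": is_off_hours(best[0]["ts"]),
            })
    return findings


if __name__ == "__main__":
    for f in find_bulk_downloads(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['files']} files, {f['bytes']} bytes, "
              f"accounts={f['accounts']}, external={f['external']}, "
              f"off_hours={f['off_hours']}, {f['first_seen']} .. {f['last_seen']}")
```

Run against a real export, the same logic would replace `parse_log` with a reader for the product's actual audit records and would be run across the full retention period rather than a single day, since the burst of interest may predate the point at which the organization learned of the vulnerability. The external-source and off-hours flags are there to rank findings for analysts, not to suppress them: an internal address downloading a registry in bulk still warrants a look.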

Sources