(Bloomberg) -- John Hammond, a senior researcher at the cybersecurity firm Huntress, had already lost a few nights of sleep when someone he’d been messaging with privately over Twitter delivered a bombshell.
The person, who declined to provide his name but describes himself as an exploit writer, told Hammond on June 15 that he had inadvertently stumbled upon a new zero-day vulnerability in MOVEit file-transfer software — the type of flaw that doesn’t have a fix, or patch, leaving users vulnerable to hackers. What’s more, the anonymous researcher publicly shared details about the flaw on Twitter — a potentially disruptive move that could’ve enabled attackers to exploit the vulnerability before the software owner could respond.
This was not the standard practice of cybersecurity researchers. They generally give organizations notice about such flaws before going public in an effort to avoid aiding bad actors. (The US Department of Homeland Security says that it gives organizations 45 days to respond to vulnerability reports before a public disclosure.)
It stood to exacerbate what was already a crisis over MOVEit, the software at the center of an ongoing hacking campaign by a Russian-speaking criminal group called Clop that exploited a different zero-day flaw to access files from at least dozens of companies and organizations. The researcher’s discovery ended up adding to the woes of Progress Software Corp., the company behind MOVEit software.
Progress had already issued a patch soon after it discovered the initial zero-day flaw exploited by Clop. And, based on a tip from Huntress, it issued another fix for a second zero-day earlier this month, Hammond said.
Now there was a third. In a private message on Twitter, the anonymous researcher told Hammond he had realized what he had discovered was a zero-day event, according to screenshots of the thread shared with Bloomberg News. The researcher, a self-described exploit writer and “white-hat” hacker — someone who finds and reports flaws rather than exploiting them — capped the note off with an emoji of an astonished face.
Hammond, who had spent recent days helping Huntress customers affected by the breach, said he tested the researcher’s method and concluded it was, in fact, another zero-day flaw. But by then, the researcher had already posted his discovery on Twitter.
Hammond responded to the researcher with an emoji face covered in sweat and asked that the Tweet be removed, according to the screenshots. The discovery was circulating on Slack too, he said. Hammond said he informed Progress of the new vulnerability in its code. The company was eventually forced to disable its MOVEit cloud services and urged customers to take down their own MOVEit servers. By the next day, a patch had been issued.
‘The Usual Process’
“At this time, we have not seen any evidence that this vulnerability has been exploited,” Progress spokesperson John Eddy said. “Across the industry, this type of software vulnerability is discovered tens of thousands of times a year and the usual process is to responsibly notify companies directly in order to limit risk, rather than posting about them publicly as occurred here.”
The zero-day was discovered as part of a normal, post-hack forensic process in which researchers reverse-engineer a breach to try to figure out what happened. During that process, they may discover new zero-day flaws in the software, but normally don’t publish them until the vendor has had a chance to issue a patch, Hammond said.
“Bottom line is that no one should’ve exposed this vulnerability until the mitigation had been posted, and certainly not posting any proofs of concept or discussions about how to exploit, as appears to have been done in this case,” said Tom Marsland, vice president of technology and technical services at Cloud Range Cyber, a cybersecurity training company.
Reached through Twitter, the anonymous researcher confirmed details of the exchange, and that he is based in Argentina. He said he didn’t initially realize he was tweeting a zero-day flaw.
The researcher, who goes by the Twitter handle @MCKSysAr, told Bloomberg he was trying to replicate and publish the method for the second zero-day found by Huntress, which had already been patched, in order to share information about that fixed vulnerability and to get ideas about how it was used to attack.
Except that the bug turned out to be new, the researcher said.
The researcher didn’t take down his post on Twitter, however, saying he figured it was too late. He said he didn’t realize he had found a zero-day until about 12 hours after he had made it public.
The researcher, who said he usually reports zero-days to vendors, said he also found a fourth MOVEit zero-day vulnerability on Friday and privately asked Hammond to pass it on to Progress — which screenshots confirm. Progress declined to comment on the claim, but a spokesperson for the company said it responsibly discloses and develops patches for critical known vulnerabilities and takes other appropriate measures to update customers.
The researcher said he didn’t mean to publicize an unpatched vulnerability, according to the screenshots. Even so, he had a request for Hammond: If Hammond did end up reporting the bug, the researcher said, don’t forget to mention him.
--With assistance from Jesse Levine.
©2023 Bloomberg L.P.