The exploitation of MOVEit’s zero-day vulnerability is shaping up to be the biggest cybersecurity story of the summer. The MOVEit breach serves as a reminder that managing risks requires more than just good in-house cybersecurity practices. The vendors you work with and their security practices (and the security practices of their vendors) are just as important.
Overview & Timeline
MOVEit is a managed file transfer product offered by Progress Software. It encrypts files and uses FTP to transfer data. It’s a popular tool in the healthcare industry as well as in thousands of offices in the tech and financial services sectors. Many government agencies also use MOVEit.
On or around May 31, 2023, a zero-day vulnerability in MOVEit was exploited by hackers. The vulnerability allowed an attacker to access MOVEit Transfer and MOVEit Cloud without authenticating.
Upon discovery of the vulnerability, Progress Software alerted its customers and provided mitigation steps. The company also released a security patch.
On June 7, Clop, a cyber gang believed to be based in Russia, announced that it had gained access to MOVEit’s transactions through the vulnerability. Clop has a history of exploiting flaws in other file transfer protocols, including Fortra’s GoAnywhere and Accellion’s application. The attackers said that organizations using MOVEit had until June 14 to contact Clop and pay a ransom to prevent stolen data from being published.
Since the original zero-day event, several other SQL vulnerabilities in MOVEit have been revealed and patched. It’s not clear if these vulnerabilities are under active exploitation.
Some analysts estimate that more than 340 organizations and 18 million individuals have been impacted by the MOVEit breach. Others say that the number is closer to 370 organizations. As of this week, Brett Callow, a researcher at Emsisoft, has identified 369 organizations that are likely involved in the breach. Of those 369, at least 93 were compromised through a third-, fourth-, or fifth-party supplier. Because the situation is so incredibly complex, many organizations may not yet realize they have been impacted. It may take months, or longer, for the true impact to be known.
Here’s what we know about some of the big names included in the breach:
Zellis (exposed payroll data for clients like BBC, Boots, and British Airways)
Oregon DMV (Social Security and driver’s license numbers)
Louisiana DMV (Social Security and driver’s license numbers)
Genworth Financial (private data of roughly 2.5 million employees and policyholders)
Shutterfly (no customer or employee data revealed)
Shell (employee personal information)
Government of Nova Scotia (personal information of some citizens)
University System of Georgia (research data possibly leaked)
U.S. Department of Energy (two unnamed entities)
Clop has started publishing files stolen from organizations who have, thus far, refused to pay the ransom.
The data that Clop has acquired through the MOVEit breach could be useful for any number of attacks on individuals, businesses, and governments. Attackers may still reach out to demand individual ransoms from each company. If the attackers don’t feel they can leverage the data for enough money through ransoms, they may sell the information on the dark web to be used for identity theft or other fraudulent purposes. This also puts affected organizations at risk for business email compromise (BEC) and phishing attacks.
MOVEit users should review Progress Software’s overview of the entire incident with required action steps. Customers must first download and install the initial patch as well as several followup patches for additional vulnerabilities found upon further investigation.
Progress also recommends scanning networks and infrastructures to identify any signs of compromise or unauthorized access. If there are any indications that a company was affected by the breach, they should reach out to their cyber insurance carrier. They can connect victims with approved incident responders who can provide guidance on notifying employees and customers whose personal information may have been exposed.
Even if you weren’t directly affected by the MOVEit breach, don’t breathe too deep a sigh of relief. This event is a good reminder that managing risk extends beyond keeping your own house in order. Third-party vendors must be a top consideration in your risk management strategy. Review all contracts to ensure that vendors have appropriate security standards. And stay on top of standards in your industry. Watch what other businesses like yours are doing to combat threats and hold your vendors (and yourself) to the most current standards.