Feds Drop Probe Into Progress Software Over MOVEit Zero-Day

Clop Ransomware Group Exploited Flaw to Steal Data Pertaining to 95M Individuals
The U.S. Securities and Exchange Commission dropped an investigation into Progress Software over the 2023 mass exploitation of its MOVEit file transfer software.

Progress Software said a U.S. regulatory probe triggered by the supply chain attack targeting users of its MOVEit secure file transfer software has ended.

The Securities and Exchange Commission initiated in October a probe into the Memorial Day 2023 mass hacking of MOVEit instances, but won't follow through with an enforcement action, the company told investors on Tuesday.

Investigators subpoenaed the Burlington, Massachusetts software vendor after the Russian-speaking Clop ransomware group initiated a surprise cyberattack that - by last count - affected 2,773 organizations.

Also known as Cl0p, the criminal group on May 27 began exploiting a zero-day vulnerability, later designated CVE-2023-34362. Four days later, Progress alerted users to the campaign and released a patch to fix the flaw.

By then, Clop's attacks appear to have ended. While the data-stealing extortion group didn't crypto-lock any of the MOVEit file-transfer servers it targeted, the group did steal voluminous amounts of data.

The group's campaign led to information about more than 95 million individuals being exposed, said security firm Emsisoft. The most-affected sectors have been education, healthcare and financial and professional services. Victims included IT consultancy Maximus, Shell Oil, healthcare software vendor Welltok, Delta Dental of California and state government agencies in Louisiana, Colorado and Oregon.

The attacks led to an estimated $75 million to $100 million windfall for the criminal group, paid via a few very large ransoms by affected organizations in return for a promise not to leak their stolen data, said ransomware incident response firm Coveware (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).

Not all of the exposed information involved sensitive data. Experts also said some MOVEit users' exposure was minimized thanks to their not storing information for long periods of time on the file-sharing servers (see: Lessons to Learn From Clop's MOVEit Supply Chain Attacks).

The SEC's disinclination to bring an enforcement action doesn't spell the end of regulatory or legal trouble facing Progress Software. The company has warned investors that it is "cooperating with several inquiries from domestic and foreign data privacy regulators, inquiries from several state attorneys general" as well as an investigation by a federal law enforcement agency that hadn't named Progress Software as a target.

Reached for comment, the company said, "Progress cannot comment on such matters," and referred to its public filings for any further information.

Hundreds of proposed class-action lawsuits have also been filed against Progress Software, and consolidated into a single suit in the U.S. District Court for the District of Massachusetts.

One of the latest proposed class-action lawsuits was filed in June by Florida resident Judith Wilson, who sued not only the software firm, but also Humana and Trilogy Home Healthcare, and Trilogy's law firm Kirkland & Ellis. Her lawsuit accuses the defendants of collectively failing to properly "secure and safeguard plaintiff's and other similarly situated individuals' private information," as well as delays in notifying victims.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



