Feds Drop Probe Into Progress Software Over MOVEit Zero-Day
Clop Ransomware Group Exploited Flaw to Steal Data Pertaining to 95M Individuals
Progress Software said a U.S. regulatory probe triggered by the supply chain attack targeting users of its MOVEit secure file transfer software has ended.
The Securities and Exchange Commission initiated in October a probe into the Memorial Day 2023 mass hacking of MOVEit instances, but won't follow through with an enforcement action, the company told investors on Tuesday.
Investigators subpoenaed the Burlington, Massachusetts software vendor after the Russian-speaking Clop ransomware group initiated a surprise cyberattack that - by last count - affected 2,773 organizations.
Also known as Cl0p, the criminal group on May 27 began exploiting a zero-day vulnerability, later designated CVE-2023-34362. Four days later, Progress alerted users to the campaign and released a patch to fix the flaw.
By then, Clop's attacks appear to have ended. While the data-stealing extortion group didn't crypto-lock any of the MOVEit file-transfer servers it targeted, the group did steal voluminous amounts of data.
The group's campaign led to information about more than 95 million individuals being exposed, said security firm Emsisoft. The most-affected sectors have been education, healthcare and financial and professional services. Victims included IT consultancy Maximus, Shell Oil, healthcare software vendor Welltok, Delta Dental of California and state government agencies in Louisiana, Colorado and Oregon.
The attacks led to an estimated $75 million to $100 million windfall for the criminal group, paid via a few very large ransoms by affected organizations in return for a promise not to leak their stolen data, said ransomware incident response firm Coveware (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
Not all of the exposed information involved sensitive data. Experts also said some MOVEit users' exposure was minimized thanks to their not storing information for long periods of time on the file-sharing servers (see: Lessons to Learn From Clop's MOVEit Supply Chain Attacks).
The SEC's disinclination to bring an enforcement action doesn't spell the end of regulatory or legal trouble facing Progress Software. The company has warned investors that it is "cooperating with several inquiries from domestic and foreign data privacy regulators, inquiries from several state attorneys general" as well as an investigation by a federal law enforcement agency that hadn't named Progress Software as a target.
Reached for comment, the company said "Progress cannot comment on such matters," and referred to its public filings for any further information.
Hundreds of proposed class-action lawsuits have also been filed against Progress Software, and consolidated into a single suit in the U.S. District Court for the District of Massachusetts.
One of the latest proposed class-action lawsuits was filed in June by Florida resident Judith Wilson, who sued not only the software firm, but also Humana and Trilogy Home Healthcare, and Trilogy's law firm Kirkland & Ellis. Her lawsuit accuses the defendants of collectively failing to properly "secure and safeguard plaintiff's and other similarly situated individuals' private information," as well as delays in notifying victims.