US Securities and Exchange Commission Probes MOVEit Hack
Progress Software Says Investigation Is Fact-Finding Inquiry
The zero-day campaign underpinning the May mass attack on Progress Software's MOVEit file transfer software is now the vulnerability fueling a flotilla of attorneys, the software vendor disclosed in a regulatory filing listing pending litigation and governmental investigations.
Among the organizations investigating the May incident is the U.S. Securities and Exchange Commission, the company said.
An independent count of those directly or indirectly affected by the attack, executed by the Clop ransomware group, now tallies more than 2,500 organizations and over 64 million individuals. Among the organizations that recently acknowledged they were caught up in the breach is Sony, which alerted around 6,800 individuals earlier this month (see: Breach Roundup: Still Too Much ICS Exposed on the Internet).
Progress Software says in the regulatory filing that it received on Oct. 2 a subpoena seeking documents related to the incident. "The SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws," the company says. "Progress intends to cooperate fully with the SEC in its investigation."
Russian-speaking Clop appears to have unleashed a highly automated mass attack on MOVEit instances around May 29, likely timed to take advantage of the U.S. Memorial Day holiday weekend. The group came into possession of a MOVEit zero-day vulnerability, a SQL injection flaw tracked as CVE-2023-34362, possibly as long ago as July 2021.
Progress Software, based in Burlington, Massachusetts, is a defendant in 58 separately filed lawsuits seeking class action status, although the judicial body that manages civil cases pending in more than one jurisdiction consolidated them into a single suit in the U.S. District Court for the District of Massachusetts.
The company is also "cooperating with several inquiries from domestic and foreign data privacy regulators, inquiries from several state attorneys general" as well as an investigation by a federal law enforcement agency that has not named Progress Software as a target.
The attack so far does not appear to have greatly affected the publicly traded company financially. The company says that MOVEit products account for only approximately 4% of revenue. The MOVEit attacks have so far cost the company $1 million, net of an expected insurance payout of $1.9 million. Additional "investigation, legal and professional services expenses" are likely in the future, it said.
Progress says it had $15 million worth of cybersecurity insurance during the MOVEit attacks and still has $10.1 million available. It received $1.9 million for MOVEit costs and $3 million for a November 2022 cyber incident that has cost the company $4.2 million so far this year. Progress disclosed the earlier cyber incident last December. It involved "unauthorized access to Progress' corporate network, including evidence that certain company data has been exfiltrated," the company said.