
Cybercrime, Fraud Management & Cybercrime

Progress Software Says Investigation Is Fact-Finding Inquiry

US SEC Probes MOVEit Hack

The zero day that fueled a mass attack on Progress Software’s MOVEit file transfer software is now the vulnerability fueling a flotilla of attorneys, the company disclosed in a regulatory filing listing pending litigation and governmental investigations.


Among the organizations investigating the May incident is the U.S. Securities and Exchange Commission, the company said.

An independent count of those directly or indirectly affected by the attack, executed by the Clop ransomware group, now tallies more than 2,500 organizations and over 64 million individuals. Among the organizations that recently acknowledged they were caught up in the breach is Sony, which alerted around 6,800 individuals earlier this month (see: Breach Roundup: Still Too Much ICS Exposed on the Internet).

Progress Software says in the regulatory filing that on Oct. 2 it received a subpoena seeking documents related to the incident. “The SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws,” the company says. “Progress intends to cooperate fully with the SEC in its investigation.”

Russian-speaking Clop appears to have unleashed a highly automated mass attack on MOVEit instances around May 29, likely timed to take advantage of the U.S. Memorial Day holiday weekend. The group came into possession of a MOVEit zero-day vulnerability, an SQL injection flaw tracked as CVE-2023-34362, possibly as long ago as July 2021.

The Burlington, Mass.-based Progress Software is a defendant in 58 separately filed lawsuits seeking class action status, although the judicial body that manages civil cases pending in more than one jurisdiction consolidated them into a single suit in U.S. District Court for the District of Massachusetts.

The company is additionally “cooperating with several inquiries from domestic and foreign data privacy regulators, inquiries from several state attorneys general” as well as an investigation by a federal law enforcement agency that has not named Progress Software as a target.

The attack so far does not appear to have greatly affected the publicly traded company financially. The company says that MOVEit products account for only approximately 4% of revenue. MOVEit so far has cost the company $1 million once it deducts from the bill an expected insurance payout of $1.9 million. Additional “investigation, legal and professional services expenses” are likely in the future.

Progress says it had $15 million worth of cybersecurity insurance during the MOVEit attacks and still has $10.1 million available. It received $1.9 million for MOVEit costs and $3 million for a November 2022 cyber incident that has cost the company $4.2 million so far this year. Progress disclosed the earlier cyber incident last December. It involved “unauthorized access to Progress’ corporate network, including evidence that certain company data has been exfiltrated,” the company said.


