Unpacking the MOVEit Breach Statistics and Analysis

MOVEit is a file transfer platform made by Progress Software Corporation. The platform is used by thousands of governments, financial institutions, and other public and private sector bodies all around the world to send and receive information.

In late May 2023, data started to be transferred from hundreds of MOVEit deployments. However, these were not normal file transfers initiated by legitimate users: MOVEit had been hacked, and the data was being stolen by a ransomware operation called Cl0p.

The current tally of organizations and individuals known to have been impacted by this incident is shown below. The data is sourced from state breach notifications, SEC filings and other public disclosures, as well as Cl0p's website, and is current as of November 14, 2023.

The MOVEit breaches to have impacted the most individuals are:

US-based organizations account for 78.1 percent of known victims, Canada-based 14.0 percent, Germany-based 1.4 percent, and UK-based 0.8 percent.

The most heavily impacted sectors are education (40.6 percent), health (19.2 percent), and finance and professional services (12.1 percent).

While it is impossible to accurately calculate the cost of the MOVEit incident, it is possible to illustrate the potential cost. According to IBM, data breaches cost an average of 165 USD per record. Based on the number of individuals confirmed to have been impacted, that puts the cost of the MOVEit incident at 11,583,265,155 USD.

Some of the organizations impacted provide services to multiple other organizations, so the numbers above are likely to increase significantly as those organizations start to file notifications.

It should be noted that there will be some overlap in terms of individuals impacted. With so many organizations affected, it is inevitable that some individuals will have been affected more than once, and we have no way to account for this.

On May 31st, Progress Software issued an advisory and patch for a vulnerability subsequently identified as CVE-2023-34362 and assigned a severity rating of 9.8 out of 10. The company stated the vulnerability could lead to escalated privileges and potential unauthorized access to the environment. In other words, it was a vulnerability which could enable hackers to access MOVEit and steal data, something which it later emerged had been happening since at least May 27th.

On June 9th, Progress issued a patch for a second vulnerability, identified as CVE-2023-35036. On June 15th, a patch was issued for a third vulnerability, identified as CVE-2023-35708. Both vulnerabilities were critical and could have enabled the MOVEit platform to be further exploited.

Cl0p confirmed that it had been responsible for the attack on the MOVEit platform with the below June 6th post on the group's site on the dark web.

[Screenshot: Cl0p's June 6th post on its dark web site]

As shown in the above screenshot, Cl0p stated that the data which had been stolen from governments, cities and police services had been deleted. On July 17th, 2023, that claim was proven to be inaccurate when the group listed the UK's Office of Communications (Ofcom) and Ireland's Commission for Communications Regulation (Comreg).

The upstream/downstream chain in many MOVEit incidents is extremely complex, with some organizations being impacted because they used a vendor which used a contractor which used a subcontractor which used MOVEit. Additionally, some organizations have had MOVEit exposure via multiple vendors. This is especially true in the education sector, with some institutions being affected by incidents involving the National Student Clearinghouse, the Teachers Insurance and Annuity Association of America-College Retirement Equities Fund (which was impacted by an incident at a vendor, PBI Research Services), as well as third-party health insurance providers and other financial service providers.

Cl0p is a type of ransomware that has been used in cyberattacks since 2019. Data stolen in the attacks is published to a site on the dark web, a so-called data leak site or DLS, which the hackers refer to as CL0P LEAKS. The ransomware and website have been linked to FIN11, a financially-motivated cybercrime operation which has been connected to both Russia and Ukraine and which is believed to be part of a larger umbrella operation known as TA505.

While the actors behind Cl0p have previously deployed file-encrypting ransomware, they have increasingly switched to a smash-and-grab, exfiltration-only strategy, relying on the threat of releasing stolen data as leverage to extort payment. This is likely so that Cl0p can quickly exfiltrate data from as many organizations as possible before the vulnerability being exploited is patched.

This is not the first time the group has attacked a file transfer platform. MOVEit-like attacks were launched against Accellion File Transfer Appliances (FTA) in 2020-2021, SolarWinds Serv-U in 2021, and Fortra/Linoma GoAnywhere MFT servers in 2023.

The MOVEit incident highlights the challenges organizations face in securing their data. It's not only their own security they need to be concerned about; it's the security of their supply chains too. Complicating matters further is the fact that attacks which leverage zero-day vulnerabilities, as this one did, are extremely hard to defend against.

The incident will undoubtedly be extremely costly. Beyond remediation, organizations and their insurers will need to provide credit monitoring to individuals and will undoubtedly face multiple lawsuits. Additionally, there is significant potential for the stolen data to be used in spear phishing, BEC scams, etc., meaning that this one crime could act as an enabler for many other crimes.

The most important question is how we can stop a similar event from happening again. While that is not an easy question to answer, Secure by Design / Secure by Default initiatives could play a critical role.

The bottom line is that organizations cannot be expected to fend off attacks against vulnerable software, and so it needs to be made more secure. Unless we can improve the security of software, it is only a matter of time before there is another MOVEit-like incident.

Zach is a multifaceted writer specializing in finance, tech, and now broadening his expertise into the cybersecurity domain. When he's not writing, Zach expresses his creativity through music as a singer, bassist and producer.