Progress Software, a company that creates and deploys business applications, disclosed on Wednesday, May 31, that a critical vulnerability in its popular MOVEit Transfer application has been under exploitation. Organizations use the application to create automated file transfer tasks and workflows and to track and report every transfer. The zero-day vulnerability (a flaw in software that is unknown to the party or parties responsible for patching or fixing it) could lead to escalated privileges and potential unauthorized access in the managed file transfer product. As of June 2, there were 2,526 MOVEit Transfer applications that were publicly accessible, according to the Shodan search engine, which is designed to map and gather information about internet-connected devices and systems.
"Any organization using MOVEit should forensically examine the system to determine if it was already compromised and if data was stolen," Mandiant Consulting Chief Technology Officer Charles Carmakal said in an emailed statement. "Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data."
This exploitation comes on the heels of the zero-day vulnerability that impacted Fortra's GoAnywhere file transfer software back in January and led to hundreds of ransomware attacks by the Russian extortion group Clop. Fortra and Palo Alto Networks Unit 42 reported that more than 100 organizations experienced the effects of the bug as of April, and Clop took responsibility for more than 50 attacks using the now-patched GoAnywhere zero-day. File transfer solutions have quickly become a valuable target for cybercriminals, particularly ransomware groups such as Clop, dating back to the Accellion file transfer appliance incident in December of 2020.
In their disclosure of the vulnerability, Progress provided recommended remediation, including applying the necessary patches for all supported MOVEit Transfer versions. Further, Progress advised that organizations should consider additional security best practices, including the following:
If exploited, the vulnerability allows hackers to steal data from the software company's customers, as well as giving an attacker the ability to import malware that could compromise machines. If your business has been impacted by this vulnerability, we recommend reviewing the notice requirements under your cyber insurance policy, which could provide coverage for potential business interruption losses, cyber extortion loss, and data breach response costs, including data recovery and restoration costs, costs to notify affected customers and costs to perform computer forensics on your network.
Your broker can assist you in determining what coverage may be available to you and how to calculate your potential loss. If your organization has been impacted and there is coverage under your policy, your carrier will provide guidance on what steps to take to respond to this incident, which could include hiring a law firm to advise on what your reporting obligations could be to clients and regulators. Working with your broker to understand the exploit, its impact and how to fully maximize the cyber coverage that may be available will be critical.
Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).