US SEC launches probe into mass MOVEit breach

The US Securities and Exchange Commission (SEC) has launched a probe into the mass breach of Progress Software’s MOVEit file transfer tool, which is now estimated to have affected over 2,000 organisations and exposed the personal data of around 64 million people.

Conducted by ransomware operation Clop (or Cl0p) in late-May 2023, the breach involved the exploitation of a zero-day structured query language injection vulnerability in the tool, which allowed the criminal enterprise to exfiltrate massive amounts of data from a variety of organisations without deploying a ransomware locker.

While Progress Software subsequently patched three separate vulnerabilities in the weeks following the incident (CVE-2023-34362, CVE-2023-35036 and CVE-2023-35708), Clop’s smash-and-grab exfiltration tactics meant it was able to steal a significant amount of data before the patches took place, and use the threat of releasing that data to extort payments from the victims.

In a regulatory filing, Progress Software said it had received a subpoena from the SEC on 2 October “seeking various documents and information relating to the MOVEit Vulnerability”, adding that the regulator’s inquiry at this stage is limited to fact-finding.

“The investigation does not mean that Progress or anyone else has violated federal securities laws, and the investigation does not mean that the SEC has a negative opinion of any person, entity or security,” it wrote. “Progress intends to cooperate fully with the SEC in its investigation.”

According to research by security supplier Emsisoft, the current number of organisations impacted by the incident reached 2,547 as of 12 October, while the number of people affected has reached 64,467,518.

Progress Software confirmed in its filing it is now facing dozens of legal battles as a result of the breach, including 23 formal letters from customers, an unspecified number of which are seeking indemnification; an insurer serving a subrogation notice seeking recovery for all expenses incurred in connection with the vulnerability; and 58 class action lawsuits filed by individuals who claim to have been impacted by the data exfiltration.

In terms of expenses already incurred, the filing added that the MOVEit vulnerability has cost the company around $1m so far, although it further added that the full cost is not yet known due to all of the ongoing legal matters and investigations.

“With respect to the litigation, the proceedings remain in the early stages, alleged damages have not been specified, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved,” it said.

“Also, each of the governmental inquiries and investigations mentioned above could result in adverse judgements, settlements, fines, penalties or other resolutions, the amount, scope and timing of which could be material, but which we are currently unable to predict. Therefore, we have not recorded a loss contingency liability for the MOVEit Vulnerability as of 31 August 2023.”

Progress Software added that it expects to incur additional costs of $4.2m related to a separate cyber security incident in November 2022, although there are no details about this incident other than it being disclosed by the firm the next month.

A Progress Software spokesperson told TechCrunch the November 2022 incident, in which the company remained fully operational throughout, was not related to any “recently reported software vulnerabilities”.

Speaking with Recorded Future News, Emsisoft threat analyst Brett Callow, who has tracked the situation since it was first unveiled in May, said it was very likely Clop and other threat actors would use the exfiltrated data to launch further cyber attacks on other organisations, including phishing and business email compromise attacks.