
Patch Me If You Can: A Look at the Catastrophic MOVEit Hack

For anyone who periodically checks in on their favorite newsfeeds, there has been an alarming spate of cyberattack headlines recently, far more than the steady trickle we have become desensitized to. These stories involve cyberattacks that have impacted hundreds of companies, such as banks, medical schools, technology companies, universities, social services agencies, automotive suppliers, pension funds, oil companies, accounting and consulting companies, energy suppliers, and ironically, identity theft protection service providers. As wildly disparate as these businesses and their respective industries are, there is a common thread that runs through each of these incidents: a software tool called MOVEit. A vulnerability in this software has been leveraged by cybercriminals to compromise data belonging to millions of individuals, with more victims being reported with each passing day and no end in sight.

The following frequently asked questions (FAQs) have been aggregated to provide a summary of the MOVEit hack so that businesses can better understand how this catastrophic event happened.

  • What is MOVEit and who developed it?
    • MOVEit Transfer is a secure managed file transfer (MFT) software developed by Progress Software to securely share files.
  • What is the MOVEit cyberattack?
    • In late May 2023, it was determined that a zero-day SQL injection vulnerability in MOVEit Transfer and MOVEit Cloud was being exploited to exfiltrate data. A SQL injection occurs when attacker-controlled input (for example, a field submitted to a website or application) is placed into a database query without being escaped or parameterized, so the database interprets the input as part of the query itself. The attacker can then read, modify, or delete data in the backend database, which is how stolen data ends up in the hands of unauthorized users.
      Because MOVEit Transfer is used by many organizations, and by service providers that move files on behalf of their own customers, the incident is widely described as a supply chain attack: the criminals exploited internet-facing MOVEit Transfer instances directly, installed a web shell to retain access, and exfiltrated files belonging to the organizations running the tool, including data those organizations held for their customers. In that sense, MOVEit acted as a digital "Trojan Horse" for every organization that relied on it.
  • How many countries and organizations have been impacted by this attack?
    • While there have been more than thirty countries impacted by the attack, the vast majority of stolen data originated in the United States. As of mid-August, it is believed that there are more than a thousand organizations that were victims of the hack, either directly or via a third-party. The attack has affected more than 60 million individuals so far, and it is widely believed that these numbers will continue to grow before the attack has run its course.
  • Who was behind this attack?
    • It is believed that the criminals behind the attack on MOVEit belong to the ransomware group called CL0P, who are also believed to be behind the compromise of other file transfer solutions including Accellion File Transfer Appliance (FTA) and Fortra GoAnywhere Managed File Transfer (MFT).
  • What will CL0P do with the stolen data?
    • For organizations that do not pay a ransom, CL0P has threatened to expose the stolen data to the dark web or a publicly accessible website.
  • Did Progress Software patch the vulnerabilities?
    • Progress Software released a patch for the originally exploited vulnerability on May 31, 2023, and further patches in June for additional vulnerabilities uncovered in follow-up reviews of the product. Organizations running MOVEit Transfer should apply all of these updates, not just the first one.
  • Where should I go if I want additional information on the attacks?
    • While there are many resources that provide additional detail on the MOVEit attacks, one potential starting point is the joint cybersecurity advisory (CSA) AA23-158A released in June 2023 by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), which includes indicators of compromise and mitigation guidance.
  • What should I do if my organization was compromised by the MOVEit hack?
    • If your company was compromised due to the MOVEit hack or a related cyberattack, immediately begin coordinating with your legal, insurance, cybersecurity, and public relations resources as well as other members of your incident response team to strategize on how to respond to the compromise.
  • What should I do to avoid this type of attack from happening to my organization?
    • While there is no silver bullet to stop this type of attack from impacting your organization, there are a few best practices you can follow. Your company should first prioritize establishing and maintaining an inventory of any and all applications in use by your organization. After establishing this inventory, ensure that security updates and patches are being applied to all of your applications on a continuous basis. In addition to these initial steps, monitoring for anomalous network behavior and user access privilege escalation can help minimize risk, and developing and testing an incident response plan can also help reduce response time should an attack occur.
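To make the SQL injection definition above concrete, the following is an added illustrative example, not code from MOVEit, from Progress Software, or from the actual vulnerability described in the FAQ. It uses a constructed SQLite database with a hypothetical file-inventory table and a hypothetical credentials table, and shows the same attacker-supplied input run through a query built by string concatenation (vulnerable) and through a parameterized query (safe).

```python
import sqlite3

# Constructed sample data standing in for an application's backend database.
# Illustration of SQL injection in general; not MOVEit's schema or code.
SAMPLE_FILES = [
    ("alice", "acme-corp", "acme_payroll.csv"),
    ("bob", "acme-corp", "acme_contracts.pdf"),
    ("carol", "globex", "globex_hr_export.xlsx"),
]
SAMPLE_CREDENTIALS = [
    ("svc_transfer", "hunter2"),
    ("admin", "Winter2023!"),
]


def make_db():
    """Build an in-memory database with two hypothetical tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, tenant TEXT, filename TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", SAMPLE_FILES)
    conn.executemany("INSERT INTO credentials VALUES (?, ?)", SAMPLE_CREDENTIALS)
    conn.commit()
    return conn


def list_files_vulnerable(conn, tenant):
    """Vulnerable: the caller's input is concatenated into the SQL text,
    so the database parses whatever the caller sent as part of the query."""
    query = "SELECT filename FROM files WHERE tenant = '" + tenant + "'"
    return [row[0] for row in conn.execute(query)]


def list_files_safe(conn, tenant):
    """Hardened: the input is bound as a parameter value. The query text is
    fixed, so the input can only ever be compared against the tenant column."""
    query = "SELECT filename FROM files WHERE tenant = ?"
    return [row[0] for row in conn.execute(query, (tenant,))]


# Constructed malicious inputs.
# 1) Close the string literal and add a tautology: every row now matches.
TAUTOLOGY = "' OR '1'='1"
# 2) Close the literal, UNION in rows from an unrelated table, and comment
#    out the trailing quote: data the caller was never meant to see is returned.
UNION_EXFIL = "' UNION SELECT username || ':' || secret FROM credentials --"


def demo():
    """Run both payloads against both implementations and return the results."""
    conn = make_db()
    return {
        "tautology_vulnerable": list_files_vulnerable(conn, TAUTOLOGY),
        "tautology_safe": list_files_safe(conn, TAUTOLOGY),
        "union_vulnerable": list_files_vulnerable(conn, UNION_EXFIL),
        "union_safe": list_files_safe(conn, UNION_EXFIL),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function hands back every tenant's files for the first payload and the contents of the credentials table for the second; the parameterized function returns nothing for either, because no tenant is literally named after the payload string. The fix is not input filtering but never letting user input become query syntax, which is the same principle regardless of database engine or language.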

To fortify your company’s cybersecurity defenses, consider setting up a meeting to discuss how Citrin Cooperman can help protect your business. To get started, please reach out to Kevin Ricci at kricci@citrincooperman.com or a member of Citrin Cooperman’s Technology, Risk Advisory, and Cybersecurity (TRAC) Practice.
