MOVEit Mayhem: Understanding Threats and Protecting Policyholders

More than six weeks have passed since Progress Software publicly disclosed a critical vulnerability in its widely used file-transfer program, MOVEit. In that time, additional vulnerabilities have emerged, and nearly 350 organizations have experienced a cyber attack at the hands of the Cl0p ransomware gang, compromising the personal data of more than 17 million individuals.

Multiple executive departments in the U.S. federal government were impacted by the attacks — more than 60% of the victims are based in the U.S. — along with high-profile financial institutions, healthcare providers, software companies, and more. A class-action lawsuit has also been filed, claiming Progress’ security practices were negligent.

Given the timely and widespread nature of the MOVEit hack, Coalition has dedicated a significant amount of time and resources to understanding these threats and protecting our policyholders. Here’s everything you need to know:

What is MOVEit?

MOVEit is a managed file transfer (MFT) solution that securely transfers files across organizations using different protocols. It is available on-premises and as a cloud-based software-as-a-service solution; both deployments have been impacted by a series of critical vulnerabilities.

What’s happening in the wild?

Coalition’s Security Research team has observed the vulnerabilities being exploited by threat actors who are mass-downloading data from organizations using the MFT solution. Thanks to data from Coalition honeypots, we now know that threat actors were targeting MOVEit for months before Progress announced the first vulnerability.

The circumstances of the MOVEit vulnerabilities have created a perfect storm of sorts:

  • MOVEit is used by thousands of enterprises, including 1,700 software companies and 3.5 million developers, according to Progress Software

  • The initial zero-day vulnerability has grown to six vulnerabilities, only one of which has been observed in the wild

  • Cl0p continues to publish the names of 10-15 new victims every day

  • Progress Software has only issued patches for “three distinct vulnerabilities,” complicating remediation for businesses

  • Evidence of attack is minimal, making it hard to determine if a network was accessed

“Secure file transfer products are the natural consequence of businesses recognizing that email is unsuitable for sending confidential information,” says Scott Walsh, Senior Security Researcher at Coalition. “However, these products are susceptible to zero-day attacks. Threat actors are using tried-and-true exploit methods to target the MOVEit vulnerabilities. Additionally, because Progress Software hasn’t clearly communicated to software administrators how to properly clean their systems, many organizations were impacted, even after systems were patched.”

Who’s at risk of experiencing an attack?

Businesses that fail to remediate vulnerabilities in their MOVEit software are at the greatest risk of experiencing a ransomware attack. Businesses of all sizes and industries have been impacted by the vulnerability. Healthcare, financial services, and professional services have been hit hardest thus far.

To date, Progress Software has issued three patches for the three vulnerabilities. However, due to the ongoing nature of this threat, all businesses are encouraged to look for further updates — even after patching.

The MOVEit attack reportedly leaves few technical indicators behind. Even for those that promptly patched, it’s still possible that Cl0p already gained access to their network. Businesses are encouraged to look for indicators of compromise.

“The MOVEit vulnerabilities have coincided with an increase in ransomware claims frequency in the market,” says Catherine Lyle, Coalition’s Head of Claims. “The most crucial trend to follow here is the failure to patch in a timely fashion. Policyholders with one unresolved critical vulnerability were found to be 33% more likely to experience a claim.”

How does this impact policyholders?

Upon the initial public disclosure, Coalition immediately notified all directly affected policyholders and advised them on how to resolve the issue. However, due to the high rate of exploitation, some businesses may have been affected before a patch was available. Policyholders who fear they were hit are eligible for a free one-hour consultation with Coalition Incident Response, our affiliate, to look for evidence of compromise.

We continue to urge all businesses that have yet to take action to immediately patch their affected systems. Because this is an active threat, we also encourage businesses to regularly check for new and additional remediation instructions from Progress Software.

To learn more about the specific vulnerabilities, Coalition policyholders can sign in to Coalition Control™. Businesses can monitor their partners and suppliers to help mitigate the risk of supply chain disruptions using our Vendor and Third-Party Monitoring. Non-policyholders can also sign up for Coalition Control™ to gain increased visibility into the MOVEit vulnerabilities and take charge of their cyber risk.

This article originally appeared in the July 2023 edition of the Cyber Savvy Broker Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.


Insurance products referenced herein are offered by Coalition Insurance Solutions, Inc. ("CIS"), a licensed insurance producer with its principal place of business in San Francisco, CA (Cal. license number 0L76155), acting on behalf of a number of unaffiliated insurance companies. A list of our admitted carriers is available here. Complete license information for CIS is available here. Insurance products offered through CIS may not be available in all states. All insurance products are governed by the terms and conditions set forth in the applicable insurance policy. Please see a copy of your policy for the full terms and conditions. Any information on this communication does not in any way alter, supplement, or amend the terms and conditions of the applicable insurance policy and is intended only as a brief summary of such insurance products. Policy obligations are the sole responsibility of the issuing insurance carrier. The descriptions provided herein are solely for informational purposes and are not to be construed as advice of any kind or the rendering of consulting, financial, legal, or other professional services from Coalition. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.