MOVEit Breach: How One File Transfer Tool Exposed Thousands of Organizations
The Cl0p ransomware gang exploited a zero-day vulnerability in Progress Software's MOVEit Transfer, a widely-used managed file transfer solution. The attack has compromised over 2,500 organizations and exposed the data of more than 60 million individuals. It's one of the largest mass exploitation events in cybersecurity history.
What Happened
MOVEit Transfer is used by organizations to securely transfer sensitive files: healthcare records, financial data, legal documents, payroll information. It's the kind of enterprise tool that most people have never heard of but that handles enormous amounts of sensitive data.
Cl0p found a SQL injection vulnerability in MOVEit Transfer and exploited it at scale, extracting data from vulnerable instances worldwide before the flaw was publicly known or patched.
Who's Affected
The victim list spans every industry:
- Healthcare: Johns Hopkins, Community Health Systems (affecting millions of patients)
- Financial: 1st Source Bank, Putnam Investments, numerous pension funds
- Legal: Law firms using MOVEit for document exchange
- Government: Department of Energy, multiple state agencies, international agencies
- Education: Universities including UCLA, University of Rochester
Many victims weren't directly using MOVEit. They were exposed because a vendor or partner used MOVEit to process their data. The supply chain effect multiplied the impact dramatically.
The Supply Chain Lesson (Again)
MOVEit is the latest example of a pattern we've been tracking since NotPetya in 2017:
- 2017: NotPetya through M.E.Doc software update
- 2019: MSP attacks through remote management tools
- 2020: SolarWinds through Orion management platform
- 2021: Kaseya through VSA management software
- 2023: MOVEit through file transfer infrastructure
The common thread: widely-used infrastructure software that organizations depend on but don't think about becomes the attack vector. The more organizations that use a tool, the more valuable it is to attackers.
What Every Practice Should Do
- Inventory your file transfer methods. How does your practice send and receive sensitive files? Email attachments? Cloud storage? Vendor portals? Each one is a potential vulnerability.
- Ask your vendors. Do any of your vendors, partners, or service providers use MOVEit? If so, have they been affected? What steps have they taken?
- Review data sharing agreements. When you share data with a third party, what security obligations do they have? Are those obligations documented in a BAA, vendor agreement, or data processing addendum?
- Monitor for notifications. If your data was exposed through a vendor's MOVEit instance, you should receive a breach notification. Watch communications from your vendors and business partners closely.
You can secure your own systems perfectly and still be breached through a vendor's vulnerability. Supply chain security isn't optional. It's fundamental.