SEC Investigates MOVEit Vulnerability After Michigan Bank Falls Victim
The U.S. Securities and Exchange Commission (SEC) has launched an investigation into a vulnerability in MOVEit, a managed file transfer product sold by Progress Software Corp. The vulnerability, tracked as CVE-2023-34362, has been exploited by attackers to compromise and steal data from numerous companies and organizations. The most recent disclosed victim is a Michigan-based bank.
MOVEit is designed to facilitate secure and compliant transfers of sensitive files within and between organizations. The vulnerability, however, allows a remote attacker to submit a specially crafted SQL injection payload to a vulnerable MOVEit Transfer instance without first authenticating.
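To make the vulnerability class the article names concrete, here is an added illustration that is not code from the article, from Progress Software, or from MOVEit itself: a toy user lookup against an in-memory SQLite table, written once with the caller's input spliced into the SQL text and once with the input passed as a bound parameter. The table, the rows, the function names and the tampered input are all constructed for this example. The point is the defender's one: the same input that alters the query's structure in the first version is treated purely as data in the second, which is why parameterized queries are the standard fix for this bug class.

```python
import sqlite3

# Constructed in-memory database standing in for an application's user store.
# Table layout, rows and "hashes" are invented for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Vulnerable pattern: the caller-controlled value is concatenated into the
    # SQL text, so a quote character in the input changes the query's structure.
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: the value travels as a bound parameter. The database
    # driver never parses it as SQL, so quotes in it are just characters.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed input containing a quote that closes the string literal in the
# vulnerable query; no such user exists in the table.
TAMPERED_INPUT = "nobody' OR '1'='1"


def demo() -> dict:
    """Run both lookups on the same inputs and return the results side by side."""
    conn = make_db()
    return {
        # The spliced query matches every row even though "nobody" is not a user.
        "vulnerable": lookup_vulnerable(conn, TAMPERED_INPUT),
        # The parameterized query looks for a literal username and finds nothing.
        "hardened": lookup_hardened(conn, TAMPERED_INPUT),
        # Legitimate use of the hardened lookup still works as expected.
        "legit": lookup_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>10}: {rows}")
```

The reason the article's "even without authentication" detail matters for defenders is visible in the vulnerable function: nothing about it requires a valid session, so any reachable endpoint built this way is exposed to the whole internet rather than to logged-in users only. Patching and reviewing web-server logs for such endpoints is the first priority for anyone operating a file-transfer product with a disclosed bug of this kind.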
The long list of victims of these attacks includes major institutions such as the BBC, British Airways Plc, and the U.S. Department of Energy, along with several universities, healthcare providers, and other organizations such as the pharmacy chain Boots UK Ltd. The breach of the National Student Clearinghouse, a MOVEit victim disclosed in September, affected approximately 890 universities.
The most recent victim in the series of attacks is Flagstar Bank N.A., a prominent residential mortgage servicer and banking service provider in the U.S. The bank disclosed that Fiserv Inc., a vendor it uses for payment processing and mobile banking services, had been compromised. As a result, the personal data of around 837,390 customers is believed to have been stolen.
Of particular concern is the fact that Fiserv, a New York Stock Exchange-listed financial technology company, provides services to numerous banks and finance companies, as well as to tech giants such as Google LLC and Microsoft Corp. If Fiserv has been compromised, the number of victims among its customer base alone could be significantly larger than initially anticipated.
Progress Software, the provider of MOVEit, revealed in a regulatory disclosure that the SEC has issued a subpoena requesting various documents and information related to the MOVEit vulnerability. The company noted that an SEC investigation does not imply any violation of federal securities laws, nor does it reflect a negative opinion of any individual, entity, or security. Progress Software said it is cooperating fully with the SEC in the investigation.
This investigation is just one of the many challenges facing Progress Software in light of the MOVEit vulnerability. The company is also facing 23 direct lawsuits from affected customers and has been named in 58 class action lawsuits. Additionally, Progress Software has been responding to inquiries from data privacy regulators and state attorneys general both domestically and internationally.
The SEC has made no public comment on the investigation, but the fact that it is only now requesting documents suggests the inquiry is still in its early phase.
As the investigation unfolds, organizations running MOVEit software should remain vigilant, apply the vendor's fixes, and take the security measures needed to protect their sensitive data. Cybersecurity remains a critical concern, and companies must prioritize safeguarding their systems against vulnerabilities of this kind and the attacks that exploit them.