
MOVEit Breach

Rapid7 continues to track the impact of CVE-2023-34362, the critical zero-day vulnerability in the MOVEit Transfer solution (severity rating of 9.8). It allows for easy SQL injection, which usually results in unauthorized access to sensitive data (passwords, credit card details, PII, PHI and so on).

All MOVEit Transfer versions before May 31, 2023 are vulnerable to CVE-2023-34362, and all MOVEit Transfer versions before June 9, 2023 are vulnerable to CVE-2023-35036. Patches are now available and need to be applied.

Initially, the MOVEit breach was reported by only a small handful of companies, as current regulations require certain breaches to be reported within 60 days of discovery. Today, the count stands at 383 organizations reporting, impacting 20,421,414 individuals, including 70 schools, 31 international public sector operations and 20 US public sector operations.

Some of the impacted organizations provide services to other organizations, so these figures are likely to increase significantly as those downstream organizations begin to file their own notifications. For example, the National Student Clearinghouse, which was breached, partners with more than 3,500 schools in the U.S., and each of those schools is likely to be impacted.

The reverse network effect in many MOVEit incidents is extremely complex: some organizations are impacted because they used a vendor, which used a contractor, which used a subcontractor, which used MOVEit. Some organizations have had MOVEit exposure via multiple vendors, with most schools having four or more exposure paths through their use of common vendor products.

This incident has a very long tail and will undoubtedly be extremely costly. Beyond remediation, organizations and their insurers will need to provide credit monitoring to affected individuals and will surely face multiple lawsuits. Additionally, there is the very real potential for the stolen data to be used in spear phishing, BEC scams and similar attacks, in turn acting as an enabler for many other assaults.

There are lots of cool companies, such as Netography, Morphisec and Vectra AI, that I try to showcase every week on our podcast (https://cybered.io/podcast/) and whose tools can foil breach attempts like this one. Some are owned by Cisco (Armorblox and Oort), some by Zscaler (Smokescreen), but regardless of who owns them, if folks aren't using these tools for self-defense, they will have a hard time explaining to the FTC and the SEC why they should be treated as victims.

Weak software is a problem. It didn't begin with SolarWinds and Accellion, and it won't end with MOVEit. The entire ecosystem is built on assumptive preclusions and human dependencies, and it is past time we stop and start over.

Author

Steve King

Managing Director, CyberEd

King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.
