The widely exploited vulnerability in Progress Software’s MOVEit file transfer service has impacted nearly 200 organizations, according to Brett Callow, threat analyst at Emsisoft.
The scope of damage caused by Clop’s mass exploit of a zero-day vulnerability in MOVEit continues to snowball as third-party vendors expose multiple downstream victims. Progress discovered the zero day over Memorial Day weekend on May 28.
Despite the number of victims so far, experts anticipate more will come forward. “While many organizations have made a disclosure, a significant number have yet to do so,” Callow said via email.
Progress on Wednesday released another update, including security fixes, and said it will consistently release MOVEit product updates every two months going forward.
The company reported nearly $1.5 million in cyber incident and vulnerability response expenses during the second quarter, which ended May 31, and said it expects to incur additional expenses in future quarters.
“We’ve been taking this issue very seriously,” Yogesh Gupta, president and CEO at Progress, said during the company’s June 29 earnings call, according to a Seeking Alpha transcript.
“While working through an issue of this nature, it’s important not to speculate broadly or prematurely but rather focus on the task at hand, doing what we can to protect our customers against the ongoing threat of cybercriminals,” Gupta said.
The education sector has been hit particularly hard as many widely used vendors in the space confirm impacts linked to Clop’s spree of cyberattacks that exploited the MOVEit vulnerability. Some schools have disclosed multiple breaches due to attacks against third-party vendors.
“Given the number of organizations in the education sector that have been impacted by MOVEit, it’s possible that the majority of schools in the U.S. will also have been impacted,” Callow said.
Major organizations in the education sector that have been impacted, and indirectly exposed schools and education professionals as a result, include the California Public Employees’ Retirement System, National Student Clearinghouse and TIAA.