SEC completes investigation into MOVEit Transfer vulnerability
The Securities and Exchange Commission (SEC) has concluded its fact-finding mission into the MOVEit Transfer zero-day vulnerability. The regulator decided not to take action against software developer Progress.
MOVEit Transfer is an application many commercial parties use to exchange confidential files internally and with third parties.
In May 2023, the developer warned that the application contained a zero-day vulnerability. Through SQL injection, unauthorized users could manipulate the MOVEit Transfer database and steal confidential information.
“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content,” Progress Software Corporation said in a security advisory at the time.
Cl0p, a ransomware operation believed to operate from Russia, claimed to have transferred sensitive data from ‘hundreds’ of corporations and institutions worldwide, earning between 75 and 100 million dollars from extortion.
Security researchers at Emsisoft have calculated that the hacking group stole confidential data from 2,773 organizations and 95,788,491 people, including companies such as the BBC, British Airways, Gen Digital, the government of the Canadian province of Nova Scotia, Royal Dutch Shell and the University of Rochester.
In October 2023, Progress received a subpoena from the SEC to hand over all relevant documents concerning the MOVEit Transfer vulnerability. The software developer said it was part of a fact-finding inquiry by the American stock market regulator.
The SEC has now wrapped up its investigation. According to an 8-K filing and press release by Progress, the SEC’s Division of Enforcement “does not intend to recommend an enforcement action against the company at this time”.
While the SEC only gives a slap on the wrist, Progress still has to face dozens of class-action lawsuits in the Massachusetts federal courts.