Progress Software could be facing fresh litigation over the zero-day found in its file transfer product, MOVEit, whose exploitation affected millions of end users globally.
The latest probe comes from the US Securities and Exchange Commission (SEC), which is seeking information related to the mass hack.
“On October 2, 2023, Progress received a subpoena from the SEC seeking various documents and information relating to the MOVEit vulnerability,” Progress Software said in a recent SEC filing. “At this stage, the SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws, and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security.”
Progress said it intends to cooperate fully with the SEC in its investigation.
The SQL injection vulnerability, tracked as CVE-2023-34362 with a CVSS score of 9.8, first came to light on May 28 when a customer contacted Progress to report unusual activity in its MOVEit environment.
Progress expects operational setbacks
Progress said investigations such as the one initiated by the SEC can adversely affect the company’s operations and expose it to further governmental and regulatory probes.
“Our financial liability arising from any of the foregoing (MOVEit exploits) will depend on many factors, including the extent to which governmental entities investigate the matter and limitations contained within our customer contracts; therefore, we are unable at this time to estimate the quantitative impact of any such liability with any reasonable degree of certainty,” Progress said.
Progress also said it expects operational losses from aggrieved customers, some of whom could temporarily pull out of scheduled contracts.
“If customers or partners seek refunds, delay implementation of our products, delay payment, fail to pay us under the terms of our agreements, or terminate use of our products, we may be adversely affected both from the inability to collect amounts due and the cost of enforcing the terms of our contracts (including litigation related thereto),” Progress added.
Twenty-three affected customers have already indicated that they “intend to seek indemnification” from Progress and are likely to delay payments under the terms of their contracts, the company said.
Costs from MOVEit continue to pile up
The MOVEit hack has had a scarring effect on Progress’ reputation, with over 65 million individuals worldwide having sensitive data compromised. Last week, Sony and Flagstar Bank confirmed 6,000 and 800,000 new victims, respectively, whose records were accessed in MOVEit-related incidents.
On September 25, BORN Ontario, a government-run birth registry in the Canadian province, confirmed the data of about 3.4 million people was exposed due to its use of the file-transfer service.
Several extortion campaigns were launched using the stolen data, and about a third of these attacks were attributed to Clop (a ransomware operation linked to the FIN11 group). On June 6, Clop published a statement on its dark web portal, claiming to have exploited the MOVEit vulnerability to exfiltrate data from hundreds of organizations.
The ransomware gang was reported to have hit at least three US government agencies by exploiting MOVEit file-transfer flaws. US authorities offered a $10 million reward for information linking Clop to a foreign government.
On May 31, Progress announced it had patched the zero-day in the on-premises versions of MOVEit Transfer and in its hosted service, MOVEit Cloud. The company subsequently acknowledged and patched several further SQL injection vulnerabilities in MOVEit — CVE-2023-35036, CVE-2023-35708, CVE-2023-36934, CVE-2023-36932, and CVE-2023-36933 — between mid-June and early July, with an average CVSS score of 9.4.
Another zero-day that set off alarms last week was a critical flaw (CVSS 10.0) in Atlassian Confluence Data Center and Server. The bug, tracked as CVE-2023-22515, was confirmed by Microsoft Threat Intelligence to have been exploited as a zero-day by the Chinese nation-state actor Storm-0062.