The non-profit organization, which delivers reporting, verification and research services to higher education institutions across North America, informed the state of Maine’s attorney general in late August that more than 51,000 individuals are affected by this most recent incident.
Emsisoft, which has been keeping track of the organizations that were directly and indirectly impacted by the MOVEit hack, reported that the total number of victims from all the hacks reached 2,053 on Sept. 22. The total number of impacted individuals exceeds 57 million.
Progress Software, makers of the MOVEit software, disclosed there was a critical zero-day vulnerability in the application that allowed unauthorized third parties to access its customers’ MOVEit environments back on May 31.
In an alert about this most recent incident, the National Student Clearinghouse said that the unauthorized party obtained certain files within the Clearinghouse’s MOVEit environment that may have included information from the student record database on current or former students. The Clearinghouse said it has no evidence that the affected files included the enrollment and degree files that organizations submit to the Clearinghouse for reporting requirements and for verifications.
The Clearinghouse has contracted with a third-party cybersecurity firm to conduct an investigation and has contacted law enforcement. It said the attack only involves its MOVEit file transfer application.
As cyber teams continue to address this spate of attacks, the news should serve as a wakeup call to every organization that security teams must remediate this serious zero-day vulnerability immediately, said Darren Guccione, co-founder and CEO at Keeper Security. However, Guccione said as any organization grows and becomes a more appealing target, the quality and focus of these attacks will increase accordingly.
“All organizations should take a proactive approach to regularly update software and immediately patch vulnerabilities that are being actively exploited in the wild,” said Guccione. “Organizations must ensure they have a patch deployment process defined and written down, with emergency levers for critical vulnerabilities. When organizations have a clear plan, their teams can execute it accordingly."
John Bambenek, principal threat hunter at Netenrich, added that MOVEIt is an inherently internet-facing service that has an actively exploited vulnerability used by several threat groups. Bambenek said ransomware is the obvious one because the end of the attack is informing the victim to get a ransom, however, anyone who wants to steal data can take advantage.
“The vulnerability and patch have been known for four months,” said Bambenek. “There’s a long tail of figuring out if you had been victimized. For organizations still using a vulnerable version of MOVEIt, the most important thing they should do is fire the CISO because there's no excuse for not having remediated it by now”