MoveIt Hack: What Businesses Should Know and Individuals Should Do

Dozens of global businesses may have been impacted by the MoveIt hack, a cyber attack on a third-party data-transfer provider that has potentially exposed the sensitive personal information of millions of people in the United States alone. Here is what businesses and individuals should know about the hack and how they should respond.

The MoveIt Hack Explained

MoveIt is a data-transfer tool developed by Progress Software that allows businesses to send large volumes of data across the Internet. In a typical MoveIt transfer, data are sent from one user’s account to a web server, then downloaded to another user’s account, completing the transfer.

A Russian hacker group known as Cl0p claims to have used a vulnerability in MoveIt to access the servers that stored the data, exfiltrating millions of records. Data were stolen from a broad range of organizations, including banks, broadcasters, the U.S. Department of Energy and the Oregon DMV, which alone reported approximately 3.5 million records exposed.

Cl0p has posted a growing list of potential targets on the Dark Web and is threatening to publish the data unless the impacted organizations pay a ransom.

It is important to understand what this attack is not and what it is. Though it has been reported as a ransomware attack by some media outlets, it is not a traditional ransomware attack where hackers lock up an organization’s systems and demand a payment to release them. Instead, Clop is holding the data it stole hostage and threatening to publish or sell it if impacted organizations do not pay. The MoveIt attack itself was limited to MoveIt servers and hackers did not gain direct access to other online systems of their victims. However, the data stolen in the attack may contain information that criminals could use in the future to carry out phishing or pretexting attacks, login credentials or personal information that can be used for identity theft.

The exact nature of what was stolen will vary from organization to organization. In some cases, information about employees was compromised. In others, individual customer records, potentially including Social Security numbers, were stolen. What any organization lost depends on what they sent via MoveIt and what Cl0p was able to access. In remarks to reporters on June 15, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said, “As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred.”

It is possible that Cl0p is overstating the data it actually has. Those who sent data via MoveIt should still have their data, as Cl0p was only able to steal the copies sitting on MoveIt servers.

How Should Businesses React to the MoveIt Attack?

If you use MoveIt, patch the software immediately. Only download the software directly from the Progress Software site. Be alert for additional updates on vulnerabilities and patches from Progress Software. Unpatched software may still be vulnerable to the exploits used by Cl0p.

Assess the potential damage from the MoveIt hack. The start date for the hack is unknown, but it is believed to have begun in late winter or early spring 2023. Examine the records for all MoveIt transfers since January 1, 2023, and the data that were transferred. Assume that these data have been stolen and could be sold to other hackers or published on the Dark Web. Do not assume that paying a ransom will protect your data. Criminals may take your money and sell the data anyway. You must assume that any sensitive information sent via MoveIt after January 1 has been compromised.

Change login credentials. All logins must be updated. This is a good time to consider adding two-factor authentication or a password manager if you do not currently have them.

Alert any potentially impacted clients or customers. Failure to disclose knowledge of a data breach can lead to lawsuits, government fines and possible sanctions on the organization or its senior leaders. If there is any doubt about data theft, assume the data were stolen and notify everyone who was potentially impacted. It is better to over-respond in this situation than to discover that you failed to notify victims.

Discuss phishing and pretexting risks with employees and reinforce protocols. Data stolen in this breach could include both business and personal emails for employees, which could provide fuel for pretexting attacks for the next 12 months. Cyber security employee training can help employees identify and respond to risks, but when the threat of an attack rises, organizations must instill extra vigilance through additional communications. Explain to employees what happened, how the stolen data can be used to commit acts of fraud or theft and how to respond if they receive an unusual or unexpected request from a co-worker or organizational leader.

Step up monitoring. IT and Accounting personnel should be on the lookout for new or unusual behavior. Pay particular attention to an increased number of login attempts, new remote login attempts or very small charges hitting bank accounts or debit/credit cards. These are all possible signs of criminals attempting to validate stolen credentials ahead of a larger attack.

How Should Individuals React to the MoveIt Hack?

Assume your personal data have been stolen. The MoveIt breach is just one of many ongoing data breaches. Most people should assume that their personal information, including passwords, phone number, email and address have been stolen and are available on the Dark Web. You will take a much more active and stronger approach to online security if you believe your personal information has been compromised than if you assume that it has not.

Freeze your credit. Unless you are applying for credit cards, a mortgage or a loan, freezing your credit is one of the best ways to prevent identity theft. You will need to reach out to each of the three credit-reporting agencies to do this, and to unfreeze your credit if you decide to apply for a loan in the future.

Use two-factor authentication on all sensitive logins. If two-factor authentication is available, you should take advantage of it and ensure that codes are sent to your smart phone rather than an email address that a criminal could compromise. If the sites you commonly use do not require two-factor authentication, consider using a password manager to gain an extra bit of security. The benefit of two-factor authentication is simple: Even if criminals steal your password, they cannot access your accounts without the two-factor authentication code.

Monitor your financial statements closely. Be on the lookout for very small charges, from one penny to just over one dollar, originating from unknown sources, as well as small charges that are quickly refunded to your account. Criminals use these small charges to validate stolen credit and debit cards before they carry out significant attacks. Some legitimate businesses that require access to your bank account will also use this method. When in doubt, contact your bank and ask about the transaction.

Be wary of emails about the MoveIt hack. Nearly every high-profile data breach is accompanied by a second wave of phishing attacks attempting to capitalize on it. You may receive official-looking emails from banks or service providers informing you of the breach and asking you to log in to verify your account or update your information. Never click on links in emails or text messages, even if you believe they are legitimate. Open a web browser, go to the verified website for the business and log in there.

Expect a wave of phishing and spam attacks. Any time a major data breach occurs, a rise in phishing and spam attacks follows as recently stolen email addresses and phone numbers get added to criminals’ databases. Be particularly mindful of attacks that spoof popular shopping sites or delivery services, such as Amazon, eBay or UPS. Follow the same rule for emails and texts about the MoveIt attack: do not click on links in emails or texts and log in directly to websites to verify any potential issues. Block any spam messages that you receive and block numbers that send spam or phishing texts.

Maintaining vigilance after a significant data breach can be challenging. Many people and organizations will be alert for a week or two, then assume that things are back to normal if no attacks occur. While there are no hard and fast data on the lag between when data are stolen and when criminals launch attacks, know that a fresh set of stolen data can circulate for up to two years online. High-value data, such as login credentials, may be used by criminals within a few hours to try and compromise additional systems.

Preventing fraud and theft online requires a consistent approach amid evolving threats. Protect Now offers in-depth seminars and online cyber security employee training that raises vigilance and empowers employees to recognize and stop cyber threats. To learn more, contact us online or call us at 1-800-658-8311.