New security flaw's slow-burn perils are only just beginning

- Sam Sabin, author of Axios Codebook

Illustration: Maura Losch/Axios
The impact of a recently patched security flaw in a widely used file-transfer tool will likely linger across North America for months to come.
Why it matters: Since Progress Software Corp. first uncovered a flaw in the popular file-transfer program MOVEit Transfer, a handful of high-profile organizations — including the BBC, British Airways and the government of Nova Scotia — have publicly warned that hackers have used the flaw to target their systems.
- Cybersecurity company Rapid7 estimates that the majority of the roughly 2,500 online instances of MOVEit are running in the U.S.
- Other firms are reporting that they've heard from dozens of organizations affected by MOVEit-related breaches.
Catch up quick: Last week, Progress warned it had uncovered a critical security flaw in the file-transfer tool that would allow hackers to gain unauthorized access to customers' networks.
- Hackers could then use that access to steal sensitive customer data or run commands on a company's network.
- While Progress released a fix a few days later, the Cl0p ransomware gang has continued to target systems that still aren't patched, according to a U.S. government advisory.
The big picture: The attacks uncovered in the last week are likely only a small fraction of what's to come.
- Typically in this type of attack — known as a supply chain attack — affected organizations aren't fully aware of their exposure to the flaw or put off patching their systems until it's too late.
- This happened following the 2021 discovery of a vulnerability in open-source logging tool Log4j. Even a year after its discovery, nearly three-fourths of affected organizations were still vulnerable.
What they're saying: "This is one that you can think of more as a tornado than a hurricane," Christopher Budd, head of Sophos' X-Ops team, told Axios. "It's not going to hit everyone, but where it is hitting, it's having a significant impact."
Between the lines: One of the biggest obstacles with the MOVEit incident is understanding how attackers exploited the flaw before it was publicly reported.
- Researchers, including those at Sophos, have seen malicious hackers targeting the flaw as early as May 27 — about four days before Progress started warning about the vulnerability.
The intrigue: Some organizations might not even know whether they're running the program, Budd said.
- "When you run networks, you've got hundreds, thousands, tens of thousands, hundreds of thousands of systems, and it's hard to know what you're running," Budd said.
- Sometimes departments and individual employees run programs like MOVEit on their devices without getting IT's approval — leaving the IT and security teams with an imperfect picture of what's running on their networks, he added.
Zoom out: The Cl0p ransomware gang, in particular, has made targeting vulnerable file-transfer tools a go-to part of its strategy, the government advisory noted.
- The group also attacked organizations through flaws in Accellion's file transfer tool in 2020 and 2021 and targeted a flaw in Fortra's GoAnywhere file transfer tool earlier this year.
Be smart: All organizations should study their systems to see whether MOVEit is running on their network — and ask their tech vendors to do the same, Budd said.
- If there's no sign of it, organizations should double-check with all departments and employee devices to make sure no one has installed the program without IT's knowledge.
- And if there is a sign of MOVEit on the networks, they should follow the mitigation guidelines on Progress's website and initiate an investigation for evidence of any attack.
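Putting that inventory advice into practice, here is an added example (not code from the article, from Progress or from Sophos): the script compares a central IT asset inventory against per-host endpoint scan results to list every host running MOVEit Transfer, the installs the central inventory did not know about, and the ones still below the fixed version. Every host name, product label and version string is a constructed sample, and the fixed-version value is a placeholder; the real fixed version comes from Progress's mitigation guidance. Because exploitation was seen before the flaw was disclosed, every host where the program is present goes on the investigation list, patched or not.

```python
"""Reconcile two inventory views to find every host running MOVEit Transfer.

Added example, not from the article, Progress or Sophos. All data below is
constructed; the fixed-version threshold is a placeholder to be replaced with
the value from the vendor's mitigation guidance.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Install:
    host: str
    product: str
    version: str


def parse_version(text: str) -> tuple:
    """Turn '2023.0.1' into (2023, 0, 1); non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_moveit(product: str) -> bool:
    """Loose, case-insensitive match so hand-typed inventory labels still hit."""
    return "moveit" in product.lower()


def reconcile(central, endpoint_scans, fixed_version):
    """Return sorted host lists: all MOVEit hosts, shadow installs, unpatched installs.

    central        - records from the IT-managed asset inventory
    endpoint_scans - records gathered from the hosts themselves
    fixed_version  - version string at which the vendor fix is present
    """
    fixed = parse_version(fixed_version)
    central_hosts = {i.host for i in central if is_moveit(i.product)}
    present = {}
    for inst in list(central) + list(endpoint_scans):
        if is_moveit(inst.product):
            # Keep the lowest version reported for a host: the worst case is what matters.
            v = parse_version(inst.version)
            if inst.host not in present or v < present[inst.host]:
                present[inst.host] = v
    # Hosts only the endpoint scans know about are the installs IT never approved.
    shadow = {h for h in present if h not in central_hosts}
    unpatched = {h for h, v in present.items() if v < fixed}
    return {
        "investigate": sorted(present),   # exploitation predates disclosure, so check all of them
        "shadow": sorted(shadow),
        "unpatched": sorted(unpatched),
    }


# Constructed sample data: a central inventory that misses a departmental install.
CENTRAL_INVENTORY = [
    Install("fileserver01", "MOVEit Transfer", "1.0.0"),
    Install("web02", "nginx", "1.24.0"),
]
ENDPOINT_SCANS = [
    Install("fileserver01", "MOVEit Transfer", "1.0.0"),
    Install("hr-laptop-7", "moveit transfer (dept install)", "0.9.5"),
    Install("web02", "nginx", "1.24.0"),
]
FIXED_VERSION_PLACEHOLDER = "1.0.0"  # placeholder, not the real fixed version


if __name__ == "__main__":
    report = reconcile(CENTRAL_INVENTORY, ENDPOINT_SCANS, FIXED_VERSION_PLACEHOLDER)
    for category, hosts in report.items():
        print(f"{category:12s} {', '.join(hosts) or '(none)'}")
```

The two inputs can be any records with host, product and version fields, so a CMDB export and an endpoint-agent export drop in directly; the "shadow" list is the gap between what IT believes is deployed and what the hosts report, which is the blind spot the article describes.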