Organizations are remediating MOVEit vulnerabilities 21 times faster compared to other vulnerabilities, according to research by Bitsight.

The number of organizations vulnerable to data leaks because of security vulnerabilities in MOVEit Transfer software has dropped significantly, with at least 77% of the initially affected organizations no longer susceptible, according to research by Bitsight.

Progress, the developer of MOVEit, published an advisory warning of a critical vulnerability in its MOVEit Transfer product on May 31. Two more vulnerabilities, CVE-2023-35036 and CVE-2023-35708, were identified on June 9th and June 15th, respectively. Three more vulnerabilities, CVE-2023-36932, CVE-2023-36933, and CVE-2023-36934, were discovered on July 5th. The vulnerabilities could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database.

Bitsight researchers tracked the number of organizations that are no longer vulnerable from May 31 to July 12. While the number of vulnerable organizations has dropped, the cybersecurity firm found 23% of organizations are still vulnerable.

"On the other hand, at most 23 percent of the initially affected organizations are still vulnerable while higher rates of vulnerability exist among the later CVEs," Bitsight said, adding that 56% of organizations initially affected by the newest collection of CVEs remain vulnerable.

Organizations are remediating 21 times faster

Organizations are remediating the MOVEit vulnerabilities roughly 21 times faster than what's considered typical, according to Bitsight. The cybersecurity firm said the rapid remediation shows that organizations are taking the vulnerabilities seriously.

"Typical remediation rates for software vulnerabilities are at a mere 5 percent per month, while these remediation rates are significantly faster.
In a typical vulnerability remediation pattern, it would take 29 months to reach the same level of remediation we observe happening for MOVEit after just 42 days," Bitsight said.

The cybersecurity firm attributed this to timely alerts by CISA. "Recent research found that CISA alerts tend to improve the likelihood of organizations rapidly remediating a given vulnerability; what we're seeing with MOVEit could be a real-time example of this promising trend," Bitsight said.

Bitsight also saw an increase in the adoption of patch versions soon after the announcement of each vulnerability, and a sharp decline in other versions. "This is great news, indicating that organizations are promptly moving from vulnerable to patched versions," Bitsight said.

Sectors most impacted and remediated

About 73% of government sector organizations were found to have remediated the MOVEit vulnerabilities, while the manufacturing sector had at least 52% of organizations remediated. The business services sector had at least 46 percent of organizations remediated, according to the report.

Most impacted organizations were headquartered in the US and were mostly from the technology, government, and finance sectors, according to Bitsight.

The government or politics sector had higher remediation due to the prevalence of regulation and government mandates, Bitsight noted. "This sector is trusted with sensitive information -- secret or otherwise sensitive government information; and personally identifiable information (PII). The breadth and scope of the data for which this sector is responsible could potentially be one reason why they prioritized remediation of these CVEs," Bitsight said.

The latest news comes as security researchers observe the Russia-backed Clop ransomware gang publishing internet-accessible websites dedicated to specific victims. This makes it easier to leak stolen data and pressure victims into paying a ransom.
"cl0p ransomware group has created a clearnet domain to distribute stolen data from Ernst & Young," Dominic Alvieri, a security researcher, wrote in a Twitter post. Stolen information from PWC has also reportedly been leaked on a website.