Progress Software could be facing fresh litigation over the zero-day vulnerability in its MOVEit file transfer product, which affected millions of end users globally.

The latest probe comes from the US Securities and Exchange Commission (SEC), which is seeking information related to the mass hack.

“On October 2, 2023, Progress received a subpoena from the SEC seeking various documents and information relating to the MOVEit vulnerability,” Progress Software said in a recent SEC filing. “At this stage, the SEC investigation is a fact-finding inquiry, the investigation does not mean that Progress or anyone else has violated federal securities laws, and the investigation does not mean that the SEC has a negative opinion of any person, entity, or security.”

Progress said it intends to cooperate fully with the SEC in its investigation.

The SQL injection vulnerability, tracked as CVE-2023-34362 and assigned a CVSS score of 9.8, was first reported to Progress on May 28, when a customer alerted the company to unusual activity in its MOVEit environment.

Progress expects operational setbacks

Progress said investigations such as the one initiated by the SEC can adversely affect the company’s operations and expose it to further governmental and regulatory probes.

“Our financial liability arising from any of the foregoing (MOVEit exploits) will depend on many factors, including the extent to which governmental entities investigate the matter and limitations contained within our customer contracts; therefore, we are unable at this time to estimate the quantitative impact of any such liability with any reasonable degree of certainty,” Progress said.

Progress also said it expects operational losses from aggrieved customers, some of whom could temporarily withdraw from scheduled contracts.

“If customers or partners seek refunds, delay implementation of our products, delay payment, fail to pay us under the terms of our agreements, or terminate use of our products, we may be adversely affected both from the inability to collect amounts due and the cost of enforcing the terms of our contracts (including litigation related thereto),” Progress added.

Progress said 23 affected customers have already indicated that they “intend to seek indemnification” from Progress and are likely to delay payments under the terms of their contracts.

Costs from MOVEit continue to pile up

The MOVEit hack has left a lasting mark on Progress’ reputation, with the sensitive data of more than 65 million individuals worldwide compromised. Last week, Sony and Flagstar Bank confirmed roughly 6,000 and 800,000 new victims, respectively, whose records were accessed in MOVEit-related incidents.

On September 25, BORN Ontario, a government-run birth registry in the Canadian province, confirmed that the data of about 3.4 million people was exposed through its use of the file transfer service.

Several ransomware attacks were launched using the stolen data, and about a third of those attacks were attributed to Clop (ransomware operated by a group linked to FIN11). On June 6, Clop published a statement on its dark web portal claiming to have exploited the MOVEit vulnerability to exfiltrate data from hundreds of organizations.

The ransomware gang was reported to have hit at least three US government agencies by exploiting the MOVEit file transfer flaws. The US State Department’s Rewards for Justice program offered up to $10 million for information linking Clop to a foreign government.

On May 31, Progress published an advisory and patches for the zero-day in the on-premises versions of MOVEit Transfer and in its hosted MOVEit Cloud service. The company subsequently acknowledged and patched several further vulnerabilities in MOVEit, most of them SQL injection flaws rated critical or high severity — CVE-2023-35036, CVE-2023-35708, CVE-2023-36934, CVE-2023-36932, and CVE-2023-36933 — between mid-June and early July.

Another zero-day that set off alarms last week was a critical flaw (CVSS 10.0) in Atlassian Confluence Data Center and Server. The bug, tracked as CVE-2023-22515, was confirmed by Microsoft Threat Intelligence to have been exploited as a zero-day by the Chinese nation-state actor Storm-0062.