- 30.86% of the hosts running MOVEit are in the financial services industry, 15.96% in healthcare, 8.82% in information technology, and 7.56% in government and military.
- 29% of the companies we observed have over 10,000 employees, indicating that this service is used in a variety of large organizations.
- Companies based in the United States account for a significant majority, comprising 69%, of MOVEit hosts.
Note: As Censys is an internet scanner, we cannot determine if these devices are vulnerable; these are the MOVEit services we found running exposed on the internet.
Recently, Managed File Transfer (MFT) services have been gaining considerable attention in the realm of security. Although MFT may not be a regular discussion topic, it is worth noting that the past two significant vulnerabilities we covered were aimed at systems and software explicitly designed to facilitate MFT operations. In 2021, Businesswire reported a projected growth of the MFT industry, reaching a staggering $2.4 billion by 2027, with an annual estimate of $398 million that year alone. This emerging sector is now revealing its security implications.
MFT represents a progressive advancement of the FTP protocol, enabling businesses to transfer files between designated locations securely. Along with this simple feature, many of these services provide advanced security and encryption and conform to regulatory and compliance standards like HIPAA and PCI DSS, making them a very high-value target to attackers.
Rapid7 recently published a highly detailed and insightful analysis of the recent MOVEit MFT vulnerability, including a functioning exploit chain that can be seen on Attackerkb. This analysis revealed that the vulnerability is more complex than initially anticipated; exploiting it involves utilizing SQL injection and some request smuggling techniques, further detailed in this link.
Meanwhile, as security engineers were grappling to understand the particular exploit, we focused on identifying the industries that could potentially be affected by this vulnerability.
In conducting our analysis, we examined over 1,400 MOVEit servers that were openly accessible on the internet. Using various data points furnished by the host and the networks operating these hosts, we were able to associate them with specific companies or organizations. We will not discuss specific companies here; instead, we will talk about the industries within which these companies exist.
While the quantity of these particular hosts may appear modest when considering the vast expanse of the internet, the troubling aspect lies in the large size of the companies involved and the highly sensitive data they handle.
Based on our analysis, 30.86% of the examined hosts belonged to financial service-related organizations, 15.96% were associated with the healthcare sector, 8.92% were linked to Information Technology organizations, and 7.5% were attributed to government and military entities. Additionally, 4.41% of the hosts were from the energy sector, while 4.06% were in the manufacturing industry. The above graph shows the top ten sectors where this MOVEit software was found running.