Skip to content
Make Your Internet Intelligence Blossom | Get 20% off Censys Search Teams or Solo annual plans with code Spring24 by 5/31 | Save Now
Blogs

MOVEit: an Industry Analysis

Share

June 13, 2023
Tags:
  • 30.86% of the hosts running MOVEit are in the financial services industry, 15.96% in healthcare, 8.82% in information technology, and 7.56% in government and military.
  • 29% of the companies we observed have over 10,000 employees, indicating that this service is used in a variety of large organizations.
  • Companies based in the United States account for a significant majority, comprising 69%, of MOVEit hosts.

 

Note: As Censys is an internet scanner, we cannot determine if these devices are vulnerable; these are the MOVEit services we found running exposed on the internet. 

Introduction

Recently, Managed File Transfer (MFT) services have been gaining considerable attention in the realm of security. Although MFT may not be a regular discussion topic, it is worth noting that the past two significant vulnerabilities we covered were aimed at systems and software explicitly designed to facilitate MFT operations. In 2021, Businesswire reported a projected growth of the MFT industry, reaching a staggering $2.4 billion by 2027, with an annual estimate of $398 million that year alone. This emerging sector is now revealing its security implications.

MFT represents a progressive advancement of the FTP protocol, enabling businesses to transfer files between designated locations securely. Along with this simple feature, many of these services provide advanced security and encryption and conform to regulatory and compliance standards like HIPAA and PCI DSS, making them a very high-value target to attackers.

Rapid7 recently published a highly detailed and insightful analysis of the recent MOVEit MFT vulnerability, including a functioning exploit chain that can be seen on Attackerkb. This analysis revealed that the vulnerability is more complex than initially anticipated; exploiting it involves utilizing SQL injection and some request smuggling techniques, further detailed in this link.

Meanwhile, as security engineers were grappling to understand the particular exploit, we focused on identifying the industries that could potentially be affected by this vulnerability.

In conducting our analysis, we examined over 1,400 MOVEit servers that were openly accessible on the internet. Using various data points furnished by the host and the networks operating these hosts, we were able to associate them with specific companies or organizations. We will not discuss specific companies here; instead, we will talk about the industries within which these companies exist.

While the quantity of these particular hosts may appear modest when considering the vast expanse of the internet, the troubling aspect lies in the large size of the companies involved and the highly sensitive data they handle.

Analysis

Industries with MOVEit Hosts

Based on our analysis, 30.86% of the examined hosts belonged to financial service-related organizations, 15.96% were associated with the healthcare sector, 8.92% were linked to Information Technology organizations, and 7.5% were attributed to government and military entities. Additionally, 4.41% of the hosts were from the energy sector, while 4.06% were in the manufacturing industry. The above graph shows the top ten sectors where this MOVEit software was found running.

MOVEit hosts in the Financial Services industry broken down by country.

In the financial sector, a significant majority of these organizations (72%) were based in the United States, while a smaller percentage (5.9%) were located in the United Kingdom. Notably, these companies can be classified as medium to large-sized, with just under 25% having 1,000-5,000 employees and approximately 22% reporting over 10,000 employees.

Fortra, a company facing its fair share of security concerns, has shed light on some specific ways the financial industry leverages MFT services. MFT is a valuable tool for automating various tasks, most notably the secure transfer of sensitive financial data. This data encompasses crucial financial information like credit card details, retirement plans, and tax applications, which are exchanged with external data providers such as other credit bureaus and the infamous Equifax.

MOVEit hosts in the Healthcare industry broken down by country

The use of MOVEit in the healthcare industry is a significant concern because healthcare organizations commonly employ it to transfer sensitive electronically protected health information (ePHI) and electronic health record data (EHR) between hospitals, pharmacies, and insurance companies. This means that the data found on these servers aren’t just company-proprietary data; it’s personally identifiable information (PII).

This usage accounts for a significant portion of MOVEit activity, representing 15.96% of MOVEit hosts. Among these healthcare institutions, about 79% are based in the United States, with France hosting approximately 7.02%. Unlike the finance sector, most of these healthcare companies are large-scale entities, employing over 10,000 individuals, making up 29.91% of the total.

Conversely, the information technology sector comprises a smaller fraction of MOVEit hosts, making up just 8.92%. Within this sector, small to medium-sized companies with 11-50 employees comprise 29.3% of MOVEit hosts, suggesting that this industry is not the primary user base for this service.

Government and Military organizations also use MOVEit, constituting approximately 7.56% of total MOVEit users. These organizations are primarily located in the US, accounting for 83.33%, followed by the UK with 6.48%, and Canada with 3.7%. Among these, multiple organizations, including the government of Nova Scotia, Canada, the Illinois Department of Innovation & Technology, and the Minnesota Department of Education, have publicly come forward as victims of MOVEit transfer breaches. This is particularly alarming because compromising classified documents and civilian data within government and military MFT instances can threaten national security and the lives of individuals involved.

Conclusion

If there is any crucial takeaway we can learn from this, data security is not the same thing as application security. Even though the systems that are being used comply with all of the newest regulations, the software still needs to be written (and audited) in such a way that assures the safety of that data. And while it’s understandable that not every software package can be looked at through a microscope, any software we use that requires direct access to the internet should be scrutinized by all parties involved before it is deployed.

Multiple organizations have fallen victim to data theft through the exploitation of this zero-day over the past few weeks, and based on the current level of exposure, the number of affected organizations will likely continue to rise.

As companies experience growth and their networks expand, managing and identifying every individual service accessible on the public internet becomes increasingly challenging for IT departments. Without adequate policies and monitoring in place, organizations may find themselves taken by surprise by these types of vulnerabilities. It is of utmost importance for organizations to possess a comprehensive understanding of the applications and services operating within their networks and to fully grasp the potential consequences that may arise in the event of a compromise to those services.

Security vulnerabilities like this pose a significant risk to the privacy of ordinary everyday citizens, not just companies; these systems have been built to aid in compliance for large companies but have failed us when it comes to protecting their own security.

Back to Resources Hub
Attack Surface Management Solutions
Learn more