George Glass
Associate Managing Director
Cyber and Data Resilience
London
Webinar Replay: Lessons Learned from 50+ MOVEit IR Investigations
October 25, 2023
A deep dive into the MOVEit exploitation and incident response, from reconnaissance to exfiltration and its impact on third parties, with lessons learned from the frontline.
In Q2 2023, Kroll reported a notable shift towards increased supply chain risk, largely driven by the CLOP ransomware gang’s exploitation of the MOVEit transfer vulnerability. The MOVEit exploitation rendered even organizations with mature cybersecurity controls helpless and vulnerable to financial and reputational damage. Only a handful were able to detect the exfiltration, and even fewer could handle the consequences once a trusted partner fell victim.
In this virtual briefing, Kroll experts George Glass and Scott Downie examine the exploitation in detail and highlight lessons learned from over 50 incident response (IR) investigations handled by Kroll. They also brief participants on the complexities of third-party investigations, litigation considerations, breach notification challenges and the steps chief information security officers (CISOs) should take to raise preparedness.
The briefing covers:
- What led to the MOVEit exploitation?
- Why did the attack have a bigger impact?
- What were the key lessons learned?
- How can organizations improve their cybersecurity posture?
Key Sections From the Webinar
Backstory Behind the MOVEit Exploit
“In July of 2021, we saw from the data we had collected, that CLOP was developing or starting to develop and exploit for MOVEit, or at least showing careful attention to MOVEit applications—two years ahead of their mass exploit campaign.”– George Glass
After several members of the CLOP gang were arrested in 2019, the group has tended to favor data exfiltration and extortion. Over the years, the group has famously exploited vulnerabilities in Accellion, SolarWinds Serv-U and GoAnywhere all of which have affected hundreds if not thousands of organizations. However, all of this was only a precursor to their exploitation of the MOVEit transfer vulnerability. Let us see how.
Lessons Learned
Evolving Threat Landscape
“One of the things that we have noticed is that data extortion has become a lucrative business. Threat actors no longer must encrypt software and utilize double extortion tactics. They simply leverage data exfiltration and then ransoming that data back for payment.” – Scott Downie
Leveraging the Kroll Intrusion Lifecycle, Scott highlights how threat actors are changing their tactics based on the current threat landscape and simplifying their mode of attack to get paid with less effort. Do not miss this lesson.
Automated Exfil
“In 2022 and 2023, we have seen threat actors moving a lot quicker to get to their end goal. From an average dwell time of two to three days, we see threat actors with a dwell time of 15 minutes from initial exploit to data exfiltration, which is very consistent with an automated scripted attack.” – Scott Downie
One of the reasons for the wide impact of the MOVEit exfiltration was the automation fueling it. The automated script not only allowed threat actors to steal data from a broad array of victims but also allowed them to do so quickly, often in less than one hour, using two key exfiltration methods, as Scott explains.
Minimizing Impact
Getting Extended Visibility Across Your Digital Estate
What does your organization have in place to minimize the damage when an incident happens? Having handled thousands of incident response cases, Scott recommends empowering security operations teams with endpoint, network and behavioral monitoring capabilities to identify various attack tactics and augment response capabilities.
Questions Asked During the Briefing
Scott and George fielded questions from the audience about lessons learned from the MOVEit vulnerability and how organizations can improve their security posture. Hear what they were.
Connect With Us
MOVEit Vulnerability Investigations Uncover Additional Exfiltration Method
Threat Intelligence
MOVEit Vulnerability Investigations Uncover Additional Exfiltration Method
July 24, 2023
by Steven Coffey, Josh Mitchell, Dan Cox
Threat Intelligence
Responding to the Critical MOVEit Transfer Vulnerability (CVE-2023-34362)
June 7, 2023
by George Glass, Dave Truman
Managed Detection and Response
Microsoft Threat Detection and Response: Five Key Pitfalls (and How to Address Them)
April 24, 2023
by Rafael De Lima, Michael Cowley
Threat Intelligence
Q3 2022 Threat Landscape: Insider Threat, The Trojan Horse of 2022
November 8, 2022
by Keith Wojcieszek, George Glass
Cyber and Data Resilience
Incident response, digital forensics, breach notification, security strategy, managed security services, discovery solutions, security transformation.
Cyber Threat Intelligence
Threat intelligence are fueled by frontline incident response intel and elite analysts to effectively hunt and respond to threats.
Cyber Risk Retainer
Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.
24x7 Incident Response
Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.
Ransomware Preparedness Assessment
Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.
Kroll is headquartered in New York with offices around the world.
One World Trade Center
285 Fulton Street, 31st Floor
New York NY 10007
Sign up to receive periodic news, reports, and invitations from Kroll.
Our privacy policy describes how your data will be processed.
© 2025 Kroll, LLC. All rights reserved.
Kroll is not affiliated with Kroll Bond Rating Agency,
Kroll OnTrack Inc. or their affiliated businesses. Read more.