Webinar Replay: Lessons Learned from 50+ MOVEit IR Investigations

October 25, 2023
A deep dive into the MOVEit exploitation and incident response, from reconnaissance to exfiltration and its impact on third parties, with lessons learned from the frontline.
MOVEIt Vulnerability Incident Response Webinar—Cyber Risk

In Q2 2023, Kroll reported a notable shift towards increased supply chain risk, largely driven by the CLOP ransomware gang’s exploitation of the MOVEit transfer vulnerability. The MOVEit exploitation rendered even organizations with mature cybersecurity controls helpless and vulnerable to financial and reputational damage. Only a handful were able to detect the exfiltration, and even fewer could handle the consequences once a trusted partner fell victim.

In this virtual briefing, Kroll experts George Glass and Scott Downie examine the exploitation in detail and highlight lessons learned from over 50 incident response (IR) investigations handled by Kroll. They also brief participants on the complexities of third-party investigations, litigation considerations, breach notification challenges and the steps chief information security officers (CISOs) should take to raise preparedness.

The briefing covers:

  • What led to the MOVEit exploitation?
  • Why did the attack have a bigger impact?
  • What were the key lessons learned?
  • How can organizations improve their cybersecurity posture?


Key Sections From the Webinar


Backstory Behind the MOVEit Exploit


“In July of 2021, we saw from the data we had collected that CLOP was developing or starting to develop an exploit for MOVEit, or at least showing careful attention to MOVEit applications—two years ahead of their mass exploit campaign.” – George Glass

Since several members of the CLOP gang were arrested in 2019, the group has tended to favor data exfiltration and extortion. Over the years, the group has famously exploited vulnerabilities in Accellion, SolarWinds Serv-U and GoAnywhere, all of which have affected hundreds, if not thousands, of organizations. However, all of this was only a precursor to their exploitation of the MOVEit Transfer vulnerability. Let us see how.


Lessons Learned

Evolving Threat Landscape


“One of the things that we have noticed is that data extortion has become a lucrative business. Threat actors no longer must encrypt software and utilize double extortion tactics. They simply leverage data exfiltration and then ransom that data back for payment.” – Scott Downie

Leveraging the Kroll Intrusion Lifecycle, Scott highlights how threat actors are changing their tactics based on the current threat landscape and simplifying their mode of attack to get paid with less effort. Do not miss this lesson.

Automated Exfil


“In 2022 and 2023, we have seen threat actors moving a lot quicker to get to their end goal. From an average dwell time of two to three days, we see threat actors with a dwell time of 15 minutes from initial exploit to data exfiltration, which is very consistent with an automated scripted attack.” – Scott Downie

One of the reasons for the wide impact of the MOVEit exfiltration was the automation fueling it. The automated script not only allowed threat actors to steal data from a broad array of victims but also allowed them to do so quickly, often in less than one hour, using two key exfiltration methods, as Scott explains.


Minimizing Impact

Getting Extended Visibility Across Your Digital Estate

What does your organization have in place to minimize the damage when an incident happens? Having handled thousands of incident response cases, Scott recommends empowering security operations teams with endpoint, network and behavioral monitoring capabilities to identify various attack tactics and augment response capabilities.


Questions Asked During the Briefing

Scott and George fielded questions from the audience about lessons learned from the MOVEit vulnerability and how organizations can improve their security posture. Hear what they were.

It was an automated attack, and the threat actors leveraged an automated script. This was consistent with how they were creating the account; hence, the big impact. As they leveraged an automated attack, they could take broadly from a lot of victims. We also noticed the attack was carried out extremely fast from beginning to end and the data exfiltration rate in this case was 100%. We did not find a client that was able to not have their data exfiltrated.
