Problems at Progress Software (PRGS)
Progress Software (NASDAQ: PRGS — $2.23 billion) produces enterprise software products used by over 100,000 businesses for services like chatbots, content management, and app development. Progress Software also offers a secure file transfer service, MOVEit, that accounts for ~4% of revenue and recently was part of a large data breach. The Bear Cave believes the MOVEit hack is a national scandal hidden in plain sight affecting the privacy of tens of millions of Americans and compromising some of our most important government agencies.
On its website, Progress Software proudly boasts of MOVEit’s important role in handling sensitive data for not just large corporations but also the U.S. government, saying in part,
“MOVEit helps IT teams at almost every federal civilian agency and military branch to securely transfer mission-critical information and assure the performance of their networked infrastructures and applications.”
In an 8-K filed on June 5 Progress Software disclosed,
“On the evening of May 28, 2023, our MOVEit technical support team received an initial customer support call indicating unusual activity within their MOVEit Transfer instance. An investigative team was mobilized and, on May 30, 2023, the investigative team discovered a zero-day vulnerability in MOVEit Transfer. The investigative team determined the zero-day vulnerability could provide for unauthorized escalated privileges and access to the customer’s underlying environment in both MOVEit Transfer and MOVEit Cloud.” (Emphasis ours)
Two days later, on June 7, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released a statement titled, “CISA and FBI Release Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability.” CISA’s Executive Director for Cybersecurity, Eric Goldstein, said in part,
“CISA remains in close contact with Progress Software and our partners at the FBI to understand prevalence within federal agencies and critical infrastructure…”
Nine days later, on June 16, the U.S. Department of State’s Rewards for Justice account posted a “reward up to $10 million” for information “linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government.” The tweet linked to the June 7 CISA press release about the Progress Software MOVEit breach.
Let’s dig in.