MOVEit Massacre: The Supply Chain Attack That Compromised Thousands
We just watched a master class in supply chain exploitation, and the lesson is as old as computing itself: proprietary black boxes will eventually bite you in ways you can't predict or prevent.
MOVEit Transfer—a file transfer tool you've probably never heard of unless you work in enterprise IT—just became the vector for one of the most devastating supply chain attacks in history. A zero-day SQL injection vulnerability. A ransomware group called Cl0p. And somewhere north of 600 organizations compromised, affecting tens of millions of people.
The kicker? This software was supposed to be the secure way to transfer sensitive files.
What the hell is MOVEit and why should I care?
MOVEit Transfer is managed file transfer software. The kind of thing companies use to move payroll data, customer information, health records—basically all the stuff that's too sensitive to just email or upload to Dropbox.
It's made by Progress Software, costs a small fortune, and is used by thousands of enterprises and government agencies. BBC, British Airways, multiple US federal agencies, major healthcare organizations. All trusted this closed-source, proprietary system to protect their most sensitive data.
Then Cl0p, a ransomware gang with roots in Russia, found a SQL injection vulnerability in MOVEit Transfer that let them walk straight in and exfiltrate whatever they wanted. They pulled data from hundreds of organizations over a single holiday weekend, before Progress had disclosed the vulnerability or shipped a patch, and the victim count has since climbed past 600. That's not a breach. That's an industrial-scale heist.
The myth of security through obscurity
Here's what kills me about this: the whole selling point of proprietary security software is that attackers can't see the source code, so they can't find vulnerabilities as easily. Security through obscurity, they call it.
Except it's not security. It's just obscurity.
Open source software has thousands of eyes reviewing the code. Security researchers, academics, hobbyists—all poking at it, finding bugs, submitting patches. The assumption is that the code will be attacked, so it better be solid.
Proprietary software? The only people looking at it are the vendor's employees (who have every incentive to ship features rather than fix bugs) and attackers who are highly motivated to find vulnerabilities they can exploit before anyone else discovers them.
And when those attackers find something, like this textbook SQL injection bug, the kind that code review and parameterized queries should have eliminated a decade ago, they don't responsibly disclose it. They exploit the hell out of it until they're discovered.
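To make the bug class concrete, here is an added example (not MOVEit's code, and not its schema; the table, rows and payloads are constructed for illustration) showing the difference between a query built by string concatenation and one that binds the user-supplied value as a parameter. The vulnerable version lets a crafted "owner" value rewrite the WHERE clause, or UNION in data from another column, which is exactly the kind of arbitrary read that turns an injection bug into bulk exfiltration.

```python
import sqlite3

# Constructed sample data standing in for a file-transfer gateway's metadata
# store. This is NOT MOVEit's schema; it exists only to run the demo offline.
SAMPLE_ROWS = [
    ("alice", "payroll_q2.csv"),
    ("alice", "contracts.zip"),
    ("bob", "medical_records.pdf"),
]

# Constructed attacker inputs (hypothetical, for demonstration).
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"               # widens the WHERE clause to every row
PAYLOAD_UNION = "x' UNION SELECT owner FROM files --"  # reads a different column


def build_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def list_files_vulnerable(conn, owner):
    """Vulnerable: attacker-controlled text is spliced into the SQL string,
    so quotes and keywords in `owner` become part of the query."""
    sql = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def list_files_parameterized(conn, owner):
    """Hardened: the value travels as a bound parameter. The driver never
    re-parses it as SQL, so the same payloads simply match no row."""
    sql = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = build_db()
    print("legit  vulnerable :", list_files_vulnerable(db, "alice"))
    print("attack vulnerable :", list_files_vulnerable(db, PAYLOAD_TAUTOLOGY))
    print("union  vulnerable :", list_files_vulnerable(db, PAYLOAD_UNION))
    print("attack hardened   :", list_files_parameterized(db, PAYLOAD_TAUTOLOGY))
```

The parameterized version is the whole fix: no input filtering, no escaping heuristics, just never letting untrusted bytes reach the SQL parser as code.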
The vendor lock-in nightmare
The MOVEit attack also exposed another uncomfortable truth: when you're locked into proprietary software, you're at the vendor's mercy for security updates and incident response.
Progress Software disclosed the vulnerability and published a patch on May 31st, 2023. Sounds good, right? Except the vulnerability had been actively exploited since at least May 27th, possibly earlier, so for many victims the data was already gone by the time the patch existed. And many organizations didn't even know they needed to patch, let alone check whether anything had been taken, until the media started reporting mass breaches.
Compare that to open source software, where vulnerabilities are disclosed publicly, analyzed by the community, and patches can be developed and deployed by anyone who needs them. You're not waiting for a vendor's patch schedule or hoping they even tell you there's a problem.
With proprietary software, you're a passenger in someone else's car during a crash. You have no control over the steering wheel, no visibility into what went wrong, and no ability to fix it yourself.
The data exfiltration cascade
What makes this attack particularly nightmarish is the cascading nature of the compromises. The attackers didn't just hit one target. They systematically compromised any organization running vulnerable versions of MOVEit.
Zellis, a UK payroll provider, got breached. That meant data from British Airways, BBC, Boots—basically anyone who used Zellis for payroll—was compromised. One breach turned into dozens.
PBI Research Services, a research and data services firm used by pension funds and insurers, got hit. That compromised personal information belonging to members of dozens of major pension plans and companies.
The Louisiana Office of Motor Vehicles got breached. That's every driver's license holder in the state.
This is supply chain exploitation in its purest form. Attack one vendor, compromise everyone who depends on them. Rinse, repeat, profit.
Where backups fail spectacularly
Now here's the really fun part: many organizations that got hit probably had backups. Good ones, even.
Doesn't matter. The attackers didn't encrypt anything. They just stole the data. Backups restore availability, not confidentiality: they get you back on your feet after data loss or ransomware encryption, and they do nothing about a copy that has already left the building.
This is why the whole "just restore from backup" mantra is insufficient. It assumes the attack is about availability—making your data inaccessible until you pay. But increasingly, attacks are about confidentiality. They steal your data and threaten to publish it unless you pay.
Backups can't unring that bell. Once your sensitive data is exfiltrated, no amount of backups will make it private again.
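Since a restore cannot undo exfiltration, the control that actually matters against this style of attack is noticing the bulk transfer while it is happening. The following added example (not from the page's author, and not tied to any real MOVEit deployment; the log format, the destination addresses, the baseline figures and the partner list are all constructed) parses outbound-transfer log lines and flags a host that is suddenly pushing an order of magnitude more data than its learned daily baseline to a destination it has never sent to before.

```python
import re
from collections import defaultdict

# Constructed log format for a file-transfer host's egress records.
# Hypothetical; real gateways and proxies use their own field names.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed sample log lines (not taken from any real incident).
SAMPLE_LOG = """\
2023-05-27T09:00:11Z host=mft-01 dst=198.51.100.20 bytes_out=52000000
2023-05-27T09:30:45Z host=mft-01 dst=198.51.100.20 bytes_out=48000000
2023-05-27T23:12:02Z host=mft-01 dst=203.0.113.5 bytes_out=7200000000
2023-05-28T01:40:19Z host=mft-01 dst=203.0.113.5 bytes_out=9100000000
2023-05-28T08:05:33Z host=mft-02 dst=198.51.100.21 bytes_out=31000000
"""

# Constructed baseline: typical daily outbound bytes per host, learned over a
# quiet period beforehand. In practice this comes from your own telemetry.
BASELINE_DAILY_BYTES = {"mft-01": 400_000_000, "mft-02": 150_000_000}

# Constructed allow-list of destinations the business actually exchanges files with.
KNOWN_PARTNERS = {"198.51.100.20", "198.51.100.21"}


def parse(log_text):
    """Yield (host, dst, bytes_out) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("host"), m.group("dst"), int(m.group("bytes"))


def find_exfil(log_text, multiplier=10):
    """Aggregate bytes per (host, destination) and return alerts for pairs that
    are either unknown destinations or exceed `multiplier` times the host's
    daily baseline. Both conditions are reported when both hold."""
    totals = defaultdict(int)
    for host, dst, sent in parse(log_text):
        totals[(host, dst)] += sent

    alerts = []
    for (host, dst), total in sorted(totals.items()):
        reasons = []
        if dst not in KNOWN_PARTNERS:
            reasons.append("destination not in partner list")
        limit = multiplier * BASELINE_DAILY_BYTES.get(host, 0)
        if total > limit:
            reasons.append(f"{total} bytes exceeds {multiplier}x daily baseline")
        if reasons:
            alerts.append({"host": host, "dst": dst, "bytes": total, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_LOG):
        print(alert)
```

Two independent signals (a new destination and a volume spike) are combined deliberately: either one alone produces noise on a busy transfer host, but a never-seen destination receiving ten times a day's normal traffic overnight is the signature of someone emptying the server, not a new customer.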
The only real protection is not having the data compromised in the first place. Which means not trusting proprietary black boxes with critical data.
The open source advantage nobody wants to discuss
If MOVEit Transfer were open source, would this attack have been prevented? Maybe not. Open source software has vulnerabilities too.
But here's the difference: with open source, the odds are much better that the vulnerability would have been found and patched years ago by someone doing a code review. And if it wasn't, security researchers would more likely have discovered it and disclosed it publicly, forcing a fix before ransomware gangs could weaponize it.
With open source, you can audit the code yourself. You can verify that it's doing what it claims to do. You can hire independent security firms to review it. You have transparency.
With proprietary software, you're taking the vendor's word that they've built something secure. And as MOVEit demonstrates, sometimes that word isn't worth much.
Breaking free from the proprietary prison
The MOVEit attack should be a wake-up call about vendor lock-in, particularly for critical security infrastructure.
When you use proprietary security software, whether a backup tool or a file transfer gateway, you're trusting that the vendor has built something secure, will continue supporting it, will promptly disclose and patch vulnerabilities, and won't go out of business or pivot to a different market.
That's a lot of trust to place in someone else.
Open source alternatives exist for almost everything. For backups, you've got restic, Borg, Duplicacy. For file transfer, there are dozens of options. They're not always as polished. They might require more technical knowledge. But they're transparent, auditable, and you're not locked in.
If a vulnerability is found, you can patch it yourself or switch to a fork. If the project gets abandoned, you can maintain it yourself or migrate to something else. You're not a hostage to a single vendor's decisions.
The uncomfortable conclusion
The MOVEit breach compromised hundreds of organizations and millions of people because everyone trusted a proprietary black box to do something critical securely.
That trust was misplaced. Not because Progress Software is uniquely incompetent—they're probably about average for enterprise software vendors. But because security through obscurity doesn't work, vendor lock-in is dangerous, and closed-source software can hide vulnerabilities for years before they're exploited catastrophically.
Your data is too important to hand off to a proprietary system you can't audit, can't modify, and can't migrate away from easily.
Use open source where you can. Maintain the ability to switch vendors without losing everything. And never, ever trust that expensive proprietary software is inherently more secure just because someone is charging you for it.
The price tag isn't a guarantee of security. Sometimes it's just the cost of vendor lock-in.
—Checking if any of my tools start with MOV