What?
"Quick show of hands: whose data hasn't been stolen in the mass exploitation of Progress Software's vulnerable MOVEit file transfer application?"
Never heard of it.
Next?
-A.
Quick show of hands: whose data hasn't been stolen in the mass exploitation of Progress Software's vulnerable MOVEit file transfer application? Anyone? According to security shop Emsisoft, 2,620 organizations and more than 77 million individuals have been impacted to date, with millions in the past week alone have received …
Not in the slightest bit weird. I've never heard of it, and you have precisely zero knowledge of my professional obligations. But since you're interested, I'm not in any of the countries or industries mentioned in the report linked from the article. Neither am I professionally responsible for any kind of system administration or data security oversight.
-A.
To be fair, it's more a case of "we bought a product from a company whose security sucks". Avast can't plausibly, and shouldn't try to, create all the software they use internally in-house; that's not their area of expertise, nor a good use of resources.
Perhaps they should have been more diligent about testing the products they purchased. According to the original report from Progress the vulnerability is a SQL injection; maybe security-conscious customers should have done some penetration and fuzz testing before deploying MOVEit in production. (Some of our customers pen-test some of our products, and more power to 'em.)
Maybe Avast had MOVEit exposed on the Internet with inadequate (in the sense of "not up to what would generally be considered a best practice") firewalling; that's not clear from the article. Maybe an attacker got in some other way and pivoted to an underprotected MOVEit, and Avast ought to be using ubiquitous authentication ("zero-trust").
We don't have enough information to determine how much Avast were at fault here.
An excellent question. It's not a service I can get my head around. What is the business case for companies transferring data around, especially between parts of their own spread-out organisation, that a middle-man can do it better or cheaper? A middle-man for the actual fibres and wires in between, but why would anyone need a middle-man to actually send the data for them?
I'm sure there are people here who will have good reasons for why MoveIt exists and people use their services, so please, do share that info because I'm stumped!
"but why would anyone need a middle-man to actually send the data for them?"
Because manglement have, in their wisdom (complete lack of understanding of how their businesses work and/or gullibility in the face of salesdroids), hollowed out their organisations to the point where they don't have anyone of their own capable of doing it.