A zero-day SQL injection in MOVEit Transfer let the Clop group pull database contents and, more critically, harvest stored credentials that reached far beyond the initial targets. The campaign against Progress Software’s file-transfer product ultimately touched more than 2,000 organizations and exposed personal information belonging to over 60 million individuals.

Within days, operators had obtained Windows account hashes, MOVEit application passwords, and SSH keys from compromised servers. These materials enabled authenticated access to additional MOVEit instances, Active Directory domains, and downstream data repositories that the original web shells could not directly reach. Supply-chain incidents of this type consistently produce higher costs and longer containment timelines because one entry point creates reusable access across many separate environments.

Credential Collection and Lateral Access

Most organizations had already enabled MFA on administrative accounts. The factors in use, however, still depended on reusable secrets. Once attackers held valid usernames and passwords from the breached host, they could approve push notifications, intercept one-time codes sent to compromised endpoints, or replay session tokens pulled from memory. The second factor added no additional barrier because the first factor itself had been harvested directly from the server.

Verizon’s 2024 DBIR notes that third-party and supply-chain involvement appeared in 15 percent of breaches, a 68 percent year-over-year increase. The MOVEit incident demonstrated the downstream consequence: organizations that never operated MOVEit still suffered data loss when credentials obtained from one tenant granted access to shared repositories.

Why Standard MFA Did Not Limit the Blast Radius

Traditional MFA protects only the initial login event. Registration, device enrollment, service-account configuration, and policy changes continue to rely on passwords, email links, or codes that can be captured once they exist on a compromised system. In this campaign attackers never needed to phish users; they simply reused credentials already present on the first breached host. Any architecture that treats those credentials as sufficient for subsequent authentication inherits the same exposure across the entire supply chain.

Device-Bound Public-Key Credentials Change the Outcome

MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography—the same technology used in Apple Pay and Google Pay. It relies on device-bound credentials with no central credential database and performs same-device authentication without requiring a second device. Because no reusable secret is ever transmitted or stored, harvested passwords or hashes become useless.

If MOVEit administrative and service accounts had used device-bound credentials, the post-exploitation phase would have stopped at the first web shell. Attackers could still have read data reachable through the zero-day, but they would have held no reusable material for authenticating elsewhere. Lateral movement and bulk exfiltration from additional tenants would have required a fresh compromise for each target.
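The contrast drawn in the last two sections (reusable secrets that can be harvested and replayed from a breached host, versus device-bound public-key credentials that leave nothing replayable on the server) can be made concrete with a small challenge-response model. The following Go program is an added example written for this article; it is not code from Progress Software, IDEE, or any real authenticator, and the relying-party ID, account name, and the in-memory Server and Authenticator types are constructed for illustration. The server stores only a public key per user and issues a fresh single-use challenge for every login; an attacker who holds the server's entire registration table plus a captured transcript of a successful login still cannot authenticate, because the signature is bound to a challenge that is never issued twice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Registration is the only per-user record the relying party keeps: a public key.
// A database dump or a web shell on this server exposes nothing that can be replayed.
type Registration struct {
	User      string
	PublicKey ed25519.PublicKey
}

// Authenticator models the device-bound side. The private key is generated here and
// never leaves this struct; a real deployment would hold it in a TPM or secure enclave.
type Authenticator struct {
	priv ed25519.PrivateKey
}

// Enroll creates a key pair and returns the authenticator plus the record the server keeps.
func Enroll(user string) (*Authenticator, Registration, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Registration{}, err
	}
	return &Authenticator{priv: priv}, Registration{User: user, PublicKey: pub}, nil
}

// payload binds a signature to one relying party and one specific challenge.
func payload(rpID string, challenge []byte) []byte {
	return append([]byte(rpID+"\x00"), challenge...)
}

// Answer signs a server-issued challenge. No password, code or token is produced, and
// the signature is useless for any other challenge or relying party.
func (a *Authenticator) Answer(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, payload(rpID, challenge))
}

// Server is the relying party: registrations plus outstanding single-use challenges.
type Server struct {
	rpID    string
	users   map[string]Registration
	pending map[string][]byte
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, users: map[string]Registration{}, pending: map[string][]byte{}}
}

func (s *Server) Register(r Registration) { s.users[r.User] = r }

// Challenge issues 32 random bytes; any earlier outstanding challenge for the user is dropped.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the answer against the outstanding challenge and discards that challenge,
// so a captured signature cannot be presented a second time. The challenge comparison
// matters: without it, an old (challenge, signature) pair would still verify.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	reg, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	expected, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, user)
	if subtle.ConstantTimeCompare(expected, challenge) != 1 {
		return errors.New("challenge does not match the one issued")
	}
	if !ed25519.Verify(reg.PublicKey, payload(s.rpID, challenge), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// LoginOnce performs a complete legitimate exchange and returns the transcript
// (challenge, signature) that an attacker on the server could have captured.
func LoginOnce(s *Server, a *Authenticator, user string) (challenge, sig []byte, err error) {
	if challenge, err = s.Challenge(user); err != nil {
		return nil, nil, err
	}
	sig = a.Answer(s.rpID, challenge)
	return challenge, sig, s.Verify(user, challenge, sig)
}

// ReplayCaptured models an attacker who holds the registration table and a full transcript
// of an earlier login, but not the device. A new challenge is outstanding, so the replay fails.
func ReplayCaptured(s *Server, user string, oldChallenge, oldSig []byte) error {
	if _, err := s.Challenge(user); err != nil {
		return err
	}
	return s.Verify(user, oldChallenge, oldSig)
}

func main() {
	srv := NewServer("transfer.example.test") // constructed relying-party ID
	auth, reg, _ := Enroll("svc-transfer")    // constructed service-account name
	srv.Register(reg)
	ch, sig, err := LoginOnce(srv, auth, "svc-transfer")
	fmt.Println("legitimate login error:", err)
	fmt.Println("replay of captured transcript error:", ReplayCaptured(srv, "svc-transfer", ch, sig))
}
```

The design choice that carries the security argument is in Verify: the challenge is deleted before it is compared, so every signature is accepted at most once, and the signed payload includes the relying-party ID, so a signature produced for one service cannot be presented to another. Everything the server persists (the Registration records) is public material; this is the property that would have left the MOVEit web shell with nothing to reuse against other tenants or domains.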

Implementations such as AuthN by IDEE demonstrate how registration, device onboarding, authorization, and decommissioning can operate without ever transmitting or storing a reusable secret. A zero-day can always reach whatever data the application itself can access; the decisive variable is whether that foothold converts into persistent, high-volume access across an organization or supply chain.