Introduction
In the world of cybersecurity, paradoxes abound. On the one hand, companies are investing millions, even billions, to combat Advanced Persistent Threats (APTs). On the other hand, the software is being built with vulnerabilities like SQL injection, a threat that has been known for almost 25 years. This dichotomy underscores the importance of a robust cybersecurity strategy and the need for continuous vigilance.
Background
MOVEit, a managed file transfer software developed by Ipswitch, Inc. (now part of Progress Software), is used by thousands of IT departments in healthcare, financial services, technology, and government. It encrypts files and uses secure File Transfer Protocols to transfer data with automation, analytics, and failover options.
In May 2023, a vulnerability in MOVEit was exploited, leading to a series of breaches in various organizations. The vulnerability, a SQL injection flaw, allowed an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. Despite developing and releasing a security patch, the vulnerability was not fully addressed, leading to further breaches.
The Breach
The MOVEit vulnerability was exploited starting May 27, 2023. By June 5, several organizations in the United Kingdom, including the BBC, British Airways, Boots, Aer Lingus, and payroll service Zellis, were breached. On June 12, Ernst & Young, Transport for London, and Ofcom separately announced that they had been affected, with Ofcom announcing that personal and confidential information was downloaded.
On June 15, CNN reported that the United States Department of Energy was among multiple United States government organizations affected by the MOVEit vulnerability. The following day, the Louisiana Office of Motor Vehicles and Oregon Driver and Motor Vehicle Services were hit, affecting millions of residents.
All of the hacking activity has been attributed to the Russian-speaking Clop crime syndicate.
The Aftermath
The exploits on flaws found in the MOVEit tool were originally disclosed on May 31 by Progress software. The SQL Injection vulnerability led to the escalation of privileges along with other less critical vulnerabilities. Upon investigating the zero day, two patches were issued.
Microsoft attributed the exploits to Clop, a Russian ransomware group. They claimed responsibility for the breaches prior to the federal government claiming they had “no interest” in data stolen from government and police offices, only the business information stolen. CISA officials are currently claiming no ties to the Russian government.
The victim list is extensive, including US Government entities, Illinois state government, Minnesota’s Department of Education, Missouri state government, Nova Scotia’s government, British Airways, Shell – British oil and gas, John Hopkins University, University System of Georgia, 1st Source, First National Bankers Bank, education non-profit National Student Clearinghouse, Boston-based investment management firm Putnam Investments, the Netherlands-based Landal Greenparks, GreenShield Canada a non-profit benefits carrier, financial software provider Datasite, United Healthcare Student Resources, American manufacturer Leggett & Platt, Swiss insurance company ÖKK, BBC, Aer Lingus, Ofcom the U.K.’s communications regulator, Transport for London (TfL), Zellis is a U.K. payroll company, U.K. drugstore chain Boots.
CISA director Jean Easterly claims minimal exposure to data and federal networks and no encryption put in place, cited as not a systemic or national security risk. “As far as we know these actors are only stealing information that is specifically being stored on the file-transfer application at the precise time that the intrusion occurred” – Jen Easterly.
What Companies Should Do to Protect Themselves
Progress Software is recommending that any organization remove their systems with MOVEit in use offline until they can apply patches. This is a critical step to prevent further exploitation of the vulnerability.
Key Insights
The SQL injection exploit was first documented in 1998 by cybersecurity researcher and hacker Jeff Forristal. It’s alarming that after 25 years, we are still vulnerable to such a known attack. This raises questions about the testing procedures of software vendors and the level of trust companies place in these vendors.
The Software Bill of Materials (SBOM) needs to be more thought of, and a recommended structure needs to be defined to build trust between software vendors and the companies. But who validates and regulates SBOM?
Companies need to consider the criticality and materiality of the assets they are placing third-party software on. It is not enough to give it a vendor review using a data classification for guidance. Any vendors being placed on material assets should require a thorough risk assessment. Also, in this case, the vendor is recommending to take any assets with their software completely offline until patches can be implemented. If your asset is material, could you survive this kind of downtime without serious impact?
In conclusion, your security is as good as your weakest link. It’s crucial to ensure that all aspects of your cybersecurity strategy, from the software you use to the vendors you trust, are robust and reliable.
Join Thousands of Weekly Readers
Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.
The Aftermath
The exploits on flaws found in the MOVEit tool were originally disclosed on May 31 by Progress software. The SQL Injection vulnerability led to the escalation of privileges along with other less critical vulnerabilities. Upon investigating the zero day, two patches were issued.
Microsoft attributed the exploits to Clop, a Russian ransomware group. They claimed responsibility for the breaches prior to the federal government claiming they had “no interest” in data stolen from government and police offices, only the business information stolen. CISA officials are currently claiming no ties to the Russian government.
The victim list is extensive, including US Government entities, Illinois state government, Minnesota’s Department of Education, Missouri state government, Nova Scotia’s government, British Airways, Shell – British oil and gas, John Hopkins University, University System of Georgia, 1st Source, First National Bankers Bank, education non-profit National Student Clearinghouse, Boston-based investment management firm Putnam Investments, the Netherlands-based Landal Greenparks, GreenShield Canada a non-profit benefits carrier, financial software provider Datasite, United Healthcare Student Resources, American manufacturer Leggett & Platt, Swiss insurance company ÖKK, BBC, Aer Lingus, Ofcom the U.K.’s communications regulator, Transport for London (TfL), Zellis is a U.K. payroll company, U.K. drugstore chain Boots.
CISA director Jean Easterly claims minimal exposure to data and federal networks and no encryption put in place, cited as not a systemic or national security risk. “As far as we know these actors are only stealing information that is specifically being stored on the file-transfer application at the precise time that the intrusion occurred” – Jen Easterly.
What Companies Should Do to Protect Themselves
Progress Software is recommending that any organization remove their systems with MOVEit in use offline until they can apply patches. This is a critical step to prevent further exploitation of the vulnerability.
Key Insights
The SQL injection exploit was first documented in 1998 by cybersecurity researcher and hacker Jeff Forristal. It’s alarming that after 25 years, we are still vulnerable to such a known attack. This raises questions about the testing procedures of software vendors and the level of trust companies place in these vendors.
The Software Bill of Materials (SBOM) needs to be more thought of, and a recommended structure needs to be defined to build trust between software vendors and the companies. But who validates and regulates SBOM?
Companies need to consider the criticality and materiality of the assets they are placing third-party software on. It is not enough to give it a vendor review using a data classification for guidance.
Any vendors being placed on material assets should require a thorough risk assessment. Also, in this case, the vendor is recommending to take any assets with their software completely offline until patches can be implemented. If your asset is material, could you survive this kind of downtime without serious impact?
In conclusion, your security is as good as your weakest link. It’s crucial to ensure that all aspects of your cybersecurity strategy, from the software you use to the vendors you trust, are robust and reliable.
