Cyber-attacks are an ever-present menace in today’s digital landscape. Security professionals have to contend not only with direct attacks that target their applications and infrastructure but also indirect attacks in the form of supply chain compromises. The SolarWinds attacks was one such example in which a popular application was compromised and used as an entryway for attackers. We now have another example with the MOVEit Hack, whose global impact is a stark reminder of how dangerous these attacks remain.
In this article, we go over the attack and what measures can be taken to protect against it.
What is the MOVEit Hack?
The MOVEit Transfer tool is a popular file transfer tool developed by the US company Progress Software that is used by thousands of companies to transfer sensitive files. Cybercriminals were able to compromise this tool via a SQL injection vulnerability, allowing them to execute code on the victim’s environment remotely. Once compromised, the attackers could carry out further malicious actions, such as listing files and creating users to gain a further foothold in the network.
The attack was a zero-day, meaning no fix or patch was available to fix it at the time of compromise. Cybercriminals ruthlessly used this to exploit the weakness, compromising many high-profile companies, including UK brands like Boots, British Airways, and the BBC. Other significant names like the US Department of Energy, John Hopkins University, Shell, and the New York City Department of Education system were also notable victims.
Interestingly, some companies that were compromised, like BBC, did not use MOVEit and instead were compromised as their payroll processor was the victim of the hack. The Russian group, Lace Tempest, already known for several similar attacks, has taken credit for the compromise and threatened to publish the data it has stolen if the companies do not negotiate with them.
Progress Software published an advisory on the attack to fix the vulnerability and other recommendations to mitigate the attack, such as blocking specific ports, checking for suspicious files, and restricting access to trusted IP addresses until the patch was applied.
How to prevent future breaches
Attacks like SolarWinds and MOVEit are difficult to defend against as they do not directly attack the infrastructure but instead abuse the trust within the Software supply chain. Along with a comprehensive security strategy built around defense in depth, some of the key controls to implement are:
Effective Patch Management: The speed at which attackers started compromising environments once the breach was available makes patch management essential. Fixes for critical vulnerabilities like MOVEit cannot be delayed and must be implemented immediately, which require a mature patch management strategy to be in place.
Mature cybersecurity framework: This zero-day vulnerability also underscores the need for a mature security environment built around multiple layers of security controls. Until such time a patch was available, companies needed to increase their vigilance to detect any suspicious activity within their environment. Controls like 24/7 monitoring, hardening, and microsegmentation can prevent criminals from laterally moving within the environment and causing further damage.
Vendor Risk Management: MOVEit and SolarWinds before it underscores the need for a robot vendor security risk management process to be put in place. Companies must insist their partners follow strict security standards to prevent their environments from being compromised. Security is only as strong as its weakest link, and supply chains can have multiple weak link to be taken advantage of
Business Continuity Processes: Companies dependent on MOVEit’s file transfer capabilities for critical business operations might have experienced severe business disruption in light of the attack. Even if their environment was not compromised, halting usage of this tool can result in loss of revenue and customer trust unless appropriate business continuity processes are absent.
Incident Response and Legal: Cyber Security professionals must ensure that their incident response plans contain adequate provisions for Legal help in case they face a situation similar to MoveIt. In such cases, legal advice is needed on the course of action, and it is not advised to engage with the attackers directly.
Threat Intelligence: An effective threat intel feed can be invaluable to be alerted proactively against zero-day threats like MOVEIt. Even if no patch is available, being alerted about compromises can enable companies to move fast and increase vigilance before they get compromised.
Conclusion
MOVEit is another incident highlighting the importance of not becoming complacent within cybersecurity. Just like SolarWinds was a wake-up call across the globe, MOVEit reminds cybersecurity professionals that supply chain attacks remain a serious risk and decades-old attacks like SQL injections can still compromise environments. As we move towards an increasingly interconnected cyberspace, a robot cybersecurity framework is no longer a luxury but a necessity.
Frequently Asked Questions
What was the MOVEit Hack?
The MOVEit Hack was a zero-day cyber-attack by exploiting a SQL injection vulnerability in the MOVEit Transfer tool. This tool, developed by the US company Progress Software, is used by thousands of companies for secure data transfer. The cybercriminals successfully executed code on the victim’s environment and carried out malicious activities leading to widespread compromises.
Who were the victims of the MOVEit Hack?
Several high-profile companies, including Boots, British Airways, BBC, the US Department of Energy, John Hopkins University, Shell, and the New York City Department of Education system, were compromised during the MOVEit Hack. Interestingly, some entities like the BBC did not directly use MOVEit but were indirectly affected due to their partners falling victim to the hack.
What steps were taken by Progress Software following the hack?
In response to the hack, Progress Software published an advisory outlining the vulnerability and providing recommendations to mitigate the attack. These steps included blocking specific ports, checking for suspicious files, and shutting down MOVEit until the security patch was applied.
How can companies prevent future breaches similar to the MOVEit Hack?
Companies can take several measures to prevent similar cyberattacks, including having an effective patch management strategy, developing a robust cybersecurity framework, adopting mature vendor risk management processes, ensuring business continuity, involving legal aid in incident response plans, and incorporating effective threat intelligence feeds. With an increasing dependency on interconnected digital platforms, maintaining a robust cybersecurity infrastructure is no longer a luxury but a necessity.