In May of this year, Progress Software Corporation (formerly Ipswitch) disclosed a vulnerability in MOVEit Transfer and MOVEit Cloud that could lead to escalated privileges and unauthorized access to a given environment. Within 48 hours of discovery, Progress Software launched an investigation, provided mitigation steps and released a security patch. But resolving the issue wasn’t that simple…
During that brief timeframe, the Clop ransomware group exploited the vulnerability and launched a supply chain attack against MOVEit users. In the course of the attack, business-owned and managed data (belonging to millions of individuals) was compromised.
Supply chain vulnerabilities
This incident is a textbook example of how easy it is for cyber criminals to exploit the software supply chain. According to a report by the non-profit organization Identity Theft Resource Center, supply chain attacks surpassed malware-based attacks by 40% in 2022, with more than 10 million people and 1,743 entities affected.
Most organizations invest time and resources in order to increase cyber resiliency, but many forget to assess how secure their third-party providers are. In some cases, organizations have limited visibility into the software and services that they rely on, rendering vulnerability patching very difficult.
MOVEit fallout and third vulnerability
More than 100 organizations have been affected by the MOVEit zero day. Victims include the government of Nova Scotia, and the U.S. government, which has confirmed that multiple federal agencies were compromised through the vulnerability.
Following the initial disclosure of the MOVEit vulnerability, two additional related vulnerabilities were identified. As it has just been discovered, the latest vulnerability is described as an SQL injection flaw that could allow an unauthenticated cyber criminal to escalate privileges and access the MOVEit Transfer database.
“An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content,” stated the National Institute of Standards and Technology (NIST). Progress Software says that it is working with industry partners to address the issues.
To operate responsibly, organizations need to understand third-party weaknesses as if they were their own. This is crucial. An attack may not only affect a targeted organization, but may also affect business partners and their employees, whose data may become compromised.
When personal information is compromised, individuals are suddenly at higher risk of becoming targets of other types of cyber attacks. In turn, organizational security is at greater risk, as targeted employees may click on phishing links, provide sensitive business information to suspicious callers…etc.
It’s critical for businesses to adopt a prevention-first mindset. Businesses also need to implement tight controls to limit the impact of attacks and need to advance monitoring systems to ensure a high level of visibility across attack vectors.
“It’s important to note, organizations that have adopted a defensible security architecture — including the use of Web Application Firewalls (WAF) and ZTNA (zero trust network access) solutions — would have a higher chance of preventing this attack, even if their servers were unpatched,” says BlackBerry Vice President of Threat Intelligence Ismael Valenzuela.
For more general insights into the MOVEit vulnerability, please click here. For MOVEit vulnerability mitigation measures, please click here. Lastly, subscribe to the CyberTalk.org newsletter for executive-level interviews, analyses, reports and more each week. Subscribe here.