It’s been almost three months since a flaw in the popular file-transfer app MOVEit was discovered and patched, yet the list of businesses and government agencies stung by the MOVEit breach continues to mount. And the rampage shows no signs of stopping.
By some counts, more than 40 million people and at least 600 public and private organizations may have been affected thus far by the zero-day MOVEit bug that was disclosed in late May. The latest high-profile victim is IBM, which confirmed last week that its use of the MOVEit application may have resulted in the exposure of millions of people’s healthcare records held by state agencies in Colorado and Missouri. These attacks, driven largely by the Russian ransomware gang Clop, have hit all levels of government as well as colleges, hospitals, banks, pension funds, stock traders, tech vendors, insurers, accountants, and an online gambling site.
Not surprisingly, legal action related to the cyber incident is exploding. Progress Software Corp., which makes MOVEit, faces at least 13 lawsuits in various federal courts around the United States, according to The Wall Street Journal. And because there are hundreds of thousands of MOVEit customers, attorneys are feverishly chasing people who received MOVEit data breach letters to see if they might want to join class-action suits.
In the past few weeks alone, the University of Rochester, the Teachers Insurance and Annuity Association, Johns Hopkins University, Maximus Federal Services, and Pension Benefit Information (a California Public Employees’ Retirement System service provider) have all been sued over the breach.
That presents a very new problem for very old software. File transfer systems have been moving data around for decades and are considered vital to commerce.
“Data is lifeblood for most organizations,” says Tim Morris, chief security officer for Tanium, a leading cybersecurity software firm (and the publisher of Focal Point). “But file transfer programs are notoriously security-challenged because the data they handle is often unencrypted. Add to that vulnerabilities like those in MOVEit, and cybergangs are going to have a field day with exploits.”
Luckily, there are steps enterprises can take to avoid becoming part of this massive data breach.
Why the MOVEit breach is such a pernicious problem
To get ahead of the problem, it helps to understand what’s behind it. On May 31, Progress announced it had learned of a MOVEit SQL injection vulnerability, a class of flaw in which attackers insert malicious SQL into input fields to gain unauthorized access to, or control over, the application’s database and the systems behind it. Progress immediately launched an investigation, alerted MOVEit customers, provided mitigation steps, and released a patch 48 hours later.
“Many organizations were in fact able to deploy the patch before it could be exploited,” Eric Goldstein, a senior official at the U.S. Cybersecurity and Infrastructure Security Agency, told Reuters.
With many other vulnerabilities, the patch might have been enough to prevent widespread problems. But in this case, Clop hackers already knew about the MOVEit flaw, which was similar to the GoAnywhere MFT zero-day vulnerability in January, and had started launching attacks before Progress’ alert.
In other words, hackers had a head start. And if you listen to Progress, that edge, Clop’s aggression, and the increasingly intertwined nature of data, software, and supply chains in our digital world are key reasons why so many agencies and corporations are still discovering they’ve suffered MOVEit breaches.
The other reason, experts say, is that many companies didn’t take the need to patch as seriously as they should have.
Patching procrastination? This may be the real MOVEit culprit
Whether that’s true or not is difficult to assess. But security researchers such as Huntress, which successfully recreated the attack chain commonly used for exploiting the MOVEit vulnerability, have said the Progress Software patch “does effectively thwart our recreated exploit.”
Progress suggests many organizations probably did not install the patch because they may not have taken the threat as seriously as they should have or didn’t have the time and resources to get it done quickly enough. Also, because MOVEit is used across supply chains, it’s entirely possible that some IT organizations didn’t even know they or their partners were using the file transfer product.
In that sense, “it’s very Log4j-esque,” says John Hammond, a cybersecurity researcher with Huntress, referring to the Apache vulnerability that’s been a persistent threat since its discovery in November 2021. By some estimates, 72% of organizations are still vulnerable to it.
How to minimize the threat of the MOVEit breach
So, what can an organization do if it hasn’t already taken steps to protect itself? Experts recommend these precautions:
You need to know if you or your suppliers have MOVEit and whether it could affect you. Take an application and asset inventory to figure out if you have any MOVEit servers in your tech stack. You’ll also want to reach out to suppliers and hold them accountable for the security of all the technology they’re using. The tech firm Prevalent has a useful list of questions you might ask during these conversations. “Even if what they have isn’t in your purview, it’s still a component affecting how you keep your operations safe,” Hammond says.
Stating the obvious here, but you’re gambling with your corporate existence, reputation, and legal standing if you’re not installing all patches. Progress has said it will now issue service packs every two months or so. Watch for those. Most organizations seemingly understand the need to update and have moved 21 times faster than what’s considered typical to remediate this problem, according to a Bitsight report. As a result, the number of organizations vulnerable to the flaw has dropped somewhat—77% of the originally affected organizations are no longer vulnerable, Bitsight found. Of course, that means 23% remain vulnerable to attack.
Progress also recommends disabling all HTTP and HTTPS traffic to your MOVEit Transfer environment as an important mitigation. More specifically, you want to modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
Tim Morris, of Tanium, also recommends paying close attention to where you’re storing data and making sure it isn’t located in the same place as MOVEit for any length of time. “By getting the data off the edge and to a more secure place, it effectively reduces the ‘blast radius,’” says Morris. “That limits what an attacker can steal and minimizes the effect of the bug, making MOVEit a proxy that is quickly moving data but not storing it.”
Morris says it’s also vital to monitor network ports, protocols, and services, and to make sure security configurations on network infrastructure devices, like routers and firewalls, are activated.
Experts also suggest a number of common-sense cyber-hygiene steps, including:
- Updating network firewall rules to allow connections to MOVEit infrastructure only from trusted IP addresses.
- Reviewing and removing unauthorized users’ accounts, an essential task that too frequently gets pushed down on an organization’s security to-do list.
- Limiting file access to people who are already authenticated by the network, granting admin privileges only where absolutely necessary.
- Updating remote-access policies to allow inbound connections only from trusted IP addresses.
- Enabling multifactor authentication (MFA) to protect MOVEit accounts from unverified users.
- Pre-encrypting sensitive files with a proven algorithm such as the Advanced Encryption Standard (AES), a symmetric block cipher that encrypts and decrypts transferred information quickly (think of AES as a super-secure secret code that turns messages into gibberish only the right person can understand), so that data stolen from the transfer server is useless without the key.
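The interim “deny 80/443 until patched” step Progress recommends above and the trusted-IP allow-list items in the checklist, combined in one added PowerShell example (not code from the article, Progress, or Tanium). It assumes Windows Firewall on the MOVEit Transfer host enforces the rules; the rule names, the `$TrustedSources` list and the `$Patched` flag are assumptions made for illustration.

```powershell
# Added example: emergency block of the MOVEit Transfer web listener before the
# patch, then a trusted-source allow-list once patched. Not vendor code.
# Run in an elevated PowerShell session on the MOVEit Transfer host.
# Rule names, $TrustedSources and $Patched are assumptions for this example.

$TrustedSources = @('203.0.113.10', '203.0.113.11', '198.51.100.0/24')  # constructed sample values
$Patched   = $false   # set to $true only after the Progress patch is installed and verified
$BlockRule = 'MOVEit-Emergency-Block-80-443'
$AllowRule = 'MOVEit-Allow-Trusted-80-443'

# 1. Confirm what is actually listening on 80/443 before touching any rules.
Get-NetTCPConnection -State Listen -LocalPort 80,443 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

if (-not $Patched) {
    # 2. Interim mitigation: deny ALL inbound HTTP/HTTPS to MOVEit Transfer.
    #    SFTP/FTPS listeners are untouched; the web UI and API stop accepting traffic.
    if (-not (Get-NetFirewallRule -DisplayName $BlockRule -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $BlockRule -Direction Inbound -Protocol TCP `
            -LocalPort 80,443 -Action Block -Profile Any -Enabled True | Out-Null
    }
    Write-Host "Inbound 80/443 blocked by rule '$BlockRule' until patching is complete."
}
else {
    # 3. Patched: lift the emergency block and keep only trusted sources.
    Remove-NetFirewallRule -DisplayName $BlockRule -ErrorAction SilentlyContinue

    # In Windows Firewall a Block rule always beats an Allow rule, so "deny everyone
    # else" must come from the profile default inbound action, not from a second rule.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

    if (Get-NetFirewallRule -DisplayName $AllowRule -ErrorAction SilentlyContinue) {
        Set-NetFirewallRule -DisplayName $AllowRule -RemoteAddress $TrustedSources
    }
    else {
        New-NetFirewallRule -DisplayName $AllowRule -Direction Inbound -Protocol TCP `
            -LocalPort 80,443 -RemoteAddress $TrustedSources -Action Allow -Profile Any | Out-Null
    }
    Write-Host "Inbound 80/443 now allowed only from: $($TrustedSources -join ', ')"
}

# 4. Evidence for the change ticket: list the MOVEit rules with their address filters.
Get-NetFirewallRule -DisplayName 'MOVEit-*' | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    '{0,-32} {1,-6} {2}' -f $_.DisplayName, $_.Action, ($addr -join ',')
}
```

The block rule also cuts off legitimate web transfers, which is the trade-off Progress’ interim guidance accepts; a perimeter firewall in front of the host should carry equivalent rules so the control does not depend on the compromised-candidate machine alone.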
Like Hollywood moviemakers, hackers follow trends. If researchers find a vulnerability in a particular software category, and ransomware gangs profitably exploit it, then similar flaws and cyberattacks tend to follow.
File transfer attacks are in vogue right now, and this might not be the last time we hear about exploits involving MOVEit. Even if law enforcement succeeds in taking down Clop at some point, it remains critically important to read the news, watch for vendor alerts and letters, and screen for known indicators of compromise, because there will always be bad actors. Progress publishes security updates for MOVEit Transfer and for MOVEit Cloud on separate pages; watch both.
“I have a feeling MOVEit breaches are going to be a problem for a lot longer than we initially thought, bringing all sorts of costly headaches with them,” says Morris. “But if you’re patching and practicing reasonable cyber hygiene, you should be able to minimize any chance of being affected by this problem.”