MOVEit Attack – Security Tool Vendors Have Failed Us… AGAIN!


2023 MOVEit Cyber Attack to Affect the Masses

Yet again, here’s a prime example of how a security vendor has failed to provide a secure tool. Sure, MOVEit may have had a fancy sales pitch and enticing software promising to transfer sensitive files securely, when in fact the product itself was not secure.

The UK Evening Standard reported, “The Russian cybercriminal gang Clop has posted a threat on its website on the Dark Web telling victims affected by the recent cyber attack (involving the MOVEit “Dropbox for enterprises” tool) to email them by June 14 to negotiate or face having their private data leaked onto the internet.”

This cyber attack is likely to hit as many as 100 or more companies that were using MOVEit in their cyber supply chain. It has already affected the governments of Nova Scotia and Canada. Companies affected include Zellis, an HR software provider, as well as the UK government-approved regulator for communications services, Ofcom, which oversees the broadcast, telecom and postal industries.

How Did Progress Address the Vulnerability?

Progress (MOVEit’s owner) has been extremely open about the vulnerability. They stated that, with more than 100,000 customers around the world, it is not yet known how many are using the MOVEit software. Security industry experts in the UK are being very clear in their advice.

The company released a statement saying, “Anyone running MOVEit should be dusting off their incident response processes NOW and ensuring that the patch is applied and carrying out a forensic examination of its technology stack to look for signs of hostile activity.”

Protect Your Organisation from Cyber Supply Chain Attacks

If the MOVEit and SolarWinds breaches can teach us anything, it’s to choose cyber supply chain vendors carefully. Take a step back and evaluate the decision processes you have in place when onboarding a tool into your stack.

Do you have a security vendor evaluation checklist in place? Does it include relevant questions like:

  • Was the product subject to “secure by design” principles and practices during development?
  • Has the product been subject to security testing?
  • Has your company been breached in the last five years?
  • Does the product provide remote connectivity to your company or any third parties?
  • Will you train my staff to understand the product’s performance and security requirements?

There are many more questions to cover than just the above, but the last one is vital. The fact is that without the people in our organisations understanding the tools and how to use them, any ‘cyber security’ tool implemented will be at best reactive and at worst useless.

In the UK, if you don’t report a breach within 72 hours to the Information Commissioner’s Office (ICO), you will face some very uncomfortable questions from them that could expose your organisation to the risk of one of their big fines. At the very least you’re going to cause your cyber security team weeks of remedial work to defend against accusations of expediency. Let’s look at how big this problem is specifically in relation to MOVEit. There are at least 1000 active unpatched servers still out in the wild as of 31 May 2023, and that’s just plain scary. This means many organisations are going to have some very difficult conversations with their Information Commissioners (or their equivalents).

Many will argue that I am being unfair. “How the heck is a tool supposed to find zero-day vulnerabilities, that even Microsoft/AWS are not able to defend against?”

Let me state my main gripe again: “People in our organisations must understand that tools alone don’t reduce risk, and that without the correct detective processes in place, a tool is going to be at best reactive and at worst useless.”

Tools alone do NOT protect all the attack vectors we need to defend against.

You might be saying to yourself, “OK smarty pants, what vectors are you talking about?”

Cyber security risk is not about what technology a bad actor is using, it’s about the bad actor. A lack of patching and of fit-for-purpose access control processes is the most often cited root cause of large-scale data loss events.

No matter what tools you are using, it is effective preventative and detective controls, run by educated and motivated people who know how to use those tools, that will de-risk your technology for you.

I am going to place a bet. If you have been affected by the MOVEit vulnerability, I will bet you a free consultation with Risk Crew, that the first thing your security resources did (the PEOPLE) was to go to Progress Software’s support site and look for the Hotfix PROCESS.

Now you may be saying, “Yeah, but that’s reactive. You still haven’t explained how to stop this from happening.”

Yes, that’s true, and here is why. Until tool vendors are held accountable for products that simply do not work, there is no motivation to employ better heuristics or smarter AI telemetry analysis to seek out unwanted bad actor behaviour.

Let’s also not forget that, due to the total lack of accountability displayed by the tool vendors, this is currently YOUR problem! And it will continue to be YOUR problem until the vendors are HELD accountable.

Steps to Secure Your Critical Assets If Affected by MOVEit

I hope your next question is, “OK, so what do I need to do?”

To be specific about MOVEit for a moment: direct your PEOPLE to visit the Progress website, read this PROCESS and follow it.

The actual fix equates to 3 simple steps:

  1. Disable all HTTP and HTTPS traffic to your MOVEit Transfer environment.
  2. Review, delete and reset unauthorised files and user accounts.
  3. Apply the patch.

3 simple PROCESS steps for your PEOPLE to follow.

No quarter of a million Pound, Dollar or Euro tool is required.

Am I right that you’re now asking, “That’s great, thanks, but that doesn’t help me proactively. What do I need to do to assure the Confidentiality, Availability and Integrity of my (and my customers’) information?”

Well, again it’s a simple 3 step process…

  1. Educate your PEOPLE! The MOVEit vector uses simple SQL injection. Again, I am going to bet you a free Risk Crew consultation that somewhere in your Technical Risk Register there is a SQL injection entry. It probably gets dusted off once a year at the mandatory technical risk review, the developers say, “I think IT have a tool to defend against this”, and then it is put back on the shelf. Get your people to OWN the issues in the risk register and drive them to follow processes that reduce the risks. Don’t allow expediency to creep into risk management. You must own it, as your tool vendors sure as hell won’t.
  2. Define and protect your information assets in a procedural manner. This means doing exactly what my previous employer did, but OWNING those processes throughout your organisation. Gamify vulnerability management by offering bug bounties, and clearly lay out a process for Security by Design. Motivate your staff to procedurally question (at every stage) the risks of implementing that little bit of free open-source code just as much as those of the latest quarter-million-pound slice of vapourware you just bought.
  3. MOST importantly, get really (uncomfortably) close to your technology providers and start demanding they deliver on the promises they make to keep you safe. Push them for more specific Service Level Agreements and service schedules that actually put pressure on them to provide more than just ephemeral and vague statements about how many threats you are protected against. Remember, your 99% detection rate is trumped straight away by a bad actor’s 1% success rate.
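Step 1 above asks developers to own the SQL injection entry in the risk register rather than assume a tool covers it. The following is an added illustration, not code from this post, from Progress or from MOVEit, of what that entry is actually about: the same user lookup written with string concatenation and with a parameterised query, run against a small in-memory SQLite table constructed here for the demonstration (the table, the usernames and the function names are all assumptions of this example). The concatenated version returns every row when given input containing a quote, the parameterised version treats that input as a plain string and matches nothing.

```python
import sqlite3

# Constructed sample data for the demonstration; this is not MOVEit's schema.
SAMPLE_USERS = [("alice", "tok-a"), ("bob", "tok-b")]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Risk-register example: untrusted input spliced into the SQL text.

    Whatever the caller passes becomes part of the statement, so quote
    characters in the input change the query's structure.
    """
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened form: the value travels as a bound parameter, never as SQL text.

    The database engine compares the literal bytes of `username` against the
    column, so quotes in the input cannot alter the statement.
    """
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both lookups on the same input and return (vulnerable, safe) results."""
    conn = build_db()
    try:
        return lookup_vulnerable(conn, username), lookup_safe(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both versions agree.
    print(compare("alice"))
    # Input containing a quote: only the concatenated version returns other users' rows.
    print(compare("x' OR '1'='1"))
```

The point for the risk review is that the fix is a coding discipline (bound parameters, enforced in code review and static analysis), not a product purchase; a perimeter tool that has never seen this application's queries cannot tell the two functions apart.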

Finally, let me explain why I personally felt strongly enough to write this blog post this morning, smashing my keyboard into pieces with my coffee steaming beside me almost as much as I was. Up until Q4 last year I was working for an organisation that is now in the news because it used MOVEit extensively in its back-end processing to move customer files around its service offering.

I can’t be too specific about how and why this was done because (no doubt like your organisation) my previous employer thought it was doing the right thing and was very conscientious. It had a solid pipelined development lifecycle for its SaaS product; it did component-level security reviews when new third-party technologies were being proposed; it carried out Data Privacy Impact Assessments (DPIAs) as a matter of course; and finally, it relied on tools to ensure that any vulnerabilities were captured.

And therein lies the problem. No matter how much up-front risk analysis you do on your components, you cannot de-risk the fact that our tool vendors STILL have no accountability for tools that simply do not deliver.

So, for now, it’s our problem. And the only way we are going to reduce these types of risks is with a triumvirate of trained People, using endemic Processes, assisted by aligned Technology, to Identify, Protect, Detect, Respond and Recover from these highly damaging events.

Help Make a #CyberChange and HOLD Vendors Accountable

If you agree with me and want to make a change, I encourage you to read The Circle of Failure – Why the Cyber Security Industry Doesn’t Work. It sheds light not only on how vendors are failing to secure products but also offers checklists on how you can make a change. Firstly, by DEMANDING more from your security vendors.

Written by: Jack Worsfold

Risk Crew