MOVEit Hack: What went wrong, and how to course correct
What the MOVEit Breach Tells Us About the Challenges of Patching
On May 31, 2023, Progress Software published details of a critical vulnerability (CVE-2023-34362, a SQL injection flaw) in MOVEit Transfer, its widely used managed file transfer (MFT) product. It soon transpired that the Cl0p extortion group had been exploiting the bug as a zero-day to steal sensitive data from a large number of customers. The victim count now stands at over 2,500 organizations and almost 68 million individuals.
Some of these organizations were compromised before a patch became available. Others were hit because they could not patch quickly enough once one was, or because a supplier that held their data could not. This speaks volumes about the persistent challenges IT teams face in prioritizing security patches and in finding and updating every critical asset once patches become available.
To get back on the front foot, they need enhanced visibility, and they need better business context.
What Happened?
Cl0p began exploiting the zero-day vulnerability in MOVEit Transfer on May 27. Progress Software's May 31 advisory warned that the SQL injection flaw could “lead to escalated privileges and potential unauthorized access to the environment.” This is exactly what happened: Cl0p used the vulnerability to deploy web shells on customer MOVEit Transfer servers and then exfiltrate large volumes of data from them.
What followed was a classic extortion campaign, with victim organizations subsequently pressured into paying a ransom to avoid their data being published on a dedicated leak site. It’s claimed Cl0p could make as much as $100m from this campaign alone.
Victims ranged from state and local government bodies to large multinationals and managed service providers. The overwhelming majority (78%) were based in the United States, with education (41%), health (19%), and financial/professional services (12%) the most impacted sectors.
Could the huge financial and reputational damage inflicted on the victim organizations have been prevented? Progress Software promptly released a patch for the zero-day. And its message to customers on May 31 was unequivocal:
“It is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment.”
Yet the developer also revealed that the vulnerability had been exploited in the wild “in May and June 2023.” In other words, the Cl0p group continued to take advantage of unpatched deployments after the original security update was published.
A Long Tail of MOVEit Victims
The victim count continues to grow months later, although most of these victims were likely breached in the first few days and weeks of the campaign. The sheer variety of names below highlights the universal challenge of prompt patching. Among the most notable are:
- BORN Ontario, which said data on 3.4 million locals over a 10-year period was compromised.
- French unemployment agency Pôle Emploi (10 million individuals impacted)
- Louisiana Office of Motor Vehicles (six million)
- Colorado Department of Health Care Policy and Financing (four million)
- Oregon Department of Transportation (3.5 million)
The impact on organizations and end users was amplified by the fact that many upstream supply chain providers were compromised. These include:
- US government outsourcer Maximus (11 million)
- The National Student Clearinghouse (900 schools)
- Payroll provider Zellis, whose clients included the BBC, British Airways and Boots
What’s the Problem with Patching?
So, why couldn’t many of these organizations follow Progress Software’s guidance promptly and avoid being caught up in the Cl0p campaign? The challenges they experienced in the aftermath of its security advisory are nothing new: they stem from dynamic, distributed endpoint environments, surging volumes of new vulnerabilities, and ineffective tools.
Take the IT environment. Today’s organizations might manage tens or even hundreds of thousands of endpoints, distributed across traditional on-premises networks and multiple cloud environments—including in employees’ homes. These could range from traditional desktop and laptop computers to virtual machines and cloud containers. The latter are in constant flux, creating a volatile and ephemeral environment that can only be managed with automated tooling.
Next, consider the growth in new CVEs that security teams must contend with. The number of new vulnerabilities published in the US government's National Vulnerability Database (NVD) in 2022 rose by roughly a quarter year-on-year to 25,096, a new all-time high and the sixth record year in a row. Contributing factors include increased activity from threat groups, gray-market commercial spyware makers, and ethical hackers and bug bounty programs.
These two factors make it extremely challenging for many organizations to work out which patches/CVEs and which systems to address first. But their task is made harder still because many are laboring with inadequate vulnerability management tools. They have two key drawbacks:
- Most do not map or cover the entire endpoint fleet. They may miss critical cloud assets, for example.
- Most can’t provide context for a CVE beyond its CVSS score, such as whether it is being exploited in the wild, whether the affected asset is internet-facing, or what data that asset holds. This means organizations can’t take a risk-based approach to patching aligned with their risk appetite. It leads to wasted time and resources prioritizing the wrong patches, whilst unwittingly leaving the organization exposed to critical threats.
How CAASM Can Help to Prioritize and Remediate
Organizations need a more intelligent way to respond. This is where Cyber Asset Attack Surface Management (CAASM) comes in, by mapping the entire attack surface to support better informed vulnerability remediation decisions.
Noetic’s CAASM solution goes even further by:
- Providing a comprehensive view of all assets in the organization, by integrating with a wide range of IT and security tools including public clouds, vulnerability scanners, configuration management databases (CMDB), and endpoint detection and response (EDR) tools.
- Building and displaying a multi-dimensional map of all these assets and the cyber relationships between them, enabling teams to spot critical gaps in their scanning capability.
- Continuously discovering new assets, recently disappeared assets and the relationships between them. From this data Noetic builds temporal graphs that map typical threat actor pathways to new vulnerabilities, which in turn helps predict which assets need patching first.
- Mapping technical data alongside business context, such as the location or business unit related to an asset or application. This enables customers to prioritize assets according to specific business risk.
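To make the last three points concrete, here is an added example (not Noetic's code, nor part of the original article) of what a CAASM-style reconciliation does in miniature: it merges constructed inventory exports from a public cloud, a CMDB, an EDR agent roster and a vulnerability scanner into one asset map, reports which assets each tool is blind to, lists instances of a given application that were never scanned, and ranks findings by a risk score that combines CVSS with known-exploitation status, internet exposure and data sensitivity. All hostnames, business units, tags and the `EXAMPLE-0001` finding ID are made up; the weights in `DATA_WEIGHT` and `risk_score` are illustrative assumptions, and `KNOWN_EXPLOITED` stands in for a feed such as CISA's Known Exploited Vulnerabilities catalog.

```python
"""Toy CAASM-style asset reconciliation and risk-based patch prioritization.

All inventory data below is constructed for illustration; no real tool APIs
are called. The scoring weights are assumptions, not a vendor's method.
"""
from dataclasses import dataclass, field

# Constructed exports, shaped like what a CAASM tool would ingest.
CLOUD = [  # public cloud inventory: exposure and owning business unit
    {"host": "mft-prod-01", "public_ip": True, "bu": "finance"},
    {"host": "mft-prod-02", "public_ip": True, "bu": "hr"},
    {"host": "mft-dev-01", "public_ip": False, "bu": "it"},
    {"host": "web-cache-07", "public_ip": True, "bu": "marketing"},
]
CMDB = [  # configuration management database: application and data class
    {"host": "mft-prod-01", "app": "MOVEit Transfer", "data": "pii"},
    {"host": "mft-prod-02", "app": "MOVEit Transfer", "data": "payroll"},
    {"host": "mft-dev-01", "app": "MOVEit Transfer", "data": "test"},
    # Recorded in the CMDB but absent from the cloud export: a shadow asset.
    {"host": "legacy-ftp-03", "app": "MOVEit Transfer", "data": "pii"},
]
EDR = ["mft-prod-01", "mft-dev-01", "web-cache-07"]  # hosts with an EDR agent
SCANNER = {  # vulnerability scanner findings per host
    "mft-prod-01": [{"cve": "CVE-2023-34362", "cvss": 9.8}],
    "mft-dev-01": [{"cve": "CVE-2023-34362", "cvss": 9.8}],
    "web-cache-07": [{"cve": "EXAMPLE-0001", "cvss": 7.5}],  # placeholder ID
}
# Stand-in for a known-exploited-vulnerabilities feed (assumption).
KNOWN_EXPLOITED = {"CVE-2023-34362"}
ALL_SOURCES = ("cloud", "cmdb", "edr", "scanner")
DATA_WEIGHT = {"pii": 3.0, "payroll": 3.0, "test": 0.0}  # illustrative


@dataclass
class Asset:
    host: str
    sources: set = field(default_factory=set)  # which tools know this host
    public: bool = False
    bu: str = "unknown"
    app: str = "unknown"
    data: str = "unknown"
    findings: list = field(default_factory=list)


def merge_inventory(cloud, cmdb, edr, scanner):
    """Correlate every export on hostname into a single asset map."""
    assets = {}

    def get(host):
        return assets.setdefault(host, Asset(host))

    for rec in cloud:
        a = get(rec["host"])
        a.sources.add("cloud")
        a.public, a.bu = rec["public_ip"], rec["bu"]
    for rec in cmdb:
        a = get(rec["host"])
        a.sources.add("cmdb")
        a.app, a.data = rec["app"], rec["data"]
    for host in edr:
        get(host).sources.add("edr")
    for host, findings in scanner.items():
        a = get(host)
        a.sources.add("scanner")
        a.findings.extend(findings)
    return assets


def coverage_gaps(assets):
    """Hosts that at least one tool is blind to, with the missing sources."""
    return {
        h: [s for s in ALL_SOURCES if s not in a.sources]
        for h, a in assets.items()
        if set(ALL_SOURCES) - a.sources
    }


def unscanned_instances(assets, app):
    """Instances of `app` with no scanner record: you cannot patch what you cannot see."""
    return sorted(h for h, a in assets.items()
                  if a.app == app and "scanner" not in a.sources)


def risk_score(asset, finding, exploited):
    """CVSS, doubled if exploited in the wild, plus exposure and data weights."""
    score = finding["cvss"]
    if finding["cve"] in exploited:
        score *= 2
    if asset.public:
        score += 3.0
    score += DATA_WEIGHT.get(asset.data, 0.0)
    return round(score, 1)


def prioritize(assets, exploited):
    """All findings ranked by risk score, highest first."""
    rows = [(a.host, f["cve"], risk_score(a, f, exploited))
            for a in assets.values() for f in a.findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    inventory = merge_inventory(CLOUD, CMDB, EDR, SCANNER)
    print("coverage gaps:", coverage_gaps(inventory))
    print("unscanned MOVEit:", unscanned_instances(inventory, "MOVEit Transfer"))
    for host, cve, score in prioritize(inventory, KNOWN_EXPLOITED):
        print(f"{score:5.1f}  {host:14s} {cve}")
```

The point of the exercise is in the second and third outputs: two MOVEit Transfer instances (one of them a shadow asset known only to the CMDB) never appear in the scanner's findings, so a CVSS-only patch list would simply not contain them, while the ranking separates the internet-facing production server holding PII from the non-exposed dev box even though both carry the same CVSS 9.8 finding.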
Over half of the 12 vulnerabilities most routinely exploited in 2022 had been disclosed and patched by their vendors more than a year earlier. Organizations need a combination of comprehensive coverage, intelligent mapping, and business context to make vulnerability management fit for purpose again.