The MOVEit mass hacks will likely go down in history as one of the largest and most successful cyberattacks of all time.
By exploiting a vulnerability in Progress Software’s MOVEit managed file transfer service, used by thousands of organizations to securely transfer large amounts of often-sensitive files, hackers were able to inject SQL commands and access customers’ sensitive data. The attack exploited a zero-day vulnerability, which meant Progress was unaware of the flaw and did not have time to patch it in time, leaving its customers largely defenseless.
The Russia-linked Clop ransomware group, which claimed responsibility for the hacks, has been publicly listing alleged victims since June 14. This growing list includes banks, hospitals, hotels, energy giants and more, and is part of an attempt to pressure victims into paying a ransom demand to stop their data from spilling online. In a post this week, Clop said that on August 15, it would leak the “secrets and data” of all MOVEit victims that refused to negotiate.
This wasn’t Clop’s first mass hack, either; the group has been blamed for similar hacks targeting Fortra and Acellion’s file-transfer tools.
According to Emsisoft’s latest statistics, the MOVEit hack has affected at least 620 known corporates and more than 40 million individuals. Those figures have increased almost daily since the hacks began.
But how high could the numbers go? “It’s impossible to assess at this point,” Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch+. “We don’t yet know how many organizations were impacted or what data was compromised.”
Callow pointed out that around a third of the known victims were impacted via third parties, and others were compromised via subcontractors, contractors or vendors. “This complexity means it’s highly likely that some organizations that have been impacted don’t yet know they’ve been impacted,” he said.
While the impact of this hack is unusual because of its scale, the attack isn’t new in terms of its approach. Adversaries have long exploited zero-day flaws, and supply chain attacks have grown prevalent in recent years because one exploit can potentially affect hundreds, if not thousands, of customers.
This means that organizations need to act now to ensure they don’t fall victim to the next mass hack.
Picking up the pieces
For victims of the hacks, it may seem like the damage has already been done and recovery is impossible. But while recovering from an incident like this can take months or years, affected organizations need to act fast to understand not only what types of data were compromised, but also their potential violations of compliance standards or data privacy laws.
Kristina Balaam, a threat intelligence researcher at Lookout, recommends that victims follow Progress’ guidance right away and ensure all MOVEit instances have been updated to the latest versions that have patched the exploitable vulnerabilities. Next, victims need to figure out what data was compromised.
“Taking stock of potentially exposed data can be difficult, especially if an organization lacks visibility into where data lives and which files may contain more sensitive data than others,” said Balaam. “Since many of the victims were in highly regulated industries such as banking, healthcare and government, they need to be able to understand which data could have been compromised for the sake of their standing with industry-level compliance standards.”
Katherine Mansted, executive director of cyber intelligence at CyberCX, said organizations must ensure they are approaching recovery not just as a technical process but as a human one too.
“It involves understanding what’s been stolen and acting to minimize the harm to those affected — customers, employees, supply chain partners and more,” Mansted said. “As with all data breaches, that harm will have a very long tail — months, if not years.”
Whatever an organization’s approach, it is likely to be costly, according to Callow. “The costs will be absolutely massive — forensics, regulatory filings, identity protection, class actions, etc. And the question of who is responsible for picking up the tab will no doubt be one that ends up before the courts,” he said.
What’s next?
An organization can do little to prevent a breach at a third party, particularly when zero-day vulnerabilities are exploited and the vendor doesn’t even know if their product is flawed. But there are a number of security practices that can and should be followed, such as doing regular security audits and risk assessments.
Anna Chung, principal threat analyst at Palo Alto Networks’ Unit 42 threat intelligence team, feels that AI tools could be crucial in helping companies defend against the next mass hack.
“From a tooling perspective, organizations should prioritize effective approaches at scale to better defend themselves,” she said. “First is behavior analysis endpoint protection — AI-empowered technology allows security systems to detect abnormal behaviors and give attackers very limited windows to exploit the victim systems. Second, using powerful tools, like attack surface management and vulnerability monitoring, to understand what attackers can see about your organization.”
Tim Brown, the chief information security officer at SolarWinds, has witnessed firsthand the impact of a high-profile cyberattack. Brown says that to protect against the next mass hack, organizations need to collaborate and share insights. “Our digital adversaries collaborate well; they have no problem sharing,” he told TechCrunch+.
“We need to promote transparent and open information-sharing within the industry to combat sophisticated actors from carrying out cyberattacks,” Brown said. “Private companies and the government must form a two-way partnership and work together.”
Secure-by-design initiatives, such as CISA’s principles that urge product makers to bake in security early in the development process, could play an important role in helping organizations thwart similar attacks in the future.
Callow feels it’s only a matter of time before we see another attack of this scale if we can’t improve security practices. “There’s no easy way for organizations to protect themselves from incidents such as this — zero-days are hard to defend against — or to ensure that incidents like this do not happen in the future,” he said.
“Secure-by-design initiatives will, however, play a critical role, as, ultimately, we need platforms to be more secure than they are today.”