The MOVEit hack and what it taught us about application security
By GFiuui45fg
When a cyberattack like the 2023 MOVEit hack makes global news headlines, attention often focuses on the names of the affected organizations, or the number of people impacted. While this spotlight is understandable, properly analyzing what happened in an attack like MOVEit is useful for developing concrete cybersecurity steps to prevent similar incidents from hitting organizations.
This article overviews the MOVEit hack and aims to draw some important actionable takeaways for your business.
What was the MOVEit Hack?
On June 6th, 2023, the notorious Russian-affiliated ransomware group, Clop, claimed responsibility for an attack that targeted Progress Software’s MOVEit transfer tool.
This corporate file-sharing solution has an extensive customer base in the United States. Organizations use MOVEit for secure file transfers; it’s essentially a more jazzed-up, professional version of popular file-sharing tools like Dropbox.
In May 2023, cybercriminals at Clop uncovered a previously unknown vulnerability in MOVEit, which they began exploiting. Up to 130 organizations suffered from downstream impacts when the vulnerability in MOVEit enabled Clop hackers to gain access to their IT environment and steal sensitive data.
The MOVEit hack was not the same as classic ransomware attacks for which groups like Clop initially gained notoriety. There was scant evidence of systems being locked down and made inaccessible by threat actors installing their .clop ransomware file.
Instead, further exemplifying the value today’s hackers place on data, the attack saw personal information belonging to roughly 16 million people being compromised and exfiltrated from systems.
There are many ways that the Clop hackers could use this data or profit from it. The most obvious is the extortion tactic that ransomware gangs have shifted towards in recent years.
Instead of locking down systems and demanding ransoms, hackers steal sensitive data and threaten to publish it online if companies don’t pay up. They could also sell the data on shady dark web marketplaces where other cybercriminals can use it to conduct scams and fraud.
How Did the Attack Happen?
Delving further into the MOVEit attack uncovers some additional useful information about the tactics and causes. First, this was a clear case of the growing software supply chain security risks that companies face.
Many businesses rely on third parties to provide useful software and code as elements of the supply chain for their own services or apps, but this reliance also means potential access to the data and other resources on their networks via vulnerabilities in the software supply chain.
Another important aspect to consider is that the vulnerability exploited by Clop in MOVEit software was a zero-day. Cyber gangs prize these vulnerabilities so highly because the vendor has not had time (zero days) to fix them.
Emerging digital forensic analysis from the aftermath of MOVEit suggests the hackers knew about the zero-day flaw in MOVEit as far back as 2021 when they tested it out covertly to see how much access they could get.
The vulnerability was related to SQL injection, a common entry point into applications. These types of software code weaknesses enable data manipulation or database access. The MOVEit hack progressed from manually testing the SQL injection flaw to exploiting large numbers of organizations with it in an automated way.
The actual hack worked by exploiting the SQL vulnerability to install a backdoor in MOVEit that facilitated data downloads from organizations using the file transfer solution. Clop gang members then set a deadline of June 14 for companies to pay up if they wanted to avoid having stolen personal information about customers or employees published online.
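To make the SQL injection weakness described above concrete, here is an added example (not code from the original article and not MOVEit's own code) using a constructed SQLite "files" table for a hypothetical file-transfer service: the vulnerable lookup builds the query by string concatenation, while the hardened lookup binds the caller's input as a parameter so it can never alter the SQL.

```python
import sqlite3

# Constructed demo schema and rows; this is not MOVEit's real schema.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", [
        ("alice", "payroll-q1.csv"),
        ("alice", "contracts.zip"),
        ("bob", "invoices.pdf"),
    ])
    return conn

def list_files_vulnerable(conn, owner):
    # String concatenation: caller input becomes part of the SQL text itself,
    # so a value containing quotes and SQL operators changes the query's logic.
    query = "SELECT name FROM files WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(query)]

def list_files_hardened(conn, owner):
    # Parameterised query: the input is bound as a value by the driver and
    # is compared literally, whatever characters it contains.
    query = "SELECT name FROM files WHERE owner = ?"
    return [row[0] for row in conn.execute(query, (owner,))]

# Constructed input that turns the concatenated WHERE clause into an
# always-true condition; the hardened query treats it as a plain owner name.
CRAFTED_INPUT = "nobody' OR '1'='1"

def demo():
    conn = build_demo_db()
    return {
        "bob_vuln": list_files_vulnerable(conn, "bob"),
        "crafted_vuln": list_files_vulnerable(conn, CRAFTED_INPUT),
        "crafted_hardened": list_files_hardened(conn, CRAFTED_INPUT),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The vulnerable lookup returns every owner's files for the crafted input, which is the kind of unauthorised database access the article describes; the hardened lookup returns nothing because no owner literally has that name.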
Impacts of the MOVEit Attack
Aside from the millions of people that had their private data compromised, many of whom were employees at the affected organizations, looking at some of the companies hit by this supply chain incident says a lot about the far-reaching impacts of modern advanced cyberattack campaigns.
Zellis
Zellis is a popular payroll provider used by dozens of large companies, so the fact that it was breached through the MOVEit flaw meant that this supply chain incident spread to some of Zellis' clients. This shows the cascading impact of software supply chain breaches.
BBC
The world's media took swift note of the MOVEit hack when it emerged the UK's state broadcaster was one of the victims. It appears the BBC was one of the organizations to suffer because of Zellis being hit by the breach. Pharmacy company Boots and airline British Airways also got hit.
Norton LifeLock
Renowned for its identity theft protection solution and antivirus tools, it was somewhat ironic that Norton suffered from data loss because of this attack. Statements then emerged that employee data was stolen from internal systems.
Tips to Prevent Similar Future Incidents
Map your supply chain
By mapping the software supply chain, you glean a better understanding of where your software is coming from, which components are being used, and who the suppliers are. This is a similar concept to a physical supply chain; the commonality of relying on open-source projects and third-party libraries, frameworks, and apps necessitates thorough transparency and visibility. This allows you to identify and understand potential weak points in the chain (e.g. open-source projects with few updates) that could be exploited by attackers.
Strengthen third-party risk management
A strategic improvement in your third-party risk management (TPRM) strategy reaps benefits for securing your network against supply chain attacks. Consider strengthening what you demand of the parties that contribute either code or apps to the functioning of your business. Exercise greater due diligence over open-source projects, ask vendors to comply with cybersecurity frameworks, and perhaps demand to see evidence of at least an annual pen test before you allow a third-party software vendor access to your network environment.
Move towards zero trust
Zero Trust architecture is a security model that dictates no user, system, or service operating within a network’s secure perimeter gets automatically trusted. Instead, authentication must be continually verified based on context and risk factors. Several tenets of zero trust strengthen resilience against supply chain hacks:
- Zero Trust architectures implement least privilege access by default. If a hacker manages to access your environment via vulnerable third-party code or apps, the least privilege access model limits what they can do.
- A crucial part of the Zero Trust model is dividing your network into smaller, isolated segments (microsegments). If a hacker exploits a vulnerable software component, they will likely only have access to that specific network microsegment.
- Zero Trust architectures require continuous verification of identities and permissions. Any unusual behaviour, such as attempts by apps to access resources not typically needed, can trigger alarms and automatic protective responses. This could contain the blast radius of a software supply chain breach.
While no system completely prevents software supply chain attacks, implementing zero trust architecture greatly reduces the potential impact of breaches by limiting an attacker’s access and capabilities.
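As an added illustration of the continuous-verification tenet above (example code written for this article, not a product or project implementation), the following checks a constructed access log against a per-service least-privilege baseline and flags any service touching a resource outside its allow-list. Service names, resource names and log lines are all constructed for the example.

```python
from collections import defaultdict

# Constructed baseline: resources each service is expected to touch
# under least privilege. A real deployment would derive this from policy.
BASELINE = {
    "file-transfer-svc": {"file-store", "transfer-db"},
    "payroll-svc": {"payroll-db", "file-store"},
}

# Constructed access log lines: "<timestamp> <service> <action> <resource>"
LOG_LINES = """\
2023-05-28T01:02:03Z file-transfer-svc read file-store
2023-05-28T01:02:09Z file-transfer-svc write transfer-db
2023-05-28T01:03:41Z file-transfer-svc read payroll-db
2023-05-28T01:04:02Z file-transfer-svc read hr-directory
2023-05-28T01:05:17Z payroll-svc read payroll-db
2023-05-28T01:06:00Z unknown-svc read file-store
""".splitlines()

def parse_line(line):
    ts, service, action, resource = line.split()
    return {"ts": ts, "service": service, "action": action, "resource": resource}

def find_out_of_baseline(lines, baseline=BASELINE):
    """Return events where a service touched a resource outside its allow-list.
    A service with no baseline entry at all is treated as fully out of baseline,
    so an unexpected identity is flagged rather than silently allowed."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        allowed = baseline.get(ev["service"], set())
        if ev["resource"] not in allowed:
            alerts.append(ev)
    return alerts

def summarize(alerts):
    """Group the unexpected resources per service for a first triage view."""
    per_service = defaultdict(set)
    for ev in alerts:
        per_service[ev["service"]].add(ev["resource"])
    return {svc: sorted(res) for svc, res in per_service.items()}

if __name__ == "__main__":
    for ev in find_out_of_baseline(LOG_LINES):
        print("ALERT", ev["ts"], ev["service"], ev["action"], ev["resource"])
```

In the constructed log, the file-transfer service reaching into the payroll database and HR directory is exactly the "resources not typically needed" signal the article refers to, and it would be the trigger for an automatic response such as revoking that service's session.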
Pen test apps
After Clop hit over 100 companies by exploiting the zero-day flaw, further evidence emerged of different, unrelated weaknesses in MOVEit's code that opened other potential paths for exploitation.
Perhaps the most important thing MOVEit’s IT and development teams overlooked in preventing this incident was the value of thoroughly pen testing its code. In a pen test engagement, skilled ethical hackers scour and probe for exactly the type of SQL injection weaknesses that Clop detected and exploited.
Opt for Continuous Penetration Testing
Sporadic or infrequent penetration testing won’t suffice to secure your network or apps from incidents like the MOVEit hack.
Modern development practices like DevOps call for adding new features to apps regularly, which could introduce security weaknesses. Cybercriminals constantly probe web apps to come up with new ways to break into them.
Organizations traditionally perform pen testing as a point-in-time exercise.
The problem is that the speed of change in both web apps and the threat landscape quickly outdates the results of these tests. Furthermore, organizations tend to treat pen testing as a compliance box to tick rather than something they do on an ongoing basis.
Penetration testing as a service (PTaaS) shifts companies away from the outdated testing model towards a combination of real-time automated scanning and more regular manual testing.
Outpost24’s SWAT is an innovative PTaaS solution available via a SaaS portal. With SWAT, you get continuous monitoring of internet-facing web applications to more rapidly detect and remediate new software vulnerabilities with zero false positives.
Alongside this continuous automated testing, SWAT also arms you with a team of highly skilled and experienced pen testers to conduct manual testing at any customized frequency or based on any other needs.
A Multi-Pronged Approach
Combating advanced hacks like the MOVEit attack calls for a multi-pronged approach and a need to re-think certain elements of your cybersecurity strategy.
Move towards zero trust, try to get more visibility into your supply chain, and opt for continuous pen testing that catches code vulnerabilities faster than traditional manual approaches.
Outpost24’s SWAT PTaaS platform helps you find all potential weaknesses in a modern web app ecosystem, from the underlying code to third-party libraries to API flaws.