Pre and Post Breach Insights From the MOVEit Incident – Strengthening Cyber Posture
In 1972, Edward Norton Lorenz, a mathematician and meteorologist, introduced the world to the Butterfly Effect, giving birth to the science of chaos theory. The “Butterfly Effect” rests on the notion that the world is so interconnected that a single small occurrence can have a major impact on a larger, more complex system. He illustrated this with the metaphorical example of a butterfly flapping its wings and possibly leading to a tornado elsewhere. The notion is frequently invoked to explain how seemingly insignificant events in someone’s life can lead to transformative outcomes.
The Ripple Effect of MOVEit
In late May of 2023, the world witnessed the chaos that the exploitation of a single file transfer application called MOVEit could cause. MOVEit is a managed file transfer (MFT) software application that provides organizations with an automated and secure way to transfer sensitive data between partners, customers, users, and systems. A Russian ransomware group took advantage of a newly discovered vulnerability in this application, one that most of the world was unfamiliar with, to begin carrying out supply chain breaches across the interconnected digital world. The ripple effect of this butterfly-like event toppled some mighty big dominoes, including Shell Oil, Procter & Gamble, Siemens, Hitachi, British Airways, the BBC, the New York Department of Education, and the U.S. Department of Energy, exemplifying that indeed the bigger they are, the harder they can fall.
For some, the MOVEit exploit incident probably offered flashbacks to the infamous SolarWinds attack that was unveiled in December of 2020. In the SolarWinds incident, attackers managed to infiltrate SolarWinds’ software update system to inject malicious code into their Orion software suite. The code was then inadvertently sent to approximately 18,000 clients, establishing a backdoor into those organizations that allowed the attackers to establish command & control access. Given SolarWinds’ extensive clientele and prominence, the vast repercussions of such an assault are easy to postulate. But while MOVEit is popular within its product niche, the fact that a vulnerability in such a specialized file transfer tool could wreak so much havoc is a tough realization for many.
What Was Behind the MOVEit Attack
The MOVEit incident might be remembered as one of the most devastating zero-day exploitations, with its repercussions echoing worldwide for nearly three months, affecting more than 1,000 organizations and as many as 60 million individuals. The vulnerability came to light on June 1, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to advise all MOVEit clients to check for indications of unauthorized access and install the software patch released by the maker of the software, Ipswitch, Inc, to address the issue. Unfortunately, that warning came too late, as the Russian ransomware group CLOP had been exploiting the vulnerability since May 27. Known now as CVE-2023-3462, this SQL injection vulnerability permitted malefactors to embed a web shell into MOVEit, facilitating unauthorized data extraction from its transfer databases. CLOP began demanding payment from large corporate and government institutions under the threat of publicizing the compromised data seized from them.
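As a defender-side illustration of the “check for indications of unauthorized access” advice above (an added example, not code from the original article or from the MOVEit vendor), the following Python scans constructed IIS-style request logs for .aspx resources outside an assumed page baseline and for unusually large responses, the two traces a planted web shell used for data extraction would tend to leave, and correlates both per client. The log field layout, the page baseline, the threshold and every host, IP and path are assumptions.

```python
import re
from collections import defaultdict

# Constructed IIS W3C-style log lines (sample data, not real MOVEit logs).
# Fields: date time cs-method cs-uri-stem c-ip sc-status sc-bytes
SAMPLE_LOG = """\
2023-05-28 03:14:07 GET /human.aspx 203.0.113.9 200 5120
2023-05-28 03:14:09 POST /guestaccess.aspx 203.0.113.9 200 812
2023-05-28 03:14:12 POST /unknownpage.aspx 203.0.113.9 200 52428800
2023-05-28 03:15:01 GET /human.aspx 198.51.100.22 200 5120
2023-05-28 03:15:40 GET /api/v1/files 198.51.100.22 200 2048
"""

# Assumed baseline of .aspx pages a clean install serves; in practice build
# this from a known-good deployment rather than a hard-coded set.
KNOWN_PAGES = {"/human.aspx", "/guestaccess.aspx", "/machine.aspx"}
EXFIL_BYTES = 10 * 1024 * 1024  # assumed threshold for a "large" response

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<uri>\S+) "
    r"(?P<client>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def find_indicators(log_text, known_pages=KNOWN_PAGES, exfil_bytes=EXFIL_BYTES):
    """Flag unknown .aspx resources and oversized 200 responses, then report
    clients that show both (the profile of a web shell used for exfiltration)."""
    unknown, large, by_client = [], [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        uri = rec["uri"].lower()
        if uri.endswith(".aspx") and uri not in known_pages:
            unknown.append((rec["client"], rec["uri"]))
            by_client[rec["client"]].add("unknown_aspx")
        if rec["status"] == 200 and rec["bytes"] >= exfil_bytes:
            large.append((rec["client"], rec["uri"], rec["bytes"]))
            by_client[rec["client"]].add("large_response")
    suspects = sorted(c for c, flags in by_client.items() if len(flags) == 2)
    return {"unknown_aspx": unknown, "large_responses": large, "suspect_clients": suspects}

if __name__ == "__main__":
    for key, val in find_indicators(SAMPLE_LOG).items():
        print(key, val)
```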
The Scale of Supply Chain Attacks
The MOVEit incident underscores the immense cybersecurity challenges organizations grapple with today. While adversaries only need to find a single point of weakness, defenders have the monumental task of safeguarding every link in the chain. This situation challenges the traditional belief in military strategy that the defender has the advantage, since an attacking force requires a local advantage of at least 3:1 in combat power to break through a defender’s front at a specific point. As recent events make all too clear, businesses need to increase their resilience to attack, drawing on multiple tools and sources such as the MITRE Framework or third-party security operations centers and adopting a more proactive strategy.
Taking Control of Security
Although the MOVEit attack affected a vast number of organizations, the impact wasn’t uniform across the board. Those organizations with the right tools, people, and processes in place prior to the attack fared better than those without. What’s more, whatever exposure they had to the attack is being investigated and studied to understand how to prevent similar attacks next time, and that next time could come within days: right now, another exploitable vulnerability has been identified in yet another file transfer application.
Taking control of your own security means not depending solely on your software providers. Organizations need to properly vet their vendors before forging agreements or partnerships. That means not being timid about inquiring into their security profile or requesting proof of their cybersecurity efforts, such as recent security audits or penetration tests where applicable.
A Multi-Layer Resilient Approach
Guarding every link in the chain is challenging, and assuming complete invulnerability is simply unrealistic. Data needs to be protected before and after a breach. That means having a multi-layer security strategy to defend against an attack and a cybersecurity recovery strategy to protect your data after one, which in turn means increasing the resiliency of your business so that recovery can take place as quickly as possible. That recovery process includes a thorough investigation into the extent of a breach incident to determine what worked, which systems (if any) were compromised, and how to mitigate further damage. Such a comprehensive process demands expertise that many companies may lack internally, leading many to turn to third-party managed Security Operations Centers (SOCs) to spearhead detection, mitigation, and recovery efforts.
Conclusion
Much like a sea captain navigating through unpredictable waters, constantly adjusting to varying winds and tides, cybersecurity professionals must tackle an ever-evolving landscape of threats. As one vulnerability closes, another emerges in its wake. With every neutralized threat, adversaries innovate with fresh tactics. It is a game with no end, and because there is always something new to learn, class is always in session. The question is, will your organization be ready for the next incident?