The information in this post is based on the details of the attack as known on the 7th June 2023.
The recently announced MOVEit Transfer vulnerability is a great example (perhaps not, if you are impacted by it) of cyber security attack trends coming together in an extremely effective and damaging exploit. The BBC, British Airways and Boots were amongst the victims here in the UK (according to The Register), with data including staff ID numbers, dates of birth, home addresses and national insurance numbers being stolen.
The reason this caught my attention was two recent GigaOm research projects, on anti-phishing and data loss prevention. In discussions with the vendors in those spaces, they identified several trends being used to attack organizations and individuals. This attack used three of the most prevalent, which we review below.
What happened?
For those not familiar with the attack, it stemmed from a vulnerability in Progress Software’s MOVEit document transfer application: it contained a SQL injection vulnerability which could “lead to escalated privileges and potential unauthorized access to the environment”. The attack has allowed nefarious actors, in this case the Russian cyber-criminal group Clop, to use those privileges to exfiltrate data from its targets.
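The root cause named above, SQL injection, is easiest to understand by seeing the bug class next to its fix. The following is an added illustration, not code from MOVEit or from Progress Software, and says nothing about how the real flaw was constructed: it uses a constructed in-memory SQLite table and shows a lookup that splices untrusted input into the SQL text beside the same lookup written with a bound parameter, which is the standard remediation.

```python
import sqlite3

# Constructed sample data standing in for an application's user store
# (hypothetical rows, not from any real product).
SAMPLE_USERS = [("alice", "user"), ("bob", "user"), ("admin", "admin")]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Unsafe pattern: the caller-supplied value becomes part of the SQL text.

    A quote character in the input ends the string literal early, so any
    SQL that follows it is parsed as part of the statement. This is the
    defect class the article refers to; it is shown only to contrast with
    the hardened version below.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the statement and the value travel separately.

    The driver binds the value to the placeholder, so every character of
    the input is compared literally and cannot alter the query's structure.
    """
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare_lookups(username: str) -> tuple:
    """Return (rows from the vulnerable lookup, rows from the safe lookup)
    for the same input, so the difference in behaviour is visible."""
    conn = build_db()
    try:
        unsafe_rows = lookup_vulnerable(conn, username)
    except sqlite3.Error as exc:
        # Inputs that merely break the quoting surface as syntax errors here,
        # which is itself a signal worth alerting on in application logs.
        unsafe_rows = f"error: {exc}"
    safe_rows = lookup_parameterized(conn, username)
    return unsafe_rows, safe_rows


if __name__ == "__main__":
    # An ordinary name containing an apostrophe is enough to show the
    # difference: the spliced query fails, the bound query simply finds nothing.
    print(compare_lookups("o'brien"))
```

The defensive takeaway is that the parameterized form is not a filter or a blocklist: it removes the mixing of code and data entirely, which is why it holds up against inputs nobody anticipated. Pair it with a database account that has only the privileges the application needs, so that a query bug elsewhere cannot "lead to escalated privileges" in the way the vendor's advisory describes.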
To do this, the attack took advantage of three cyber threat trends.
Supply chain attack: None of those named was breached because of their own security failure per se. In fact, they were not even MOVEit customers; instead, it was supplied to them as part of a third-party solution. In the case of those referenced here, that was a payroll provider who used MOVEit to transfer secure and sensitive data.
The long game: Reports suggest that the exploit has been known to attackers since early March. During that time, they monitored for use and deployment of the MOVEit application, using that time to craft an attack. This long-term approach is increasingly common. Attackers are using tools like machine learning (not necessarily the case here) to monitor potential victims’ activities and build more specific and effective attacks; this is particularly prevalent in phishing attacks. Even here, they were prepared to scan at scale, looking for usage of this application in order to target its users.
Steal not (only) encrypt: While ransomware has been at the forefront of attacks in recent years, the shift towards data theft (potentially combined with encryption) is accelerating. Why? Because organizations are increasingly better prepared to deal with ransomware and therefore less likely to pay the ransom. So the criminal has moved on, targeting high-value data that can be sold to other bad actors. Whether they then ransom the victims or encrypt the data to force a ransom is becoming secondary.
What does all this mean?
This is a good example of both the complexity and ever-changing nature of the threat. Cybercriminals are always looking to gain an advantage and find a new attack vector that can be exploited, and staying ahead of this is difficult for organizations.
While there is no magic bullet that can help every time, here are some general principles that you can follow, and discuss with your cybersecurity vendors and partners.
Zero Day Threats: How do you spot attacks that have never been seen before, where there are no known signs of them? This is a significant challenge, but one that vendors have invested in heavily. The use of AI/ML enables providers to identify threats more proactively. As shown here, attacks don’t happen overnight: major ones are planned in advance. So, if you know where you are looking, you can often spot indicators of an attack long before it is weaponised.
Unusual Activity: The predictive approach is not the only one. You don’t always have to know what you are looking for; it is equally valuable to know what normal looks like, so that deviations stand out, for example with systems that can identify unusual activity across your environment or those that apply a zero-trust approach to access control. Anomalous behaviour by users, unexpected network and device activity, and systems connecting to unusual systems are likely signs of malicious activity.
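To make "knowing what normal looks like" concrete, here is an added example of the baseline-and-deviation logic such systems apply, written for this post rather than taken from any vendor's product. It builds a per-account profile (usual destinations, typical transfer size) from a constructed window of file-transfer log lines, then scores later events on three of the signals named above: a destination the account has never used, a transfer volume far above the account's norm, and activity outside working hours. The log format, account names and addresses are all constructed for the illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample log lines (not from any real system).
# Format: timestamp,account,action,destination,bytes
BASELINE_LOG = [
    "2023-05-01T09:00:00,alice,download,10.0.1.20,1200000",
    "2023-05-01T10:00:00,alice,download,10.0.1.20,900000",
    "2023-05-02T09:10:00,alice,download,10.0.1.21,1500000",
    "2023-05-02T11:00:00,bob,download,10.0.1.20,300000",
    "2023-05-03T09:00:00,bob,download,10.0.1.22,450000",
    "2023-05-03T14:00:00,bob,download,10.0.1.20,400000",
]

# Later events to score against that baseline (also constructed).
NEW_LOG = [
    "2023-06-01T09:05:00,alice,download,10.0.1.20,1100000",
    "2023-06-01T02:13:00,svc_transfer,download,203.0.113.9,820000000",
    "2023-06-01T02:14:00,bob,download,203.0.113.9,50000000",
]


def parse_line(line: str) -> dict:
    """Split one CSV log line into the fields the scorer needs."""
    ts, account, action, dest, nbytes = line.strip().split(",")
    return {
        "hour": int(ts[11:13]),  # hour of day from the ISO timestamp
        "account": account,
        "action": action,
        "dest": dest,
        "bytes": int(nbytes),
    }


def build_baseline(lines: list) -> tuple:
    """Learn, per account, the set of destinations used and the median transfer size.

    Returns (profiles, all_dests): profiles keyed by account, and the union of
    every destination seen, used for accounts with no history of their own.
    """
    dests, sizes = defaultdict(set), defaultdict(list)
    for e in map(parse_line, lines):
        dests[e["account"]].add(e["dest"])
        sizes[e["account"]].append(e["bytes"])
    profiles = {
        acct: {"dests": dests[acct], "median_bytes": median(sizes[acct])}
        for acct in dests
    }
    all_dests = set().union(*dests.values()) if dests else set()
    return profiles, all_dests


def score_event(e: dict, profiles: dict, all_dests: set,
                volume_factor: int = 10, work_hours: tuple = (7, 19)) -> list:
    """Return the list of reasons an event deviates from the baseline (empty if none).

    volume_factor and work_hours are tuning knobs chosen for this example.
    """
    reasons = []
    prof = profiles.get(e["account"])
    if prof is None:
        # An account with no history at all is itself worth a look.
        reasons.append("no_baseline")
        if e["dest"] not in all_dests:
            reasons.append("new_destination")
    else:
        if e["dest"] not in prof["dests"]:
            reasons.append("new_destination")
        if e["bytes"] > volume_factor * prof["median_bytes"]:
            reasons.append("volume")
    if not (work_hours[0] <= e["hour"] < work_hours[1]):
        reasons.append("off_hours")
    return reasons


def find_anomalies(baseline_lines: list, new_lines: list) -> list:
    """Score every new event and return (account, destination, reasons) for those that deviate."""
    profiles, all_dests = build_baseline(baseline_lines)
    alerts = []
    for e in map(parse_line, new_lines):
        reasons = score_event(e, profiles, all_dests)
        if reasons:
            alerts.append((e["account"], e["dest"], reasons))
    return alerts


if __name__ == "__main__":
    for account, dest, reasons in find_anomalies(BASELINE_LOG, NEW_LOG):
        print(f"{account} -> {dest}: {', '.join(reasons)}")
```

Run as written, the ordinary daytime transfer by a known account to a known host produces no alert, while the two early-morning transfers to a never-before-seen address are flagged on several signals at once. Stacking independent reasons this way is what keeps a baseline approach useful: any one signal is noisy, but a new account, a new destination, a volume spike and an odd hour arriving together are exactly the shape of a bulk exfiltration, and a detection pipeline can prioritise on the number of reasons rather than on a single threshold.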
React quickly: Speed is of the essence in attacks like this. This is driving the growing prevalence of eXtended Detection and Response (XDR) solutions, which can quickly spot unusual and malicious behaviour and then rapidly mitigate threats. It is also driving the expansion of its managed equivalent, MDR. Here, providers’ analyst teams manage customer implementations and offer SLAs from detection to mitigation of around 30 minutes. While this won’t stop all of the impact, it will certainly restrict it.
Supply chains: At the heart of this breach is the technology supply chain. This is a significant headache for businesses: it is hard enough securing your own environment without having to worry about all of your suppliers’ infrastructure too. But the reality is that you have to, at least currently. Vendor solutions responding to this, especially in the anti-phishing space, are now proactively evaluating supply chains, looking at communications and interactions to identify suppliers, and using external threat scoring to highlight risks.
Secure your data: The usual target of an attack is your data. It is therefore essential to be data centric in your security approach. Build data security into your applications, databases, and individual files, so even if information is compromised you can maintain security and control outside the walls of your infrastructure.
Have a Cyber Resilience Plan: This attack shows that for many, it doesn’t matter how well prepared we are: a cyber incident is a matter of when, not if. Therefore, having a plan for how to deal with it, from communication to infrastructure recovery, is essential. While many have business resilience plans, something focussed on the specifics of cyber incidents should be in the armoury of any organization.
The problems highlighted by this attack are not going to go away: threats posed by supply chain attack and the exfiltration of data will continue to evolve.
It is essential, therefore, that you prepare yourself. Ensure your security tools are proactive and use analytics and threat intelligence effectively. Have solutions that can spot unusual activity and mitigate it, and look at how you can build security into not only your infrastructure but your information itself. Oh, and don’t forget Progress Software have patched this vulnerability, so if you haven’t, what are you waiting for?