MOVEit hack: what is it and why is it important?
The exploitation of the MOVEit Transfer vulnerability by the CLOP ransomware group and the ever-expanding list of victims has raised concerns about how we protect ICT supply chains. We look at what happened and what we’ve learned.
A string of disclosures
On 31 May, Progress Software Corporation disclosed that its managed file transfer (MFT) software, MOVEit Transfer, is susceptible to a critical SQL injection vulnerability, which allows unauthenticated attackers to acquire access to MOVEit Transfer databases.
On 2 June, the vulnerability received the designation CVE-2023-34362. CVE stands for Common Vulnerabilities and Exposures ID number, which is assigned for publicly disclosed vulnerabilities. Once a CVE is assigned, vendors, industry and cybersecurity researchers can exchange information to develop remediation.
On 9 July, Progress announced additional vulnerabilities (CVE-2023-35036), which were identified during code reviews. The company also released a patch for new vulnerabilities. On 15 June, a 3rd vulnerability was announced (CVE-2023-35708).
Threat actors have attacked more than 162 known victims, including the BBC, Ofcom, British Airways, Ernst and Young, Siemens Energy, Schneider Electric, UCLA, AbbVie, and several government agencies with these zero-day vulnerabilities. Sources also report the compromise of the personal data of more than 15.5 million individuals.
Behind the attack
Microsoft attributed the MOVEit hack to Lace Tempest, a threat actor known for ransomware attacks and for running the extortion website of the CLOP ransomware group, data theft, and extortion attacks. On 6 June, the CLOP ransomware gang posted a communication to their leak site demanding that victims contact them before 14 June to negotiate extortion fees for deleting stolen data.
The identity and whereabouts of the CLOP gang remain unknown to the public. However, security researchers believe the group is either linked to Russia or comprises Russian-speaking individuals.
Supply chain security flaws
The MOVEit hack has again highlighted that supply chain security is a significant concern for industries and the public sector. Across the supply chains, who is responsible for what? And how can we ensure cross-sectoral and cross-border cooperation between multiple actors that mitigate security risks?
While national cybersecurity agencies continue publishing guidance on mapping and securing supply chains, the industry implements good practices for reducing vulnerabilities and building secure ICT infrastructures. Still, organisations have different levels of maturity and resources to respond effectively. Luckily, there are ongoing discussions at different levels to address these topics: from international levels to advance the implementation of the relevant UN GGE norms to reduce vulnerabilities and secure supply chains, such as the Geneva Dialogue, to national and industry-specific discussions to develop and adopt new security measures (e.g. SBOM).
Another challenge lies in conducting effective investigations, with the participation of several states and/or private partners, to identify a threat actor and stop the activity.