It has been several weeks since the MOVEit vulnerability began making headlines, but the span of organizations and governmental entities being affected by related data breaches have continued to grow.
In early June, organizations from around the world, including the BBC and British Airways, have reportedly been warned by a cybercrime group that stolen data will be published if demands weren’t met. More recently, the Office of Motor Vehicles (OMV) in Louisiana suffered a MOVEit data breach. The Louisiana OMV is one of a still undetermined number of government entities, major businesses and organizations to be affected by the MOVEit data breach.
According to reports, the global cyberattack exploits a vulnerability in MOVEit, a widely-used third-party data transfer service used to send large files.
"No one is immune to the growing threats that cybercriminals pose to individuals, communities and our nation, so it comes as no surprise that bad actors pounced on the opportunity to take advantage of the critically serious MOVEit vulnerability that has already impacted businesses, hospitals and educational institutions," said Darren Guccione, CEO and Co-Founder at Keeper Security. "The severity and ramifications of this attack on multiple agencies within the U.S. federal government remain to be seen but raise serious concerns about the potential compromise of sensitive information and data loss potentially impacting national security."
Earlier this month the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) published a joint Cybersecurity Advisory (CSA) with recommended actions and mitigations to protect against and reduce the impact from CL0P Ransomware Gang exploiting MOVEit vulnerability.
CL0P has reportedly claimed credit for some of the data breaches including the BBC, British Airways, Shell and state government agencies.
Security leaders weigh in
Mike Parkin, Senior Technical Engineer at Vulcan Cyber:
“It's no surprise that CISA is working with the organizations that follow their mandates to address the MOVEit exploits. While they have, understandably, not been open about how widespread the attacks have been on government organizations, or how much damage has resulted from the attacks, they are being proactive. Fortunately patches already exist and indications of compromise (IoC) are easy to detect, though it's apparent that not everyone deployed the patches in time. The attacks have been attributed to the CL0P ransomware group, which is usually regarded as a cybercriminal group, but it's entirely possible that there are geopolitical motivations behind this as well.
“As with any vulnerability that's being exploited in the wild, vulnerable organizations should patch as soon as possible and deploy compensating controls immediately. On another level, even if an organization isn't required to follow CISA guidance it's still a good idea to do so. Their recommendations are sound and usually timely. Separately, with regards to file transfer systems, it may be worth considering additional levels of encryption for files at rest. Encrypted files remain secure even if they're exfiltrated, reducing the damage from a breach if one occurs.”
Nick Rago, Field CTO at Salt Security:
“The CL0P group has been known since 2019, when it launched a large-scale spear-phishing campaign, using ransomware to steal and encrypt victim data and refuse to restore access until fully paid. The group typically targets sizable corporations.
“It is a good reminder that many digital supply chains designed and deployed by organizations leverage third party open source or commercial software packages and applications. Those third party software deployed in your environments are susceptible to the same attacks as in house developed applications, and they should be protected with the same edge and runtime security technologies as you would in house developed apps.”
Andrew Barratt, Vice President at Coalfire:
“This breach demonstrates the further need for agencies to embrace the FedRAMP mandate, and ensure that they're continuously monitoring their critical systems and vendors. As cyberattacks can be executed in various ways, sometimes with vague motives, it always clear if attacks are directly targeted or part of the broader wholesale 'access for sale' market. The impact of this could be twofold, if this turns out to be nation state activity then reciprocal action may be taken further heightening hostilities. However, if this is criminal activity it's important for the agencies concerned to look at how their systems could be monetized and start to take steps to monitor the outflow of data and dollars.”
Darren Guccione, CEO and Co-Founder at Keeper Security:
"As federal agencies and their hardworking cyber teams rush to address this spate of attacks, the news should serve as a clarion call to every organization that this serious zero-day vulnerability must be remediated immediately. All organizations must take a proactive approach to regularly update software and immediately patch vulnerabilities that are being actively exploited in the wild. The first step for administrators utilizing MFT should be to patch the vulnerability or take the service offline until it can be patched, especially now that the vulnerability is public knowledge. While not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impacts on systems, data and operations.
"The most effective method for minimizing sprawl in the event that an attack does occur is by investing in prevention with a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor’s access. As a FedRAMP Authorized cybersecurity vendor, Keeper Security is aware of the stringent requirements software must adhere to in order to be pre-vetted for use by operations with government funding. We meet that standard, not only with the solutions we market to those organizations, but also with the solutions that are used in our customers’ private businesses and personal lives."
James McQuiggan, Security Awareness Advocate at KnowBe4:
"This data breach can impact the users as so much of their data was stolen. While it may not have shown up yet, now that it has been reported, the cybercriminals will most likely go through and sell off the data or try to use it for targeted social engineering attacks. People with sensitive information stolen will want to act quickly to protect themselves from identity theft and social engineering attacks. The stolen personal data can be used maliciously; therefore, taking immediate steps to control the damage and prevent further harm is essential. They will undoubtedly want to monitor their financial accounts for suspicious transactions, checking with the credit bureaus to prevent identity thieves from opening new accounts or obtaining credit in their name. People must stay vigilant against phishing scams, social media engineering and cyberattacks. Keeping an eye out for suspicious emails, text messages or phone calls from unknown sources and never clicking on any link or attachment are just some of the steps they should be taking or need to take."