8 Weeks Later: Lessons Learned from the MOVEit Vulnerability

The MOVEit vulnerability has been all over the news cycle for months, and as new victims come forward, it will stay there. MOVEit is proving just how vulnerable and complicated modern digitalized organizational networks are, so we must assess the damage and discover what we can learn from it. Traditional security measures still work, but unfortunately, too many companies only have enough security measures to ensure compliance. One thing is sure—this newest zero-day exploit has taught us that cyber resilience is more imperative than ever.

In this blog, we’ll walk you through MOVEit, how it’s being exploited, and how your organization can protect against it.

MOVEit Vulnerability: A Brief Background

MOVEit is a popular file transfer software application owned by Progress. In May of this year, the Russian hacking group Cl0p came forward to state that they had infiltrated the software through an SQL injection, meaning the application built its backend database queries in a way that let attacker-controlled input alter them. This flaw is especially dangerous because it can be exploited without logging into the system.
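To make the flaw class the post describes concrete, here is an added example (not MOVEit's code; the table, account and test inputs are constructed) contrasting a login query built from user input with the parameterised form that fixes it:

```python
import sqlite3

# Constructed sample data standing in for the application database the post
# describes. This is not MOVEit's schema or code; it is an illustration only.
# Passwords are stored in clear text only to keep the demo short; real systems hash them.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse-battery')")
    conn.commit()
    return conn

def authenticate_unsafe(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by string formatting, so caller-controlled text
    is parsed as SQL syntax. Returns the matched username or None."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def authenticate_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: the driver sends the values
    separately from the statement text, so they can never change its structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

def compare(username: str, password: str) -> tuple:
    """Runs both variants on identical input against a fresh database."""
    conn = make_db()
    return (authenticate_unsafe(conn, username, password),
            authenticate_safe(conn, username, password))

if __name__ == "__main__":
    # Legitimate login: both variants agree.
    print(compare("alice", "correct-horse-battery"))   # ('alice', 'alice')
    # Constructed malicious password: the quote closes the string literal and
    # the trailing condition is always true, so the unsafe variant returns a
    # user without any valid password; the safe variant treats it as plain text.
    print(compare("alice", "' OR '1'='1"))             # ('alice', None)
```

The same contrast is what a code review or a vulnerability scan is looking for: any place where request data is concatenated into a statement instead of being bound as a parameter.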

While the MOVEit vulnerability was caught quickly and patches were issued immediately, the MOVEit campaign may be one of the most significant cyberattacks ever. After Progress Software disclosed the initial vulnerability, it announced three more security updates to patch further vulnerabilities. The worst of these vulnerabilities, CVE-2023-36934, could allow an attacker to gain unauthorized access to the application database. In layman’s terms, that means threat actors can exploit the MOVEit vulnerability and get access to vast amounts of sensitive data. Since some of the victims are banks, government agencies, and power companies, the ramifications could be severe.

The MOVEit vulnerability has hit over 300 organizations and touched data affecting more than 17 million people. The extensive list of victims includes the BBC, U.K. retailer Boots, the Departments of Motor Vehicles of Louisiana and Oregon, the New York City Department of Education, governmental departments throughout Nova Scotia, Schneider Electric, and Deutsche Bank.

Incident Response Capabilities: Where Companies Go Wrong

Organizations remain vulnerable to cyberattacks even after years of investments to improve security posture. The question is, are your existing cybersecurity practices optimized to prevent zero-day attacks? 

We sat down with Marian Reed, the Vice President of our GRC team, Joaquin Paredes, the Director of our OffSec team, and Andrew Stevens, the Security Operations Manager of our Threat Intelligence Group, to get their thoughts on the MOVEit vulnerability and how companies can protect themselves and prevent further attacks in the future.

While no security program can prevent 100% of attacks, common security issues consistently arise and allow hackers to compromise systems and software. 

  • Insufficient preparation
  • Not conducting scans for known vulnerabilities
  • Poor management practices
  • Poor supply chain visibility
  • Neglected security and compliance

Bolster Your Defenses: Actionable Tips from VerSprite

To borrow a good-sense motto from the Boy Scouts, the best defense is preparation. Here’s what our team had to say about preventing zero-day attacks.

1. Perform a risk assessment to understand your risks

Marian highlighted the importance of performing a risk assessment.

Marian states, “First and foremost, companies need to understand what the actual risk is to them. When we do assessments with companies or vendor risk assessments, we look at both vulnerability management and patch management. It’s important that companies run vulnerability management scans. We see it all the time in companies that don’t even know that they’ve been impacted [by something].” 

This means you need to understand which types of risks have the highest impact on your business. VerSprite can help you build a security program where your goals and metrics are customized to your needs. Then you can build greater security around the areas where it will have the most impact.

2. Conduct Regular Scans

This should be a no-brainer, but keeping up with your vulnerability management is critical.

Andrew Stevens states, “This attack is indicative of a supply chain attack, where they are not targeting your company directly; they are targeting the product or service you’re using. This means that they can hit a wide breadth of targets. You need to be very aware of your vendors to prevent future attacks. Keep a close eye on what they’re publishing and stay updated on your patching.”

The MOVEit vulnerability is a sobering reminder of how crucial third-party risk management and proactive cybersecurity measures are. The incident clearly showed how pervasive the risk from a single vulnerability in third-party enterprise software can be, and it has highlighted the necessity of regular scanning.

Our Threat Vulnerability Management services can help you set up regular scanning so that you can see if your organization has been affected. Then, you can perform a pen test to discover the impact of a vulnerability.

Basically, it’s a simple matter of getting the basics of security right. And while it’s unfortunate to be hit by a zero-day vulnerability, being attacked through a known vulnerability comes down to poor security hygiene.

3. Have an Incident Response Plan in Place

Marian Reed’s team advocates for constant, vigilant security management practices.

She says, “It’s about knowing what your patch and vulnerability policies are, and about adhering to them. And if you’re impacted, it’s about knowing the breadth of that impact.”

It’s crucial to have an incident response plan in place, because a crisis is not the time to start building inventory catalogs or emergency patching plans. With good core policies and practices, you have a well-understood list of tasks to help your team enact emergency procedures and triage remediation if there’s a cybersecurity incident.

4. Conduct regular threat modeling exercises

Andrew Stevens discussed the benefits of threat intelligence exercises. He states, “Where threat intelligence helps you is in modeling the types of threat actors that are operating in your industry and your sphere and looking at their behavior, tactics, and techniques.”

Once you know what you’re dealing with, you know how to defend against it.

For small to mid-sized companies that don’t have an in-house team, our experts recommend a vSOC. A vSOC is an outsourced, comprehensive data monitoring solution in which security analysts monitor an enterprise’s digital network twenty-four hours a day. This helps detect suspicious activity and respond immediately to emerging threats. A Security Operations Center (SOC) is imperative in today’s digital landscape. Not only does it help your enterprise meet regulatory compliance, but it provides real-time security and reporting to help triage potential risks before they become a bigger issue.

5. Hire ethical hackers to do penetration testing and attack simulations

Poor preparation is the number-one issue with cyberattacks. If you don’t have a proactive, security-first company culture that continuously assesses your security measures, it’s like bringing a knife to a gunfight. Most businesses, particularly small- to midsize enterprises, are woefully unprepared for zero-day attacks—and the threat actors know it.

Even worse, most hacking groups are well-funded and well-armed with talent, able to create thousands of new malware variants each month, along with impeccably crafted phishing emails. As a result, they’re exploiting zero-day vulnerabilities and circling the cyber waters like sharks to find unprotected weak spots in code. 

While this exploit is bad news, there is hope on the horizon. According to Joaquin Paredes, the Director of OffSec at VerSprite, “Our team can use these vulnerabilities to our advantage. We’re getting as much information as we can, and now we are better prepared when it comes to performing an adversarial engagement.”

Regarding the MOVEit vulnerability, we can analyze the attack surfaces at your organization, find vulnerable resources affiliated with MOVEit, and identify specific instances. We recommend conducting penetration testing to simulate real-world attack scenarios. By attempting to exploit the identified vulnerabilities in MOVEit, we gain insights into the potential impacts of an actual cyberattack. Then the team can help you remediate any issues.

Final thoughts

That said, we don’t recommend focusing resources exclusively on preventing an attack. Instead, assessing your organization and determining the threat landscape is essential. Once you understand the viable risks, you can ascertain the threat actors’ motives and better defend against them.

VerSprite has a variety of tools to help you change your security mindset from detection to prevention.

VerSprite can help your enterprise detect and defend against zero-day threats, as well as other cybersecurity attacks. Depending on your risk appetite, you can utilize a mix of these tools to improve your security posture and create a strategy to mitigate the effects if the worst happens.

We hope this information answers some questions about the ongoing MOVEit threat. If you have concerns about your organization being affected, contact us today.