The MOVEit Hack: What You Need to Know
by Reflare Research Team on Jul 4, 2023 8:01:00 PM
The intricacy of the MOVEit hack is having a profound impact on many public and private organisations. But will these organisations learn the crucial cybersecurity lessons this moment will ultimately teach them?
First Published 4th July 2023
♫ I like to move it move it ♫
3 min read | Reflare Research Team
Hack of the week
In the constantly evolving cybersecurity landscape, vulnerabilities and data breaches are common, but few shake the foundations the way the MOVEit hack did.
With over 130 organisations and millions of individuals believed to be impacted, this attack is a startling reminder of the stealth and sophistication that cyber adversaries are capable of. As professionals who stake their reputation on defending against such threats, understanding the intricacies of this attack is essential. This article takes a deep dive into the various aspects of the MOVEit hack, critically analysing its execution, the actors involved, the range of victims, and reflecting on the lessons to be learned.
What is MOVEit?
MOVEit is a Managed File Transfer (MFT) product by Progress Software that is employed extensively to transfer sensitive data among systems securely. Organisations around the globe, especially those handling confidential data and seeking compliance with industry regulations like PCI, HIPAA, or GDPR, heavily rely on MOVEit for its believed security and reliability. Its extensive adoption has made it an appealing target for cyber adversaries seeking to exploit vulnerabilities for monetary gains or other malicious intents.
Furthermore, MOVEit is trusted by government agencies, healthcare providers, and financial institutions for secure and compliant file transfers. It is utilised to automate file-based business workflows, reducing complexity and strengthening administrative control.
The Zero-Day Vulnerability
At the core of the MOVEit attack was the exploitation of a critical zero-day vulnerability, tracked as CVE-2023-34362. Zero-day vulnerabilities are those for which no official patch is available at the time of exploitation, making them particularly dangerous. This vulnerability was an SQL injection flaw which, despite SQL injection being one of the oldest classes of vulnerability, remains a formidable threat. Such flaws arise when code passes untrusted input into database queries without proper validation, and they are considered preventable.
The exploit allowed unauthorised access to sensitive data that was being transferred using MOVEit. The scale and impact of the vulnerability were compounded by the fact that some MOVEit users did not promptly install the patches issued by Progress, leaving their systems exposed even after the vulnerability was known.
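To make the "preventable coding flaw" concrete, here is an added illustration of the SQL injection class described above. It is not code from MOVEit or from Progress Software, and it says nothing about how CVE-2023-34362 itself was constructed; it uses a constructed in-memory SQLite table and a hypothetical API-key lookup to show the difference between building a query by string concatenation and binding the value as a parameter.

```python
import re
import sqlite3

# Constructed sample data: a hypothetical user/API-key table, not real MOVEit data.
SAMPLE_USERS = [("alice", "key-alice"), ("bob", "key-bob")]


def make_db():
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately flawed: the caller-supplied value is spliced into the SQL text,
    so anything it contains (quotes, OR clauses) is parsed as part of the query."""
    query = f"SELECT username, api_key FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the value is bound as a parameter and is only ever treated as data."""
    return conn.execute(
        "SELECT username, api_key FROM users WHERE username = ?", (username,)
    ).fetchall()


# Defence in depth: an allowlist on the input format, applied before any query runs.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def lookup_validated(conn, username):
    """Reject input that does not match the expected shape, then use the bound query."""
    if not USERNAME_RE.match(username):
        raise ValueError("username contains characters outside the allowed set")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(db, hostile))    # every row leaks
    print("parameterized:", lookup_parameterized(db, hostile)) # no match
    try:
        lookup_validated(db, hostile)
    except ValueError as exc:
        print("validated:     rejected:", exc)
```

Run with a normal username and all three functions return the same single row; run with input containing a quote and an `OR` clause and only the concatenated version returns the whole table. The parameterised query is the fix; the allowlist is an extra layer that also gives a monitoring team a clean rejection event to alert on.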
Behind the Attack: Cl0p Ransomware Group
Attribution in cyber attacks can be tricky, but in this case, the Cl0p ransomware group boldly claimed responsibility. This group, linked to Russian cybercriminals, is notorious for its ransomware attacks and has been actively operating the Cl0p ransomware. In their modus operandi, they often demand ransoms in exchange for not releasing sensitive data. Notably, the Cl0p group claimed to have known about the MOVEit zero-day exploit before it was patched and boasted that they were the only threat actors aware of this. This speaks volumes about their capabilities.
Moreover, the group demonstrated an audacious and relentless approach, naming and shaming organisations that did not comply with their demands. This approach, combined with their advanced knowledge of the exploit, showcases a level of sophistication and determination that poses an enormous challenge to the cybersecurity community.
Timeline and Scope of the Attack
The first signs of this exploitation spree were observed on May 27, 2023. Progress acted promptly and patched the vulnerability four days later. However, even with the availability of a patch, the exploit continued to wreak havoc as some organisations had not updated their systems.
The Cl0p group started naming the organisations, especially those that refused to pay the ransom or enter negotiations. The scope of this attack is massive: Brett Callow, a threat analyst at Emsisoft, is aware of 140 organisations that have been impacted by this campaign, and the personal information of more than 15 million individuals has been compromised.
The list of government entities caught up in this attack included the US Department of Energy, the Health Department, the New York City Department of Education, and the Oregon Department of Motor Vehicles.
Driver licence data for millions of Oregon citizens was stolen, and the New York City Department of Education disclosed unauthorised access to approximately 19,000 documents containing sensitive data including Social Security Numbers.
Lessons and Countermeasures
This attack should serve as a wake-up call for cybersecurity professionals. Key takeaways include:
Patch Management
Timely installation of security patches is critical. MOVEit users who did not update their systems even after the patch became available remained vulnerable.
Monitoring and Detection
Constant monitoring for any unusual activities or access within the network can help in early detection.
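As an added example of what "monitoring for unusual access" can look like in practice, the following script runs two simple checks over file-transfer audit events: a per-account download volume threshold and a check for accounts being used from a source address not seen before. The log format, field names, accounts, addresses and thresholds are all constructed for this illustration; they are not MOVEit's own log format or known indicators from this campaign.

```python
import re
from collections import Counter

# Constructed sample audit lines (not a real product's format):
# <ISO timestamp> <account> <source IP> <ACTION> <path>
SAMPLE_LOG = """\
2023-05-27T01:02:11Z svc_partner 198.51.100.7 DOWNLOAD invoices/2023-05.csv
2023-05-27T01:05:40Z jsmith 203.0.113.9 UPLOAD reports/q2.xlsx
2023-05-27T02:10:03Z jsmith 203.0.113.9 DOWNLOAD reports/q1.xlsx
2023-05-27T03:00:01Z svc_partner 192.0.2.44 DOWNLOAD hr/payroll_all.csv
2023-05-27T03:00:04Z svc_partner 192.0.2.44 DOWNLOAD hr/benefits.csv
2023-05-27T03:00:09Z svc_partner 192.0.2.44 DOWNLOAD finance/ledger.csv
2023-05-27T03:00:15Z svc_partner 192.0.2.44 DOWNLOAD legal/contracts.zip
2023-05-27T03:00:21Z svc_partner 192.0.2.44 DOWNLOAD customers/export.csv
2023-05-27T03:00:30Z svc_partner 192.0.2.44 DOWNLOAD customers/ssn.csv
"""

# Constructed baseline: the source addresses each account normally connects from.
KNOWN_SOURCES = {"svc_partner": {"198.51.100.7"}, "jsmith": {"203.0.113.9"}}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<action>[A-Z]+) (?P<path>\S+)$"
)


def parse_log(text):
    """Turn the audit text into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def find_anomalies(events, known_sources, max_downloads_per_hour=5):
    """Return accounts whose hourly download count exceeds the threshold, and
    (account, ip) pairs where the address is outside the account's baseline."""
    per_hour = Counter()
    for e in events:
        if e["action"] == "DOWNLOAD":
            # ISO-8601 timestamp truncated to the hour, e.g. 2023-05-27T03
            per_hour[(e["user"], e["ts"][:13])] += 1
    volume = sorted(
        (user, hour, n) for (user, hour), n in per_hour.items()
        if n > max_downloads_per_hour
    )
    new_source = sorted(
        {(e["user"], e["ip"]) for e in events
         if e["ip"] not in known_sources.get(e["user"], set())}
    )
    return {"volume": volume, "new_source": new_source}


if __name__ == "__main__":
    findings = find_anomalies(parse_log(SAMPLE_LOG), KNOWN_SOURCES)
    for user, hour, n in findings["volume"]:
        print(f"ALERT volume: {user} downloaded {n} files in hour {hour}")
    for user, ip in findings["new_source"]:
        print(f"ALERT new source: {user} used from {ip}")
```

Both checks are deliberately simple: a real deployment would learn the per-account baseline from history rather than a fixed dictionary and would tune the volume threshold per account. The point is that bulk downloads by a service account from an unfamiliar address, which is the pattern a data-theft campaign against a file-transfer server produces, are visible in ordinary audit data if someone is looking.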
Incident Response Plan
A well-structured incident response plan is essential for minimising damages and ensuring a systematic recovery.
User Education
Regular training and awareness programs for employees can ensure they understand the importance of following security protocols.
Collaborative Defence
Sharing information about threats and vulnerabilities within the cybersecurity community can help in proactively defending against common adversaries.
Multi-factor Authentication (MFA)
Implementing MFA can add an extra layer of security, making it difficult for attackers to gain unauthorised access even if they exploit a vulnerability.
Network Segmentation
Separating networks can contain the breach and prevent it from spreading throughout the organisation.
Regular Security Audits and Code Reviews
Identifying and fixing vulnerabilities before they can be exploited is crucial. Regular security audits and code reviews can help in identifying security weaknesses.
Concluding Remarks
The MOVEit hack is a stern reminder of the evolving nature of cyber threats. For cybersecurity professionals, continuous vigilance, education, and proactive measures are essential in safeguarding organisations against such threats. The hack serves as a learning opportunity for organisations to reassess their cybersecurity posture and make the necessary improvements to mitigate the risks of future attacks.
Stay up to speed on the latest cybersecurity trends and analysis with your subscription to Reflare's biweekly research newsletter. You can also explore some of our related articles to learn more.