We use cookies to improve your experience. Do you accept?

Was it Possible to Stop Cl0p’s MOVEit Attack? You Bet!

Was it Possible to Stop Cl0p’s MOVEit Attack? You Bet! - Featured Image

Security Collaboration Jun 22, 2023

Organizations worldwide are under attack by threat actors exploiting the recent MOVEit Transfer zero-day vulnerability. Many of them still remain vulnerable despite the availability of patches. To date, Cl0p has claimed that they have stolen data from over 100 organizations , and more continue to come forward reporting breaches. Could the impact of this attack have been avoided? The answer is a resounding yes! Here’s why and what should have been done.

On May 31st, 2023 , Progress Software issued a security notice to users of MOVEit Transfer regarding a vulnerability that allowed privilege escalation and potential unauthorized access to their environments. CVE-2023-34362 was assigned to this vulnerability on June 2nd. The security notice advised users to review their systems for unauthorized access for at least the past 30 days. Further investigation revealed multiple SQL injection vulnerabilities in the MOVEit Transfer web application that allowed an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.

The timing is interesting. Cl0p didn’t launch a large-scale attack campaign until Memorial Day weekend in the U.S. This demonstrates the sophisticated planning behind targeting the first wave of victims. The victim count could rise further until these vulnerabilities are addressed. This vulnerability can and should have seen widespread patching from day one. Unfortunately, the reality is likely something very different.

The attack spree is a strong testament to the sophistication of today’s threat actors. In the case of zero-days, defenders are most often caught off guard and early victims are generally inevitable. The unfortunate reality is that such attacks will continue and the craftiness will only increase. However, the scope and breadth of attack success can be dramatically reduced. It’s high time for new perspectives and different realities to emerge.

Timely alerting, Collaboration , and Threat Intelligence sharing offer much promise. Cyware’s customers include over 90% of ISACs who leverage our Collaborate (CSAP) platform to share threat advisory and intel with thousands of their member organizations. Following the ISAC model, some large organizations have built independent threat sharing communities (“ISAOs”) to share intel and advisories with their suppliers , strategic partners , subsidiaries , and the like. Expediting intel sharing, broadly, would reduce the impact of critical vulnerabilities, such as the one in MOVEit Transfer.

The MOVEit vulnerability is a timely reminder of why large enterprises need to build their own ISAOs for sharing intel with their suppliers. In this crunch situation , large companies are reaching out to their suppliers to confirm that they don’t use MOVEit internally and are left tracking the responses from suppliers with spreadsheets.

On the other hand, here’s how organizations using Cyware’s Collaborate (CSAP) platform are responding to this vulnerability:

  • They warned their suppliers proactively about this vulnerability when it was first reported on May 31st - not several days later when it started trending in the mainstream media after threat actors exploited it to carry out ransomware attacks.

  • Sent a ‘Threat Assessment’ query to all of their suppliers, asking them to certify that they don’t use MOVEit or have a plan to address it within “X” days, if they do.

  • Allowed their suppliers to benefit from collaborative discussions over “Messenger” and even offered their own security expertise to help them patch the vulnerability or mitigate ransomware threats.

  • Leveraged the Threat Detection Marketplace to search for and apply detection content available for MOVEit exploitation.

It’s a strong use case that Collaborate (CSAP) offers for security teams to bring in the much-needed change for addressing supply chain risks through threat intelligence sharing.

The bottom line is that we are stronger together. Collaboration and coordination between government agencies, regulators, enterprises, suppliers, vendors, business units, and SMEs are extremely critical in minimizing the impact of such threats. Security collaboration yields a more proactive cyber defense and shrinks the attack surface for organizations and, consequently, the scope and impact of any potential intrusions.

Find out more by scheduling a free demo.

Related Blogs