MOVEit Breach: The Largest Data Theft of 2023 

This blog post dives into the 2023 MOVEit breach, a significant cybersecurity incident that impacted organizations and individuals globally. We explore the key factors contributing to the data breach, including the role of third-party risk management, incident response, and vulnerability and patch management, and highlight crucial lessons learned and strategies organizations can adopt to mitigate similar risks in the future.

In today's cyber landscape, many organizations outsource critical functions, including IT solutions. While outsourcing offers significant benefits, it also introduces risks, especially when third-party vulnerabilities are exploited. The recent MOVEit case exemplifies this: a single vulnerability led to breaches at numerous global customers, including over 2,600 organizations and almost 84 million individuals. Mature third-party risk management practices are essential in such scenarios, as are robust incident response planning and vulnerability and patch management.

Detailed Look into The Breach

The MOVEit Transfer application is a solution that allows for secure file transfers using HTTP, SCP, or FTP. The application is used by thousands of organizations, including governments, financial institutions, and other public and private sector bodies worldwide. End customers use the application to send and receive files and information, including data classified as sensitive. The attack exploited a SQL injection vulnerability on public-facing servers; file transfers were then facilitated through a custom web shell, leading to escalated privileges and potential unauthorized access to the environment where the application is installed. Progress Software, the MOVEit provider, and cybersecurity firm Huntress discovered vulnerabilities in the MOVEit application and issued several recommendations and patches for them between May and June 2023.

A cybercriminal group known as Cl0p claimed responsibility for exploiting the vulnerability. Cl0p has been known for exfiltrating sensitive data and threatening to release it as leverage to extort payment from as many organizations as possible before they patch the vulnerability. While the MOVEit team responded rapidly, quickly providing patches as well as regular and informative recommendations to customers, the exploited vulnerabilities still affected government, public, and business organizations worldwide, including the governments of Canada and the United States and global companies such as the BBC, British Airways, Boots, Aer Lingus, Ernst & Young, and Ofcom. Much of the breach's impact may be attributed to organizations having MOVEit exposure within their third-party framework, including vendors' subcontractors that used MOVEit. The critical time windows involved also contributed to the impact: the period before the release of the patch (zero-day), the time organizations required to respond to the incident effectively, and the duration needed to implement the patch successfully. Each of these phases is crucial, and delays or inefficiencies in any of them can exacerbate the vulnerability and extend the risk exposure.

Lessons to Mitigate Future Risks

While organizations usually cannot avoid being affected by a zero-day vulnerability such as the one in the MOVEit case, they can prepare in several security domains to reduce the risk to as low as possible should this kind of incident happen in the future. The security aspects that organizations can better prepare include:

Security incident response

Inadequate incident response likely intensified the MOVEit breach. To respond appropriately to the disclosed MOVEit vulnerability, organizations using MOVEit needed to focus on containment: isolating the impacted server, clearing active sessions, rotating credentials, implementing the released patch, and hardening both the MOVEit Transfer application and the impacted environment, including Azure Storage and the IIS web server, as recommended by Mandiant. Initial delays in performing these steps may have escalated the breach. As detective and corrective controls, when an incident happens the organization needs not only to patch the vulnerability but also to contain the incident and investigate its nature, e.g., identifying the data that has been lost or stolen. Implementing this process requires a mature, effective and tested security incident response plan, as well as a coordinated effort across different departments. Organizations also need to note that some compliance requirements oblige public companies to issue disclosures within defined time windows after discovering a cybersecurity incident; these requirements need to be integrated into the incident response procedure as well.

Horangi has extensive experience developing and refining security incident response plans for our clients. We can help your organization establish a comprehensive plan with immediate containment strategies, thorough investigation protocols, and swift remediation actions. This ensures prompt response to incidents, managing and reducing the potential risk. We are also able to support by simulating an incident and taking you step by step through the plans to help educate and make all relevant stakeholders within your organization aware of their responsibilities and duties.

Third-party risk management

As MOVEit is a third-party provider for file transfer, this breach highlighted the risks associated with the supply chain and third-party service providers: a lack of oversight and management of third-party providers can lead to significant data breaches. Learning from the MOVEit case, organizations that use third-party services to handle sensitive data should assess the security controls of the third party and ascertain whether it adheres to industry-recognized standards or best practices. Organizations also need to ensure their contracts cover security obligations and a base level of adherence to industry-recognized standards. Only once all of the above has been performed can the organization conclude whether the use of a particular third-party service aligns with its risk appetite. Thus, as a preventive control, the organization needs a mature third-party risk management framework in place to appropriately manage the risk of data handling and associated processes.


Horangi can assist in developing a comprehensive third-party risk management framework tailored to your specific needs that evaluates, monitors, and manages the security posture of your third-party providers.

Vulnerability and patch management

In the MOVEit case, delayed patching of known vulnerabilities likely allowed the exploitation to continue unmitigated. As part of the vulnerability and patch management process, organizations need to implement a process for prioritizing patches based on the severity of vulnerabilities. Before widespread deployment, timely testing of patches in a controlled environment ensures they do not introduce new vulnerabilities or affect system functionality. Last but not least, organizations must conduct regular scans to identify and address vulnerabilities before they are exploited.

Horangi's expertise includes advising on effective vulnerability and patch management strategies. We can also help your organization assess your existing vulnerability and patch management process and perform periodic vulnerability assessments to reduce the window of opportunity for attackers.

Conclusion

The MOVEit breach is a stark reminder of the importance of comprehensive cybersecurity practices, not only internally but also across third-party and supply chain security. By focusing on enhanced incident response, thorough third-party risk management, and diligent patch management, organizations can significantly reduce their vulnerability to such incidents. Horangi is ready to partner with organizations to strengthen these critical areas, ensuring a robust and resilient cybersecurity posture.

Manggala Eka Adideswar

Manggala Eka Adideswar ("Adi") is the Head of CyberOps Indonesia, Horangi. Adi is specialized in cybersecurity strategy, security compliance assessments, and penetration testing.
