When it comes to cybersecurity breaches, few events have sent shockwaves through the industry quite like the MOVEit ransom attack. If you are not familiar with what has been happening in regard to this ransom attack until now, this blog will clear things up. Let’s start by understanding who MOVEit is and what actually happened.
MOVEit is both a SaaS-based and on-prem managed file transfer (MFT) software solution, offering the ability to automate the movement of data, transfer documents at scale, and more. On May 31, 2023, a critical zero-day vulnerability (CVE-2023-34362) was announced that struck at the heart of MOVEit Transfer and related MOVEit Cloud products. Since June 14, 2023, the names of breached companies and some of their data have continuously been exposed to the public via the dark web, where the only way to stop the exposure would be through the ransom payment.
Who is behind the MOVEit ransom attack?
The attack has been claimed by the notorious Cl0p group, a threat actor that has a track record of exploiting zero-day flaws and extorting their victims. This particular group has made a name for itself through high-profile breaches, including exploits targeting PaperCut (CVE-2023–27350 & CVE-2023–27351) and Forta GoAnywhere MFT (CVE-2023-0669).
They don’t shy away from taking responsibility for the MOVEit attack as they have continuously posted details on their own website. Cl0p has been an active player on the cybercrime scene since February 2019 and is believed to have ties to Russia. While they cast their net wide, their primary focus remains on organizations in the US, Canada, the UK, and Germany. Additionally, the U.S. State Department has announced a $10 million bounty for information about the infamous Cl0p ransomware group.
To put things into perspective, at the time when the vulnerability was published, Censys discovered over 3,000 exposed hosts utilizing the MOVEit transfer service – painting a picture of how the vulnerability had caught many off guard. Meanwhile, two more critical vulnerabilities found in MOVEit, CVE-2023-35036 and CVE-2023-35708, were identified and published since the first one was exposed.
These vulnerabilities allow an unauthenticated attacker to submit a crafted payload to a MOVEit Transfer application endpoint, which could result in modification and disclosure of MOVEit database content. Although at this time, there are no indications that those newly discovered flaws are being exploited in the wild.
The cost of a single vulnerability in the MOVEit ransom attack
Unfortunately, the aftermath of this attack has been far from pretty, with the end not yet in sight. Reports have poured in from the victims, and even victims of those victims, of the attack – revealing the extent of the data breach. The scale of the impact is staggering, with estimates pointing to hundreds, if not thousands, having had their data exposed.
The repercussions extend far beyond the immediate victims. The interconnected nature of today’s SaaS landscape means that the fallout from this breach cascades down the supply chain, affecting not only MOVEit customers but their customers’ customers as well. It is a reminder that a single vulnerability can trigger a domino effect, compromising a seemingly endless chain of information.
Take the case of Gen Digital, the parent company of Norton LifeLock. In this example, some personal data that included the names, company email addresses, employee ID numbers, home addresses, and dates of birth of Gen Digital employees and contingent workers were accessed in this MOVEit attack. In addition, Zellis, a SaaS provider of payroll and HR solutions were also the unfortunate victims of the MOVEit exploitation and were the starting point for data breaches across numerous Zellis customers.
How did the MOVEit ransom attack happen?
Before we look at how it happened, it is important to understand what is ransomware. Ransomware is a type of malicious software that encrypts files on a computer or network, rendering them inaccessible until a ransom is paid to the attacker. Ransomware has been a rising trend in the last few years due to the “easy” financial gain. In the ransomware field, most companies are focusing their efforts on endpoint security. But it is not enough as many companies are now storing and accessing sensitive data in SaaS applications. Moreover, researchers show that ransom attacks on SaaS data are more likely to succeed, and are the hardest to recover from.
In this case, attackers first exfiltrated sensitive data from their victims, ensuring they had a bargaining chip in hand. Then, armed with this valuable information, they issued an extortion note containing instructions for negotiation. Here, Cl0p took it a step further by publishing the blackmail message on their website on the darknet, leaving victims in a state of anxiety until the deadline on June 14, 2023.
Four risks of a ransom negotiation
Increased public exposure:
Victims who are unaware of the attack or the fact that their sensitive information is at risk will likely fail to take necessary measures to protect themselves. This increases the likelihood of the attackers publicly releasing the stolen data, leading to reputational damage, legal consequences, and potential harm to the victims’ customers.
Customer data compromise:
Organizations that are unaware of the attack and the sensitive information at risk not only put their own data but also their customers’ data in danger. This can result in serious consequences, including identity theft, financial losses, and reputational damage for both the organization and its customers. For example, customer data would have still been exposed even if Zellis was not aware of the breach, or the use of the application within their organization.
Delayed response:
By requiring victims to initiate negotiations, the attackers gain the advantage of time. This delay allows the attackers to exploit the situation further, potentially escalating the consequences or taking additional actions while the victims remain unaware.
Lack of control:
Victims lose control over the negotiation process when they are forced to approach the attackers. The attackers can dictate the terms and conditions, potentially demanding higher ransom amounts or imposing additional unfavorable demands.
Using SSPM to mitigate against a ransomware attack
The implications of these risks are far-reaching, underscoring the urgent need for organizations to take proactive measures in addressing cybersecurity threats, specifically those concerning SaaS. Implementing a comprehensive SSPM solution like Wing Security is crucial in this rapidly evolving landscape to stay ahead of threat actors who use every opportunity to breach an organization.
As a starting point, Wing provides full visibility over all SaaS applications, giving security professionals the ability to detect risky SaaS applications and remediate them quickly. By providing robust monitoring and management of app permissions, Wing enables better visibility into potential risks but also clarity on user and file accesses. Our Threat Intelligence team is constantly monitoring the dark web for the latest breaches and updates – providing value to organizations by alerting them when new threats are detected. This allows organizations to quickly respond to threats, helping to minimize the impact of sensitive information leaks and ensuring the protection of both the organization and its customers from potential harm.
Want to know more about how Wing is making SaaS usage more safe?
