Description
There is an adage that says, “Old habits die hard.” Exploitable vulnerabilities die just as hard. The MOVEit vulnerability was first identified on May 28, 2023. MOVEit is a secure Managed File Transfer (MFT) software product developed by Progress Software that securely transfers files and data between servers, systems, and applications. The vulnerability, known as CVE-2023-34362, allows hackers to bypass authentication on unpatched systems and access files. Since the zero-day vulnerability was discovered, more than 2,650 organizations have been impacted by it.
The number may have grown as more than 5 million records from 25 organizations were recently found posted to a Black Hat forum in November of 2024, eighteen months after the initial discovery. The newly discovered data trove includes information from global corporations such as Amazon, MetLife, HP, 3M, and McDonald’s. Amazon confirmed that employee data, including contact information and building locations, was part of the stolen information. Similarly, Delta Air Lines acknowledged that their internal directory was compromised, but emphasized that the leaked data was limited to non-sensitive information like names, contact details, and office locations.
Actions Taken
Both Amazon and Delta were able to trace the breach back to a third-party vendor’s use of the MOVEit tool. Both third-party organizations have since patched their systems properly and are no longer vulnerable. Amazon has conducted comprehensive security audits to identify and address any potential vulnerabilities within its systems and has confirmed that Amazon and AWS systems are secure and were not part of the breach. Amazon has also increased employee awareness and training on cybersecurity best practices to prevent future incidents.
Prevention
The continued aftermath of the MOVEit zero-day vulnerability shows that your information is only as secure as your supply chain. We are told never to “assume” anything and that includes the security level of your supply chain vendors. Some basic security measures that can help reduce your risk to exploitable third-party components include the following:
- Patch critical vulnerabilities with priority. Obtain threat intelligence for the applications you use so that you are aware of new vulnerabilities and can take appropriate action, such as isolating the application to block access until a security patch is available.
- Monitor the movement of large data sets out of your environment.
- Consider using HTTPS for data transfers instead of FTP, and protect it with a Web Application Firewall (WAF). A WAF protects against the type of attack associated with the MOVEit vulnerability (SQL injection) and many others.
- Create and maintain an accurate inventory of all hardware, software, and network components to identify vulnerable systems quickly.
- Educate employees about supply chain attack risks and how to recognize potential threats.
- Develop a comprehensive incident response plan (IRP) and conduct regular simulations and updates to ensure readiness for potential security breaches.
- Implement access control policies based on the principle of least privilege (PoLP) that minimize the potential impact of compromised accounts by restricting their access rights.
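As an added illustration of the second measure above (monitoring the movement of large data sets out of your environment), the following Python script, which is not part of the original post, sums download volume per account and destination over a sliding time window and flags pairs that exceed a byte threshold. The log lines and their field layout are constructed for this example and assume a hypothetical MFT access-log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed MFT access-log format:
# <ISO timestamp> user=<account> action=<download|upload> dst=<ip> bytes=<n>
SAMPLE_LOG = """\
2024-11-10T02:14:05Z user=svc_vendor action=download dst=203.0.113.8 bytes=52428800
2024-11-10T02:14:40Z user=svc_vendor action=download dst=203.0.113.8 bytes=73400320
2024-11-10T02:15:12Z user=svc_vendor action=download dst=203.0.113.8 bytes=104857600
2024-11-10T02:16:01Z user=svc_vendor action=download dst=203.0.113.8 bytes=94371840
2024-11-10T09:05:00Z user=jdoe action=download dst=192.0.2.77 bytes=1048576
2024-11-10T09:30:00Z user=jdoe action=upload dst=192.0.2.77 bytes=2097152
2024-11-11T01:00:00Z user=svc_vendor action=download dst=203.0.113.8 bytes=20971520
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "user": m["user"],
                "action": m["action"],
                "dst": m["dst"],
                "bytes": int(m["bytes"]),
            }

def find_bulk_egress(events, window=timedelta(minutes=10), threshold=200 * 1024 * 1024):
    """Return (user, dst, window_start, window_end, bytes) for every (user, dst)
    pair whose downloads inside any sliding window of `window` exceed `threshold`."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "download":  # data leaving the MFT server
            by_pair[(e["user"], e["dst"])].append(e)
    alerts = []
    for (user, dst), evs in by_pair.items():
        start, total = 0, 0
        for end, e in enumerate(evs):
            total += e["bytes"]
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window forward
                total -= evs[start]["bytes"]
                start += 1
            if total > threshold:
                alerts.append((user, dst, evs[start]["ts"], evs[end]["ts"], total))
                break  # one alert per pair is enough for triage
    return alerts
```

The threshold and window are tunable; a real deployment would baseline them per account and also consider the time of day, since the flagged vendor account above pulls data at 02:00.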
Another effective measure is to engage an outside security team to conduct a risk analysis that assesses the likelihood and impact of various threats, which allows preventive security measures to be prioritized and implemented. HALOCK’s security experts maintain up-to-date knowledge of known vulnerabilities and can swiftly identify your organization’s specific risk exposures.
HALOCK was recognized in the 2024 Verizon Data Breach Investigations Report (DBIR) for its approach to estimating risk.
Estimate risk based on real threat data. Read Appendix D in the 2024 Verizon Data Breach Investigations Report (DBIR) to augment your risk analysis.