Skip to main content

MOVEit Data Breach Explained (Briefly) (Video)

 

Transcription of MOVEit Data Breach Explained (Briefly) (Video)

01:34

Alright, everyone wanted to take the shortest time possible. There’s a lot of chatter about the MOVEit data breach. And maybe you’re familiar with it, maybe you’re not. But it does show the importance of a few things that I wanted to touch base on. So first, I want to explain that the move is it data breach, which was almost exactly five months ago, today, tomorrow will be five months, so was on May 27, of this year that it was discovered. It is a supply chain attack, not the perfect example of a supply chain attack. But it is yet an example of a supply chain attack in the IoT world, meaning a third party was used to gain access to systems that it would not normally have access to. And it was done by the Cl0p ransomware gang out of Russia. And I’ll get to the numbers in a minute. But I want to explain what a supply chain attack is. We have seen a few of these over the last few years, probably the most famous one, and at least in the IT world was the SolarWinds attack, or someone got a hold of the server that was used to update SolarWinds software and edited the code for the software. And that code was pushed out to a bunch, of SolarWinds clients. We have seen this with a few other vendors out there that have been attacked, and their software updated and pushed out to other clients. But we also see this seems like once or twice a year, at least with file transfer software. And that is what move it is is a file transfer software. So, a supply chain attack also known as a third-party or value chain attack is a type of cyber-attack that targets an organization by compromising the security of a trusted partner or supplier within the supply chain. So, in other words, in the example of move it, it was you know, it targeted the move in IT software, and it used SQL injection, which is a way of saying that they compromise the data inquiry of the software to inject its own code. It was a zero-day vulnerability. A zero-day just means that the vendor, in this case, I forget the name of the company now but the vendor for moving file transfer software was infiltrated through this injection this code is usually just a few lines of code that are used to get in this happens a lot with websites and things like that. But in this case, it happened with this file transfer software. So, the attack infiltrated the software in this case, but it can also be used to infiltrate hardware or services. Again, it is a service provided by moving it or MOVEit I should probably look up the name of the company, but it is let me see if I can find it here quickly. Oh, progress software. That is it. So, progress software is the name of the company. They are there. They had a zero day which means that progress software was unaware that there was a problem. And so, the clop ransomware group found the problem found the vulnerability, and exploited it. So that is a supply chain attack. So in other words, if you are using some type of file transfer software to move files between yourself and a client of yours, and that file software gets hacked, all of those files are now at risk of being exposed. In this case, they were stolen, probably on the dark web probably for sale. Here’s how a supply chain attack typically works. And again, this one is a little modified from this but not close. So, in a compromised supplier, in this case, its progress software, the attacker identifies a vulnerable or unsuspecting supplier, which could be a software vendor, hardware manufacturer, service provider, or any other organization that has access to target organizations, networks, or systems. So, in this case, there are 1000s of targets. And I don’t know who the intended targets were. But ultimately, there were over 2000. At this moment, over 2000 organizations have been impacted by this infiltration, the attacker compromises the security of the supplier by exploiting vulnerabilities using malware or employing social engineering tactics. You know, in the case of this SolarWinds attack a few years ago, there were rumors that it was a phishing attack, which is a form of social engineering. There are also rumors that their FTP server, which is also file transfer, was using a weak password. And they got into that. So, this can involve inserting malicious code, which is a SQL injection is malicious, malicious code, where backdoors into suppliers’ products or services, distribution through compromise software, hardware, or services are distributed to the target organization as part of their regular supply chain. In this case, they are moving documents back and forth, files back and forth. And because those were all compromised, since the supplier is trusted to target organization is less likely to scrutinize the components for security issues. And that’s problem number one, you should constantly be vetting any third-party systems, and you should constantly be checking for vulnerabilities and updates as as they are available. And you should be checking in with that vendor and saying, hey, what have you done lately to make sure that you are secure? So, what are their risk assessments, what do their risk assessments look like? Because part of your risk assessment should include their risk assessment and exploitation. Finally, you know, this is when the other foot drops want to attain and components are integrated into the target organization systems, the attacker can exploit the vulnerabilities or backdoors to gain unauthorized access, steal sensitive data, disrupt operations, or carry out other malicious activities. Supply chain attacks can have severe consequences. And they have in this case, and I will get to that in a moment, as they can potentially impact many organizations and individuals who rely on the compromised products or services. These attacks are particularly concerning because they exploit trust within the supply chain making it challenging for organizations to detect and defend against them. So, here is how you met to mitigate those risks. You vet and regularly assess the cybersecurity practices of the suppliers and third-party partners we just talked about. And we’ve seen this time and time again, you know, the credit card processing for Target was compromised years ago, I don’t I don’t remember how many years now, but it was a while ago. This is a sort of supply chain attack. And there have been numerous examples of this. But each example seems to be worse than the last. Okay, this one is going to have a huge impact. File transfer services seem to be one of those services that get targeted quite a bit, implementing strict security controls and monitoring measures for all components within your supply chain. Stay informed about security vulnerabilities and updates related to the software and hardware they use. Now, I do not know the numbers and I do not think anybody does. However, there are several organizations that were compromised after the update came out. Progress software did release an update fairly quickly, once they realized there was an issue, but a number of the organizations out there that were using MOVEit did not push that update through and there are still people getting compromised, you know five months later employ robust intrusion detection and prevention systems to detect and respond to suspicious activities and establish an incident response plan to address and mitigate the impact of a supply chain breach if one occurs and we will be talking about incident response plans next week for our Tech Tuesday at noon. So, if you want to register for that and watch tech.com/tech talk, it is free to attend. So come on, come on over. It is a webinar additionally; organizations should stay vigilant and collaborate with the suppliers and your industry and peers to enhance chain security and resilience. One of the things we talk about all the time in the IT world is the lack of collaboration. It seems to be very siloed. Many IT providers, service providers, and internal IT groups do not want to work together. I have experienced this both in enterprise organizations and as the owner of an MSP. I have personally tried to change this. I am working with two other IT providers right now on a project to educate people on the scams of the world. But it is still a big problem for the IT world where we do not work together. Now, as far as the victims, so far, as of yesterday, 2368 organizations have been impacted. So far, somewhere between 65 and 70 million individuals have been impacted by this breach. Of the 2368 organizations, 2066 are in the USA and 148. In Canada, that is most of the breaches. And that does not include 12 in Puerto Rico, which should be considered part of the USA. In the USA, so let us get to that. There was just a report recently about a large educational system being involved in this.

 

11:32

So, I want to get to that. I do not know if it’s on this list, but it’s pretty large. Many healthcare organizations have been impacted. And as a matter of fact, it might be a record year for HIPAA breaches as far as the number of records breached, I have to double-check that, but I know it’s getting close. So, it might be a record year for that. HIPAA breaches. And that is a big reason for that. A big part of the reason for that is the number of HIPAA, the number of healthcare organizations impacted by the move it I move it, I keep saying move it, it’s move it data breach, move it file transfer, service, data breach, and still trying to get to at least for the US, it’s huge. So, there are 265 colleges, a charter schools in Northern California. A couple of churches and bus companies, this is so nondiscriminate. It’s going all over the place.

 

12:48

There were 13 IT providers, and a couple of academies, I do not know if that would be considered educational, but I would think so. Some even some AI automates automotive suppliers. I’d be curious because I do a lot of work in the automotive industry. So, we have EY Law LLP.

 

13:18

That is who’s representing them or if that’s who you have. And there are several lawsuits already popping up. So, IBM is being sued now, and several other organizations are being sued because of this ultimately should fall on it well, so it depends. So, the responsibility falls on Progress software before the patch after the patch, it falls on the organizations that did not push the patch, so 265 colleges were impacted. We had some organizations here in Connecticut where we are based impacted including Waterbury Hospital. There was a bank I believe was impacted by college systems Community College, there were 188 Community Colleges impacted by the community college system. There were local government agencies impacted including Baltimore County, and Allegheny County in Hillsborough, Hillsborough, there were 18 credit unions. Let us see. I’m looking for it now. To see if I recognize we are a bunch of 32 in the financial services industry. Plus, some FinTech 17. Government agencies impacted us health department law firms, health care systems, health departments, health insurance, 21 health insurance agencies, 78 healthcare agencies, so you can see 13 high schools, and I think that number might have gone up. Insurance companies, I do not know if these are agencies These are companies. Well, The Hartford was impacted here that is here in Connecticut. It services providers 13 of them. So, we don’t use move it. So, we have not been impacted by this, but three law firms to law schools. So you can see this, you know, the list goes on one military school 11 pension plans that could be scary for those pension plans. So quite a large number of organizations have been impacted by this. A few software vendors, seven in technology, one TV station 441 University. So, on top of the other schools already mentioned, there are 441, universities. What about? Again, just to reiterate, you should be vetting any vendors you work with. And not just once, not just the beginning, but over and repeatedly. You should be issuing any patches, as soon as they are available, especially if it is related to a zero-day, which I am sure primer software made, made their customers aware that this is going to be a huge hit to progress software, and they will not be trusted for quite some time. And you know, a lot of people, there are people in the IT world that will tell you all well, now that they have been hacked, there will be more secure going forward. Well, that was true. That might be true. However, you know, they said the same about SolarWinds. And there was a new vulnerability for SolarWinds. Just recently, after a breach a few years ago, there was another vendor that Okta I think, has had a few vulnerabilities now. And when I was researching this, I did see something about MOVEit from 20. I think 2018 or 2017. I’m not sure what that was if there was another breach. Let me see if I can find it again. Yeah, see, now I cannot find it. But there was something coming up for 2017 or 2018. So, I do not know if there was another breach back then. But very possible. So, make sure you are pushing your software updates. Make sure you are vetting all the vendors you work with not just once but continuously. Any risk assessment should be continuous and ongoing. It should not just be a one-and-done. type deal. So that is it for today. We will talk about incident response plans on Tuesday. So, make sure you sign up for that and we are at unwashed tech.com/tech talk. I will leave notes in the I’ll leave a link in the notes for this. Till next time, stay secure

Leave a Reply