MOVEit Data Breach: Key Learnings and Actions for UK SME’s
In June 2023, a notable cybersecurity event known as the “MOVEit Breach” took place. This incident related to MOVEit, a managed file transfer tool created by Ipswitch, Inc., a subsidiary of Progress Software. From May 2023 onwards, a critical vulnerability within the software was exploited by malicious actors, leading to unauthorised data access from prominent organisations including Shell, British Airways, and the United States Department of Energy. While the complete magnitude of this breach is yet to be fully ascertained, preliminary research indicates that the scope of compromised data and the number of affected individuals surpass initial estimates, according to the UK National Cyber Security Centre. Specifically, health data spanning from January 2010 to May 2023 has been jeopardised. Presently, it is estimated that a minimum of 60 million individuals are impacted by the exploitation of MOVEit file transfer servers.(Source)
As firms worldwide grapple with the aftermath, it becomes imperative to adopt rigorous measures to safeguard one’s digital assets. In light of TWC’s UK Cybersecurity Report, it’s pertinent to note that, subsequent to ransomware, supply chain attacks stood as the second most lethal cyber threat, accounting for a staggering 12% of the most severe cyberattacks in the UK between 2006-2022. This article aims to offer a comprehensive insight into this major attack, paired with a suite of actionable recommendations to fortify your firm’s cyber resilience.
TOP 6 Key Learnings of the MOVEit Breach
| MOVEit Data Breach Overview | |
|---|---|
| Date Identified | June 2023 |
| Software Developer | Ipswitch, Inc. (a subsidiary of Progress Software) |
| Start of Exploitation | May 2023 |
| Major Entities Breached | Shell, British Airways, U.S. Department of Energy |
| Scale Indications | UK National Cyber Security Centre suggests the breach magnitude might be larger than initial estimates |
| Specific Data Jeopardised | Health data from January 2010 to May 2023 |
| Estimated Affected Individuals | Minimum of 60 million |
FACT #1: The Actors behind the MOVEit Breach
In line with reports from the Cybersecurity and Infrastructure Security Agency, as well as the Federal Bureau of Investigation, the breaches are attributed to Cl0p, a cyber group with affiliations to Russia.(Source)
FACT #2: Date of MOVEit Exploitation
From May 2023 onwards, there have been noted instances where a vulnerability within the software has been leveraged by unauthorised entities, leading to data breaches in several organisations, notably including Shell, British Airways, and the United States Department of Energy.(Source)
FACT #3: 40+ million affected Individuals and 1000 organisations affected by the MOVEit Data Breach
While the complete extent of the exploitation remains to be fully determined, it has been ascertained that the widespread breach of MOVEit file transfer servers has impacted a minimum of 60 million individuals. (Source)
FACT #4: The Method used for MOVEit Data Breach
A detected vulnerability within MOVEit permits unauthorised entities to exfiltrate files from organisations via SQL injection on externally-facing servers. These illicit transfers are conducted using a bespoke web shell, termed ‘LemurLoot’. Camouflaged as legitimate ASP.NET files utilised by MOVEit, LemurLoot has the capability to extract Microsoft Azure Storage Blob data.
FACT #5: The response of MOVEit team
Leading professionals within the cyber industry have commended the MOVEit team for their exemplary response to the incident. Their prompt provision of patches, coupled with consistent and insightful advisories, has facilitated swift remediation.(Source)
FACT #6: Cybersecurity is overlooked
A significant number of breaches can be attributed to the fact that many organisations, both at the managerial and employee levels, do not prioritise cybersecurity. Frequently, individuals have an expansive range of responsibilities, and businesses tend to concentrate more on investment planning, fee structures, and daily operational administration.
WHAT THE MOVEIT DATA BREACH IS
The MOVEit Data Breach refers to a cybersecurity incident in 2023 wherein malicious actors exploited a previously unidentified SQL injection vulnerability within Progress Software’s managed file transfer solution, MOVEit Transfer. This breach allowed unauthorised access to sensitive data, underscoring the importance of robust cybersecurity measures and prompt vulnerability remediation within UK digital infrastructures. So far it is considered to be the most significant hack of 2023.
How Did the MOVEit Breach Occur?
The breach associated with MOVEit stems from a vulnerability within the MOVEit file transfer application by Progress Software, a solution leveraged by numerous global organisations. Consequently, several entities that integrate the MOVEit application within their supply chains have experienced data compromises, leading to the potential extraction of customer and/or employee data. Presently, the NCSC is collaborating with UK-based organisations to comprehend and address this incident.(Source)
As mentioned above, the breach was orchestrated by a Russian ransomware group named CL0P, who exploited a previously unidentified SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer. This vulnerability enabled the attackers to manipulate the software’s database by introducing malicious SQL statements. Subsequent to exploiting this flaw, CL0P infected internet-facing MOVEit Transfer web applications with a malware named LEMURLOOT, granting them access to extract sensitive data from MOVEit databases. Although Progress Software swiftly released a patch to address the vulnerability, some organisations remain compromised, having not applied the corrective measure. This breach underscores the critical importance of timely patching and reinforces the perils of SQL injection attacks, which can compromise data confidentiality, integrity, authentication, and authorisation.
How an SQLi might occur as part of a supply chain attack
| SQL Injection in Supply Chain Attack | |
|---|---|
| Step | Description |
| 1. Target Identification | Threat actor identifies a third-party component or vendor in the software’s supply chain that is vulnerable to SQLi. |
| 2. Exploitation | The attacker crafts malicious SQL code and injects it into the vulnerable component, taking advantage of poor input validation. |
| 3. Gain Access | Through the successful SQLi, the attacker gains unauthorized access to the underlying database or system. |
| 4. Lateral Movement | Using the exploited component as a foothold, the attacker attempts to access other parts of the software system or network. |
| 5. Achieve Objective | The attacker extracts, modifies, or deletes data, installs malware, or establishes a persistent backdoor for future exploits. |
What Are The Consequences of MOVEit Breach?
he ramifications of the MOVEit breach are gravely significant. The health data in question spans from January 2010 to May 2023. Preliminary research suggests that both the number of presumed attacks and the aggregate count of individuals whose data has been compromised greatly surpass initial revelations(Source). Current assessments indicate that the widespread exploitation of MOVEit file transfer servers has impacted a minimum of 60 million individuals(Source).
HOW MANY COMPANIES WERE AFFECTED SO FAR?
As Cybersecurity Insiders report so far more than 75+ companies and 900+ schools were affected by the MOVEit vulnerability:
| Impacted Companies and Schools | |
|---|---|
| Impacted Companies | Impacted Schools, Colleges and Universities |
| The US Department of Energy, | ACADEMY OF ART UNIVERSITY |
| Shell company, | ACCESSLEX INSTITUTE |
| First National Bankers Bank | ADAMS STATE UNIVERSITY |
| Putnam Investments | ADELPHI UNIVERSITY |
| Datasite | ADVANCED TECHNOLOGY INSTITUTE |
| Swizz Insurance company ‘OKK’ | ALAMANCE COMMUNITY COLLEGE |
| Leggett & Platt | ALBERTUS MAGNUS COLLEGE |
| Multinational firm PricewaterhouseCoppers(Pwc) | ALFRED UNIVERSITY |
| Ernst & Young | ALICE LLOYD COLLEGE |
| Health Services Ireland | ALLEN COUNTY COMMUNITY COLLEGE |
| BBC | ALLEN HIGH SCHOOL |
| British Airways | ALLIANT INTERNATIONAL UNIVERSITY |
| Boots Retail | AMERICAN CAREER COLLEGE |
Full list here: Source
What Are the Essential Measures UK SMEs Should Take in Response to the MOVEit Breach?
In the wake of the MOVEit breach, it is imperative for businesses to act swiftly in fortifying their data security measures. I recommend the following steps for UK SMEs:
Routine Vulnerability Audits and Efficient Patch Management:
▶Rationale: The breach at MOVEit was instigated by an SQL injection vulnerability, and, notably, certain users were left exposed even post the issuance of the patch due to a lag in system updates.
▶Recommendation: Conduct consistent vulnerability assessments across all digital systems and software. Upon the release of patches or system updates, ensure their swift deployment, prioritising those of utmost criticality, especially if they relate to external systems.
Enhanced Surveillance of Web-Based Applications:
▶Rationale: MOVEit’s web applications, accessible via the internet, were the primary points of attack.
▶Recommendation: Implement advanced monitoring solutions, such as intrusion detection systems (IDS) and web application firewalls (WAF). This ensures potential malicious activities on web-based applications are flagged and countered. Furthermore, meticulous log analysis can help identify any abnormal or unauthorised undertakings.
Adoption of the Least Privilege Principle & Network Segmentation:
▶Rationale: The attackers, post exploiting MOVEit’s vulnerability, managed to access and perhaps traverse across underlying databases.
▶Recommendation: Guarantee that systems and end-users are granted only the minimal essential permissions. Implement network segmentation to isolate sensitive data, thus reducing the potential of a domino effect during a security compromise.
Robust Third-Party Risk Management:
▶Rationale: The onset of the compromise was through MOVEit software, a third-party solution.
▶Recommendation: Diligently assess the security credentials of all third-party providers and their software. This encompasses regular security audits, ensuring their alignment with your organisation’s cybersecurity benchmarks, and comprehending the ramifications of potential vulnerabilities within your operational environment.
Proactive Incident Response & Threat Intelligence:
▶Rationale: The MOVEit incident accentuated the necessity of advanced threat intelligence coupled with a clear patching strategy.
▶Recommendation: Maintain an up-to-date incident response blueprint. Integrate threat intelligence updates with your cybersecurity protocols to preemptively counter emerging threats, ensuring swift detection, containment, and recovery during potential incidents.
Supplementing these measures, it’s vital to invest in continuous employee training programmes focused on enhancing cybersecurity awareness, which should encompass the identification of threats and potential phishing endeavours. As technological landscapes and malicious tactics evolve, adopting a proactive and vigilant approach remains the cornerstone of resilient cybersecurity.
Conclusion: GUARD YOUR BRAND AGAINST SUPPLY CHAIN ATTACKS
The MOVEit breach is a serious concern for businesses and governments alike. It highlights the importance of cybersecurity and the need for businesses to take proactive measures to protect their data. We have compiled essential cybersecurity guidelines appropriate for startups and established businesses.
GET A QUOTE WITHIN 48 HOURS
At TWC IT Solutions Our mission is to empower your business with stable and robust Cyber security solutions that ensure resilience in today’s ever-changing landscape.
Contact TWC IT Solutions and our dedicated team will address your inquiries and requests, ensuring that you receive the assistance you seek within 48 hours.
IT Awards and Distinctions
Nine distinctions in two years.
USA SUPPORT OFFICES:
Los Angeles
New Jersey
ASIA SUPPORT OFFICE:
Hong Kong, China
MIDDLE EAST SUPPORT OFFICE:
Dubai, UAE
UK HEAD OFFICE:
32-34 Station Close
Potters Bar
London
EN6 1TL
