MOVEit's mass hack into its system will likely be remembered as one of the most damaging cyberattacks in history, and it is expected to make history.
An exploit in Progress Software's MOVEit managed file transfer service was exploited by hackers to gain access to customers' sensitive data through SQL commands injected into the system. The MOVEit service is used by thousands of organizations to secure the transfer of large amounts of sensitive files.
There was a zero-day vulnerability exploited in the attack, which meant Progress was not aware of the flaw and was not able to patch it in time, which essentially left Progress' customers without any defence from the attack.
There has been a public listing of alleged victims of the hacks started by the Russia-linked Clop ransomware group since June 14, the group that claimed responsibility for the hacks. Banks, hospitals, hotels, energy giants, and others are all included in the growing list of companies affected, part of a campaign being conducted in an attempt to pressure victims into paying ransom demands so that their information will not be breached online.
The company Clop announced in a blog post this week that it will release the "secrets and data" of all victims of MOVEit who refused to negotiate with Clop on August 15.
There had been similar hacks targeting the file-transfer tools of Fortra and Acellion earlier in the year as well; it was unlikely that this was Clop's first mass hack.
The latest Emsisoft statistics indicate that more than 40 million people have been affected by the MOVEit hack, according to Emsisoft's latest statistics. Since the hacks started almost a year ago, those numbers have continued to increase almost daily.
"Without being able to assess the depth and scope of the damage, at this point, there is no way to make an informed guess," Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch+. "We do not yet know how many organizations were affected and what data was compromised.”
There is no doubt that around a third of those known victims have been affected by third parties, and others are impacted by vendors, subcontractors, and other third parties. According to him, because of this complexity, it's very likely that some organizations that may have been affected aren't aware that they have been affected, and that's what makes it so irreparable.
While this hack had an unprecedented impact because of its scale, its methodology isn't new and there's nothing innovative about the way it was executed. In recent years, supply chain attacks have become more prevalent as a result of zero-day flaws being exploited by adversaries, and one exploit can potentially affect hundreds if not thousands, of customers due to the potential for the release of a zero-day vulnerability.
Taking action now to prevent the threat of a mass hack should be as critical for organizations as anything else they can do.
Recovering From the Disaster
When you have been the victim of a hack, it may seem like the damage has already been done and there is no way to recover from it. Even though it can take months or years to recover from an incident like this, and many organizations are likely to be affected by it, they need to act quickly to understand not only which type of data was compromised, but also their possible violations of compliance standards or laws governing data privacy.
Demands For Ransom
"Supply-chain attacks" are what is referred to as the hack in question.
Initially, the news was announced in November last year when Progress Software revealed hackers had managed to infiltrate its MOVEit Transfer tool using a backdoor.
In an attempt to gain access to the accounts of several companies, hackers exploited a security flaw in the software.
Even organizations that do not use MOVEit themselves are affected by third-party arrangements because they do not even use MOVEit themselves.
It has been understood by the company that uses Zellis that eight companies are affected, many of them airline companies such as British Airways and Aer Lingus, as well as retailers like Boots that use Zellis. It is thought that MOVEit is also used by a slew of other UK companies.
A hacker group linked to the ransomware group Clop has been blamed for the hack. It is believed to be based out of Russia, but the hackers could be anywhere.
As a consequence, they have threatened to publish data of companies that have not emailed them by Wednesday, which is the deadline for beginning negotiations.
As the BBC's chief cyber correspondent Joe Tidy pointed out, the group has a reputation for carrying out its threats, and organizations in the next few weeks may find their private information published on the gang's dark website.
The information told me that there is a high probability that if a victim does not appear on Clop's website then they may have signed up for a ransom payment by the group in which they may have secretly paid it, which can range from hundreds of thousands to millions of dollars.
The victims are always advised not to pay to prevent the growth of this criminal enterprise as paying can fuel the growth of this malicious enterprise, and there is no guarantee that the hackers will not use the data for a secondary attack.
When such a massive breach like MOVEit Mass Hack occurs, it is highly challenging to recover data from such an event, which requires meticulous efforts to identify the extent of the compromised data, and any potential compliance violations, as well as violations of local privacy laws.
Many articles warn that paying ransom demands is not a guarantee that a cybercriminal will not come after you in the future, and will not perpetuate the criminal enterprise.
MOVEit Mass Hack can be viewed as an example of a cautionary tale about the software sector that shouldn't be overlooked. A key aspect of this report is the emphasis it places on cybersecurity strategies and supply-chain vigilance so that the effects of cyber threats can be mitigated as quickly as possible.
