I Like to MoveIt MoveIt

Introduction

We all know the song “I Like to Move It, Move It”, but that isn’t the “Move It” we are talking about today. Today’s breach of choice is the infamous MOVEit breach, which unfortunately has everyone from big corporations to government agencies scrambling. This is Vorlon’s Bite Sized Breaches, and we invite you to join us today as we break down the MOVEit breach thus far.

The Scoop on the Breach

Alright, let's start from the top. On June 1, 2023, Progress Software rang the alarm bell over a troublesome SQL injection vulnerability in MOVEit Transfer. This handy piece of software is a Managed File Transfer (MFT) tool, used by businesses to transfer sensitive data safely between different systems. But this vulnerability, tagged as CVE-2023-34362, threw the word "safely" out the window.

Why MFTs are a Tasty Target for Hackers

You might be wondering, why would anyone target such a specific type of software? Well, let me break it down for you. MFTs are essentially corporate versions of the file-sharing programs we all use, like Dropbox or WeTransfer. But these programs are on steroids - they automate data movement, transfer documents on a large scale, and let you control who sees what. And the best (or worst) part? They often face the open internet and are packed with data. For cybercriminals, hacking an MFT program is like hitting the jackpot - all the data is right there for the taking.

The Damage Done: Who's Been Hit?

This wasn't a small-scale breach. We're talking a long list of victims, from airlines and universities to the Department of Energy, who confirmed that their information was part of the data breach. About a dozen US agencies have active contracts with MOVEit. The culprits? A Russia-based ransomware gang called Clop.

Two states, Oregon and Louisiana, had to warn their residents that their identities were at risk after the cyberattack. If you live in Louisiana and have a state-issued driver’s license, ID, or car registration, your data was likely exposed. Over in Oregon, the Department of Transportation reported that attackers accessed the personal information of about 3.5 million people.

Remediation Steps: What Now?

If you think you’re affected, it’s time to roll up your sleeves and dive into damage control mode.

Personal Safety Measures

First off, if you're in Louisiana, follow the officials' advice and freeze your credit. Whether you're in Louisiana, Oregon, or elsewhere, keep an eye on your bank statements and credit reports for any unusual activity - even a penny more or less can be a sign of something fishy.

Technical Safety Measures

For the tech folks managing MOVEit Transfer, the Cybersecurity and Infrastructure Security Agency (CISA) urges you to review the MOVEit Transfer Advisory, follow the remediation steps, and apply the necessary updates. The advisory has several recommended remediation steps, including disabling HTTP and HTTPS traffic, reviewing and deleting unauthorized files and user accounts, and applying patches. In other words, patch up your software, pronto!

Monitoring Malicious Activity

The first part of remediation is to patch the vulnerability and close the door that allowed the breach. However, that's not the end of it. Just because you've patched the hole doesn't mean that the bad guys aren't still inside your network. It's crucial to actively hunt for any indicators of compromise (IOCs) that could suggest lingering malicious activity. This includes looking for unusual network traffic, strange behavior on your systems, and any unexplained changes in files or configurations.

In the context of MOVEit, consider performing a thorough review of any actions taken via the REST API, particularly if you notice unusual API calls or unexpected data transfers. Given the recent breach, suspicious activity could indicate that an attacker gained access and may still be operating within your system. In the wake of a breach like this, it's also possible that unauthorized parties will try to abuse the connections between your systems and the third-party apps integrated with them.

API keys are another vital area of concern. Keep an eye on the usage patterns of your API keys. Is there an uptick in usage? Are they being used to access data that is out of the ordinary? Are there authentication requests from unfamiliar locations or at odd times? These could be signs of an API key being exploited.

If you detect any unusual activity, it's crucial to act swiftly. Consider rotating API keys and resetting credentials, especially if there are clear signs of misuse. Remember, staying vigilant and proactive can help safeguard your systems and data in this critical period.
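The API key checks described above (an uptick in usage, out-of-the-ordinary data volumes, requests from unfamiliar locations or at odd hours) can be turned into a small detector. The following is an added example, not code from the original post or from Vorlon or Progress: it builds a per-key baseline from a known-good log window and flags deviations in a later window. The log line format, field names, API paths, key ids, and IP addresses are constructed for illustration and are not MOVEit Transfer's real log layout.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (an illustration, not MOVEit Transfer's real log layout):
# "<ISO timestamp> key=<api key id> src=<ip> geo=<country> method=<verb> path=<url path> bytes=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed known-good window (before the June 1 advisory): k-finance averages
# 3 calls and 3000 bytes per day from the US, k-hr 1 call and 500 bytes per day.
BASELINE_LOGS = [
    "2023-05-29T09:02:11 key=k-finance src=203.0.113.10 geo=US method=GET path=/api/v1/files/1 bytes=1000",
    "2023-05-29T11:40:03 key=k-finance src=203.0.113.10 geo=US method=GET path=/api/v1/files/2 bytes=1000",
    "2023-05-29T15:12:58 key=k-finance src=203.0.113.10 geo=US method=POST path=/api/v1/files bytes=1000",
    "2023-05-30T09:05:30 key=k-finance src=203.0.113.10 geo=US method=GET path=/api/v1/files/3 bytes=1000",
    "2023-05-30T13:22:07 key=k-finance src=203.0.113.10 geo=US method=GET path=/api/v1/files/4 bytes=1000",
    "2023-05-30T16:48:19 key=k-finance src=203.0.113.10 geo=US method=GET path=/api/v1/files/5 bytes=1000",
    "2023-05-29T10:00:00 key=k-hr src=198.51.100.7 geo=US method=GET path=/api/v1/users/me bytes=500",
    "2023-05-30T10:00:00 key=k-hr src=198.51.100.7 geo=US method=GET path=/api/v1/users/me bytes=500",
]

# Constructed observation window: k-finance makes ten normal daytime calls, plus one
# large early-morning download from an unfamiliar country; k-hr is normal; k-unknown
# is a key the baseline has never seen.
OBSERVED_LOGS = [
    f"2023-06-01T{9 + i:02d}:15:00 key=k-finance src=203.0.113.10 geo=US method=GET path=/api/v1/files/{100 + i} bytes=1000"
    for i in range(10)
] + [
    "2023-06-01T03:12:41 key=k-finance src=192.0.2.44 geo=RU method=GET path=/api/v1/folders/7/files bytes=50000",
    "2023-06-01T10:05:00 key=k-hr src=198.51.100.7 geo=US method=GET path=/api/v1/users/me bytes=500",
    "2023-06-01T11:30:00 key=k-unknown src=192.0.2.44 geo=RU method=GET path=/api/v1/files bytes=2000",
]


def parse(line):
    """Parse one log line into a dict; raise on lines that do not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["bytes"] = int(e["bytes"])
    return e


def build_baseline(lines):
    """Per-key baseline from a known-good window: average calls and bytes per day, and geos seen."""
    days = defaultdict(lambda: defaultdict(int))   # key -> date -> call count
    total_bytes = defaultdict(int)
    geos = defaultdict(set)
    for e in map(parse, lines):
        days[e["key"]][e["ts"].date()] += 1
        total_bytes[e["key"]] += e["bytes"]
        geos[e["key"]].add(e["geo"])
    return {
        key: {
            "calls_per_day": sum(d.values()) / len(d),
            "bytes_per_day": total_bytes[key] / len(d),
            "geos": geos[key],
        }
        for key, d in days.items()
    }


def detect(baseline, lines, spike_factor=3.0, business_hours=range(7, 20)):
    """Return (key, reason) findings for an observation window compared against the baseline."""
    findings = []
    calls = defaultdict(lambda: defaultdict(int))   # key -> date -> call count
    nbytes = defaultdict(lambda: defaultdict(int))  # key -> date -> bytes transferred
    unknown = set()
    for e in map(parse, lines):
        key, b = e["key"], baseline.get(e["key"])
        if b is None:
            # A key with no history: either freshly rotated on purpose, or not yours.
            if key not in unknown:
                unknown.add(key)
                findings.append((key, "no baseline for this key (new or unknown key)"))
            continue
        day = e["ts"].date()
        calls[key][day] += 1
        nbytes[key][day] += e["bytes"]
        if e["geo"] not in b["geos"]:
            findings.append((key, f"request from unfamiliar geo {e['geo']} ({e['src']})"))
        if e["ts"].hour not in business_hours:
            findings.append((key, f"off-hours request at {e['ts'].isoformat()}"))
    # Volume checks run per day so a single burst stands out against the daily average.
    for key, per_day in calls.items():
        b = baseline[key]
        for day, n in per_day.items():
            if n > spike_factor * b["calls_per_day"]:
                findings.append((key, f"{day}: {n} calls vs baseline {b['calls_per_day']:.1f}/day"))
            if nbytes[key][day] > spike_factor * b["bytes_per_day"]:
                findings.append((key, f"{day}: {nbytes[key][day]} bytes vs baseline {b['bytes_per_day']:.0f}/day"))
    return findings


def run_example():
    """Run the detector over the constructed windows and return its findings."""
    return detect(build_baseline(BASELINE_LOGS), OBSERVED_LOGS)


if __name__ == "__main__":
    for key, reason in run_example():
        print(f"{key}: {reason}")
```

The baseline window should end before the advisory date, since anything logged after that may already include attacker activity. A key with no baseline is reported rather than ignored: after the credential rotation recommended above, the new keys will legitimately show up this way, and any other unrecognised key deserves a look.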

Bottom Line

The MOVEit breach is a stark reminder that cybersecurity is more important than ever. Keep your software updated, stay vigilant, and remember: in this digital age, everyone is a potential target. Stay safe out there!