Progress Software, the company behind the MOVEit software, released a service pack Friday addressing three vulnerabilities. And cyber experts say there are also specific ways that organizations can better prepare against such incidents in the future.
The MOVEit compromises’ wide-ranging impacts have affected several federal agencies and at least eight states. The effects continue spreading through the education sector, too. Recently disclosed victims include the National Student Clearinghouse — which works with thousands of high schools and districts and roughly 3,600 postsecondary institutions — and the Teachers Insurance and Annuity Association of America, per TechCrunch.
The CL0P ransomware group’s exploitations affected both victims that used the third-party file transfer tool and those whose vendors used the tool. All this underscores the need for stronger supply chain security and rethinking vendor relationships, experts said. The incident also points to a need for rapid-fire patching in the face of zero-day exploits and investing in resiliency and zero-trust measures.
NO MORE EASY TRUST FOR VENDORS
Local governments have increasingly turned to third parties to help them fill IT talent gaps, said Alan Shark. Shark is executive director of the Public Technology Institute (PTI), which provides local government technology professionals with support such as research, professional development, consulting and education. PTI’s annual national survey of cities and counties found more than 70 percent of respondents turning more heavily to managed service providers (MSPs), especially for cybersecurity.
But against this backdrop of outsourcing, the MOVEit compromise demonstrates that government must treat even well-known vendors as potential threat vectors. They cannot take it for granted that the companies are following cybersecurity best practices.
Governments “might have had a false sense of security until now,” if they assumed that contracting with well-named companies gives them “something to point to if something goes wrong,” Shark said. “That’s no longer adequate … We can no longer trust our vendors and our application providers.”
Shark says governments need to keep a closer eye on their vendors.
That could mean requiring the companies to self-certify that they’re meeting the highest cybersecurity standards. While such an approach relies on vendors’ honesty, governments could sue those that misrepresent themselves, are negligent or fail to live up to their contracts. Of course, a victorious lawsuit doesn’t reverse the damages of a cyber attack.
Another approach is to look to third parties that independently vet vendors. StateRAMP evaluates the cybersecurity of cloud vendors that sell to state and local government. The organization certifies those that meet certain standards, and it provides a list of authorized products that government procurement officials can peruse. Similarly, the Computing Technology Industry Association (CompTIA) — PTI’s former parent organization — recently beta launched its Cybersecurity Trustmark program. That initiative is aimed at certifying MSPs based on their compliance with widely accepted cybersecurity best practices.
Shark said procurement officials should prioritize selecting vendors that hold at least one of those certifications, even if doing so is more expensive. He also advised governments to invest in better systems for internal monitoring and consider hiring vendors to monitor and probe the security of other vendors’ systems and offerings.
Making these changes, however, won’t be easy.
“We have to change the way we act,” Shark said. “That's going to be more expensive for local governments.”
Ian Milligan-Pate is area vice president of state, local and education, at cloud security company Zscaler. He said that MOVEit has demonstrated how organization attack surfaces extend beyond their own employees and devices to also include any third-party software-as-a-service (SaaS) applications they’re running. Organizations often use hundreds — or even more than 1,000 — third-party SaaS applications, and trying to prevent any of them from having an exploitable vulnerability is an impossible ask.
Instead, organizations should work to minimize the damage that an attacker could wreak if they do get into the network. That means adopting zero-trust measures that can block an attacker from moving laterally across the network to access more applications and assets, Milligan-Pate said.
“We're already seeing that with some of the government and education customers that we work with, where, if anything, it's going to accelerate their adoption of zero trust,” he said. “You've got to be able to get to a place where you can eliminate lateral movement; you're never going to close all these vulnerabilities and risks around your entire third-party application stack.”
RESILIENCY PLANNING
Vendor diversity is also important.
Too often, organizations that shifted to remote or hybrid work came to rely heavily on just one or two providers for all their key digital services, said Lisa Forte, partner at cybersecurity training and consulting provider Red Goat Cyber Security. Such an approach means that a vast swath of organizations have “almost a single point of failure,” and cyber criminals can disrupt all of them by just taking down one supplier rather than having to hit each entity individually.
Cyber extortionists are increasingly setting sights on cloud storage providers, password managers and other players in the digital supply chain, she said. To respond, organizations need to not only emphasize cyber defenses but also response plans and resiliency measures.
Planning and practicing ways to react to possible cyber incidents prepares organizations to better resist extortionists’ demands should an attack occur. Organizations should be ready with plans for how to stay operational should they lose access to any of their critical business services or the systems underpinning them.
Take the unlikely — and hypothetical — example of Microsoft 365 going down, Forte said. That would leave organizations without access to services like Outlook email and Teams messaging, immobilizing communications if entities aren’t prepared. Resilience means working ahead of time to identify backup ways to maintain communications, even if it’s just switching over to WhatsApp or Signal, for example.
“I often say to clients that I work with, ‘If you had no IT whatsoever, what business functions could you do and how would you do them with no IT?’ And when you start looking at that, you think, ‘OK, I need to bake in some alternative options,’” Forte said.
DEFENSE IN THE AGE OF ZERO DAYS
Hacking group CL0P exploited a zero-day vulnerability to compromise MOVEit — something that underscores the importance of applying patches as soon as they become available, said Allan Liska, intelligence analyst at threat intelligence platform provider Recorded Future.
“You have to apply that patch right away,” Liska said. “You don't have that kind of freedom in these kinds of attacks to be able to test the patch and make sure everything works, and then [say,] ‘Our next maintenance window is next month, we'll go ahead and do it then.’”
Liska also says organizations can take steps to better thwart zero-day exploitations, even before patches become available.
Data exfiltration monitoring tools, for example, can detect large transfers of information out of the system and halt the activity, Liska said. Of course, while that defense helps in some situations, it’s insufficient in cases like MOVEit where the impacted software is intended to transfer data. Organizations then need to be able to distinguish between legitimate and illicit data transfers — and behavioral analytic tools can assist here. Such tools monitor the network flow of a system to detect and halt any unusual activity.
Applying these layers of defensive measures is a significant task, however, Liska admitted: “That’s really, really hard. … [and] you basically have to do that for every platform that you have that’s potentially touching the Internet.”
The latest victims aren’t the only ones who should draw lessons from the incident, Liska said. Ransomware actors with the means can purchase zero-day exploits and CL0P appears to be profiting richly from its MOVEit compromise, meaning it’ll have both incentive and resources for investing in more of these kinds of attacks.
Zero days in “widely deployed but little-known platforms” are unlikely to cost more than $100,000 and “as far as we can tell, CL0P’s made 100 times that, at least from this particular attack,” Liska said. “… If you weren't one of the victims here, you shouldn't be breathing a sigh of relief; you should be figuring out, ‘What platforms do we have that could likely be targeted by these groups and how can we better defend them?’”
