One of the most significant data breaches of 2023, MOVEit, has largely escaped the public’s attention yet has affected numerous organizations worldwide. MOVEit is a file-transfer application created by Progress Software used by organizations across various sectors, including financial services, education, and government. Its primary function is to facilitate the secure transfer of large batches of sensitive data.
While this can be a scary incident to experience, it also presents an opportunity to learn. By understanding the vulnerability in systems that caused this breach, you can better prepare against similar attacks in the future. We’ll look at what happened during this particular event and how we can apply those lessons in the future.
On May 31, 2023, a critical vulnerability was discovered that allowed hackers to gain unauthorized access to confidential information stored in Sovos’ MOVEit environment. The breach was facilitated through a custom web shell identified as LemurLoot. Disguised as ASP.NET files used legitimately by MOVEit, LemurLoot was able to steal Microsoft Azure Storage Blob information. Microsoft Azure Storage Blob is a cloud-based solution providing secure and reliable storage for large unstructured data files.
The impact of the MOVEit breach has been far-reaching and devastating. It has affected numerous companies and millions of individuals worldwide. Here are some examples:
- Sovos Compliance LLC: The breach resulted in an unauthorized party accessing consumers' sensitive information, which includes their names and Social Security numbers. The affected companies include UBS Financial Services Inc., Atlantic Shareholder Services, Patelco Credit Union, Bangor Savings Bank, Pan-American Life Insurance Group Inc., and Celink.
- National Student Clearinghouse: The breach impacted 890 schools using its services across the United States. The Cl0p ransomware gang gained access to its MOVEit server and stole files containing personally identifiable information.
- Financial Institution Service Corporation (FISC) and Johnson Financial Group (JFG): The MOVEit breach impacted the sensitive data of over one million individuals. FISC reported that the attack impacted 753,261 individuals, while JFG added another 93,093 victims.
- Radisson: Guest data from its Radisson Hotels Americas chain was compromised as part of the massive MOVEit file transfer system hack carried out by the Cl0p ransom gang.
- 1st Source Bank: A security breach involving MOVEit has impacted about 450,000 records. An unauthorized third party gained access to sensitive client data of commercial and individual clients.
- BORN Ontario: The breach affected some 3.4 million people seeking pregnancy care, including the personal health data of nearly two million newborns and children across the Canadian province.
- Barrick Gold Corp: The Clop/Cl0p ransomware and data theft gang listed Barrick Gold Corp. among the companies it hit.
- Jones Lang LaSalle: All employee data, excluding Social Security numbers, had been compromised, affecting all the organization’s 43,000 employees.
Why Isn’t This Making Headlines?
Why such a significant data breach isn’t making more headlines is puzzling. Perhaps it’s because the victims are so diverse - from financial institutions to universities to hotel chains - that no single sector feels the full brunt of the impact. Or maybe it’s because we’ve become desensitized to data breaches.
Whatever the reason, we mustn’t let this breach fade into obscurity. We must learn from it and take steps to prevent similar incidents.
How to Prevent Similar Breaches
Preventing similar breaches requires a multi-faceted approach:
- Patching: Progress patched the vulnerability shortly after evidence of the attack surfaced. However, some users continue to be attacked because they haven’t installed the patch on their networks. This underlines the importance of a well-defined patching strategy.
- Inventory Management: Inventorying assets and data is crucial in identifying authorized and unauthorized devices.
- Port Management: If you have any MOVEit servers, immediately close Ports 80/443, plus any additional ports facing the public internet on which the services may be running.
- Update Vulnerable Instances: Make sure all vulnerable instances of MOVEit are removed from public internet access until they are updated with security patches.
- Threat Intelligence: This involves staying informed about potential threats and vulnerabilities affecting your organization’s systems.
The Importance of Third-Party Risk
This incident underscores the importance of third-party risk management. Many organizations rely on third-party vendors like MOVEit for critical operations. However, these relationships can expose organizations to additional risks if those vendors suffer a security incident.
Therefore, organizations must conduct thorough due diligence when selecting vendors and implement robust monitoring systems to detect anomalies or breaches promptly.
Alternatives to MOVEit
Alternatively, you might be considering alternatives to MOVEit for your file transfer needs:
- Microsoft SharePoint: SharePoint is an intranet solution that enables users to share and manage content, knowledge, and applications to empower teamwork, quickly find information, and collaborate across the organization. It’s rated higher than MOVEit and offers more features.
- Microsoft OneDrive: OneDrive is a file hosting and synchronization service operated by Microsoft. It’s rated higher than MOVEit3.
- Microsoft Teams: While not a direct alternative for file transfer, Teams can securely share files within a team or organization. It’s primarily a platform that combines workplace chat, meetings, notes, and attachments.
Each tool has strengths and weaknesses; the best choice depends on your specific needs and circumstances. Always consider factors such as the sensitivity of the data you’re transferring, compliance requirements, and the IT infrastructure of your organization when choosing a file transfer solution.
In conclusion, the MOVEit data breach should warn of the consequences of inadequate security measures. Businesses must think critically about the risks associated with their services and take proactive countermeasures, such as patching and threat monitoring. If you need help understanding the risks involved in using different platforms or want to ensure your company’s security measures are up to par, don’t hesitate to contact us and have an expert guide you. Prevention is better than repair– protecting your business from cyberattacks starts with a proper risk assessment.