Beenu Arora is the CEO of Cyble Inc, a threat intelligence provider that helps enterprises protect themselves from cybercrimes.
What are the similarities between the BBC, Shell, Radisson Hotels Americas and Johns Hopkins University? They all were victims of Cl0p ransomware, which used the MOVEit Transfer vulnerability to snare their systems.
MOVEit Transfer, a managed file transfer (MFT) solution, is trusted by organizations worldwide for secure data transfers. Naturally, a vulnerability alert on MOVEit Transfer was all that was needed for threat actors to go after the users and, thereby, the personal information of millions of individuals.
Vulnerability Management: Case In Point
Let’s dive into recent findings and incidents related to MOVEit vulnerabilities.
The notorious Cl0p ransomware group has been at the forefront of these attacks, targeting organizations worldwide. Alongside the victims already mentioned, American online payroll and human resource technology provider Paycom, global automotive component manufacturer Motherson Group, and U.S.-based software company Aspen Technology are the latest to join the list.
U.K.-based payroll services provider Zellis was one of the earliest victims of Cl0p. Like dominoes, its high-profile clients—including British Airways, the BBC, and U.K. pharmacy chain Boots—had their data compromised.
The impact of these attacks—which is still unraveling—is alarming, with a growing number of organizations falling victim to the vulnerabilities in MOVEit Transfer. These cyberattacks have extended beyond private companies, with U.S. federal agencies such as the Department of Energy also being affected.
The More Victims, The Better
Our company has traced over 300 organizations that have been targeted by these attacks. Based on our assessment, a staggering total of over 18 million individuals have been affected at the time of writing. Surprisingly, educational institutions—including some of the world’s top universities—form about 10% of the list.
So, what makes educational institutions an attractive target for cybercriminals?
First, they possess a wealth of valuable data, including the personally identifiable information (PII) of students, faculty, and staff, financial information, research data, and intellectual property. This data is highly sought after by cybercriminals looking to profit from identity theft, financial fraud or the sale of sensitive information on the dark web.
One Patch Is Not Enough
To add to the growing concern, MOVEit Transfer has been found to have additional vulnerabilities.
Progress Software, the developer of MOVEit, disclosed three new vulnerabilities in the software in July. These vulnerabilities, including the critical SQL injection flaw that plagued firms worldwide, can enable unauthorized access to the database and compromise sensitive information.
As these vulnerabilities continue to emerge, it becomes increasingly crucial for organizations to stay vigilant and take immediate action to protect their data. But do organizations really care about vulnerability management? Sadly, it would seem the answer is no.
In September 2022, Microsoft identified the bug CVE-2022-37958 and released a patch, initially believing it only had the potential to expose sensitive information. However, in December, IBM security researcher Valentina Palmiotti discovered that CVE-2022-37958 could enable remote code execution (RCE). In response, Microsoft reevaluated the bug during the December 2022 Patch Tuesday update and reclassified it as an RCE vulnerability instead of an Information Disclosure issue.
In its December alert, Microsoft explicitly mentioned that the bug patched in September could still spread itself. However, a survey conducted by The Cyber Express at the beginning of 2023 among its registered readers revealed that many were unaware of the bug. Among 32 CISO leaders from various organizations and regions who participated in a random survey, only 17% took action to apply the patch, and even then only after receiving the December alert. Shockingly, 43% have yet to ensure that their systems are fully updated.
A few respondents even questioned the purpose of the survey, expressing confusion about the need for urgency in addressing the bug.
In other words, what’s the big deal?
Be Proactive, Not Reactive, In Patch Management
Patching only after a vulnerability has been found to be exploited is like changing the locks on a bank that has already been robbed.
In light of these vulnerabilities and cyberattacks, what can organizations and individuals do to safeguard their data? Here are some key steps to consider:
• Update security measures. Ensure you have installed the latest security patches and updates for all your software and systems, including MOVEit Transfer. Regularly check for software updates and implement them promptly to address known vulnerabilities.
• Enhance cybersecurity awareness. Educate yourself and your team about cybersecurity best practices, such as identifying phishing emails, avoiding suspicious links and attachments, and using strong, unique passwords.
• Implement multifactor authentication (MFA). Enable MFA wherever possible to add an extra layer of security to your accounts.
• Employ robust endpoint protection. Install reputable antivirus and anti-malware software on all devices to detect and block potential threats. Regularly update these security solutions to stay protected against the latest threats.
• Conduct regular data backups. Regularly back up your critical data to secure off-site locations or cloud-based services.
• Monitor your network. Implement robust network monitoring tools and systems to detect any suspicious activities or potential breaches.
• Collaborate with cybersecurity experts. Consider partnering with cybersecurity firms or experts who can provide specialized services such as vulnerability alerts, bug assessments, penetration testing and incident response planning.
The recent MOVEit Transfer vulnerabilities underscore a disturbing reality: No organization, regardless of its size, industry or the criticality of the data it holds, is impervious to the threat of cyberattacks.
In essence, the cybersecurity landscape is a battlefield that requires constant vigilance, investment and adaptation. The costs of ignoring this reality are too high, and the MOVEit vulnerabilities are a stark reminder. The cavalier attitude of “What’s the big deal?” is a ticking time bomb in the world of cybersecurity. Unless addressed swiftly and decisively, it could potentially lead to catastrophic consequences.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.