Vancord CyberSound

082 - MOVEit Vulnerability Exploitation: June, 2023

July 11, 2023 Vancord Season 1 Episode 82

Progress Software’s file-transfer tool MOVEit recently experienced a massive exploitation. What does this mean for the users of the software and the service providers with clientele under this tool?

Today, Jason, Matt, and Steve walk through the incident and notification processes while advising of basic steps to be proactive against these types of attacks. The team emphasizes that these basic recommendations apply to those involved with the MOVEit vulnerability and those dealing with sensitive data transfers.

00:01

This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl, Steven Maresca and Matt Fusaro.


Jason Pufahl  00:15

Welcome to CyberSound. I'm your host, Jason Pufahl, joined, as always, by Steve Maresca and Matt Fusaro. Hey guys. So, you know, today we're gonna spend some time on the MOVEit vulnerability. I mean I think we all discussed, it's impactful, obviously, probably because of the role that MOVEit plays in data transfer, and probably data access. But I mean, ultimately, it's pretty similar to sort of the common exploits that we see, software exploits, etc. You wanna, one of you want to take a stab at sort of describing a little bit about what this was though, in more specifics?


Matt Fusaro  00:20

Hey everyone. 


Steven Maresca  00:21

Hey there. Sure. So you know, background, MOVEit, it's a tool from Progress Software, it's used for generally exchanging sensitive data between organizations, you know, service providers and generators to that data or something to that effect. In this particular case, they had a vulnerability in their web front end. That's the similarity with Exchange and a lot of other things. Yeah, it's an attack surface exposed to the world. Going through that vulnerability, you can get access to sensitive data. That's it in a nutshell, has a long tail of impacts for effect and what this means for companies that maybe use the service provider or use the software itself.


Matt Fusaro  01:34

Yeah, this goes back to a prediction we made, what, maybe a year and a half, two years ago, about more efficient vulnerabilities that are going to start being used. This is definitely an efficient one.


Steven Maresca  01:45

Yeah, and the vulnerability here was used by a ransomware gang that identifies itself as Clop. It's called a variety of other names.


Jason Pufahl  01:55

TA505, I mean, if somebody wants to Google it, right, that's one of them. 


Steven Maresca  01:58

That's memorable. 


Jason Pufahl  02:00

Yeah, really, really memorable.


Matt Fusaro  02:01

TA505, yeah or whatever company is given there into it, there you go.


Steven Maresca  02:04

But here's the thing. This is a gang that's been known to target systems like this. They were associated with a breach, or breaches targeting Accellion in 2020, another secure file transfer platform, so this is a pattern for them. It's paid off clearly in the past, and that's what it's doing again, today. 


Matt Fusaro  02:26

Yeah, and they were also involved in the PaperCut Exploit in April of this year, 2023. And they do a lot of the same things that you'd see from you know, what we've seen, at least from all the ransomware gangs that try to gain a foothold, they're creating scheduled tasks for persistence, deploying command and control so that they can get in and out of their transfer data, whatever it is that they need to do for further exploitation or for the data exfiltration. Looking at local LSASS, so if you're not familiar with LSASS, that's where all the authentication information is saved on a machine. So they like interacting with that to get further credentials, move laterally. Truebot has been used a lot. Truebot is kind of like a Trojan, where they'll use that for, again, trying to find information about the network, pulling that stuff back, trying to find data that they're interested in.


Steven Maresca  03:20

Yeah, so ultimately, multiple facets to this. Let's look at the timeline, though. May 31 was when Progress actually let out their first public notice. It's definitely clear that some entities had some foreknowledge of that in a privileged kind of way. State municipalities patched earlier than that timeframe, but it was after attacks were observed in the wild in the last week of May.


Jason Pufahl  03:48

So, I'll pause you there for a second, so there are patches available, so that the exploit is mitigated or what's the status for that?


Steven Maresca  03:57

Yeah, that's, there's some nuance here. The announcement on May 31 was consistent, or coincident with a patch. So folks who saw it then, patched, got up to speed, and were protected. However, two weeks later, two other vulnerabilities came into play. So this is multiple phases, you know, once it had additional eyes on it, obviously, they found some other flaws, very similar to the initial issue. So it's quite possible that there are orgs that patched initially, but have not yet patched to the latest and greatest version. So the main takeaway is to take a look, you may have some additional work to do and have continued exposure.


Matt Fusaro  04:37

And again, it reminds me of Exchange with, you know, how many patches did we have to go through to get to a point where everyone was kind of, kind of feeling safe with it? And I think a lot of the same mitigations are taking place, right? If it doesn't have to be public, don't let it be public. Find out your partner's IPs and you know, allow this that stuff instead of just letting it be out on the internet for anyone to connect to, right?


Steven Maresca  05:01

Right. There are lots of organizations that were entirely unimpacted, because they had taken that step ahead of time. As with anything that's exposed to the world, you know, act according to the potential of that system being compromised and what it might impact.


Jason Pufahl  05:19

And the criticality of the data. I mean, something like a file transfer tool like this, you know, it's designed to move, I mean, it doesn't have to be sensitive data, but it's designed to move data, it's really attractive for that reason, you really need to, you need to be more careful the way you protect it.


Matt Fusaro  05:32

What you're storing it to, make sure that you're not leaving data around in there, so that you've got years and years of data that's exposed, make sure that you've, you have some type of lifecycle management over that to kind of help reduce your exposure if something like this happens, right.


Jason Pufahl  05:47

Yeah, I mean, this seems like the perfect plug, as always, for the data inventory, and your privacy impact analysis and some of the things that you normally would do when determining how long to keep your data, right?


Steven Maresca  05:58

Which honestly, is a reasonable segue into what's happening now. What are the after effects of a vulnerability that occurred of this variety? We're seeing a large burst of notifications come from service providers that happen to use the MOVEit software from Progress. They're recognizing three weeks after the fact that they were in fact compromised in some capacity, they've done the analyses or are in process, and they're starting to let their own customers know that they have had some data exfiltration occur. We know of some examples already, that are already in the news, or are going to be in the news. The National Student Clearinghouse is a really good example of that. You know, they deal with transcripts, applicants for colleges, information coming from high schools, things of that variety. The Hartford, insurance, TIAA, lots of financial data associated with some of these transfers. I fully expect to hear several healthcare systems being impacted as well. These are the sorts of tools that are used for cross organization data transfer of a sensitive nature. So, you know, if you're an attacker, this is kind of like a goldmine, therefore, expect to see some sort of notification from providers like that in the near term.


Matt Fusaro  07:24

Right. And, you know, correct me if I'm wrong, I think this particular group that's doing this, they were not doing double extortion, right, they were just doing extortion on the data itself?


Steven Maresca  07:32

At least at this point, that appears to be the case. It's still evolving. It's, it's possible that in a month, that that may change.


Jason Pufahl  07:39

But I mean, that's one of the unique things here is, is, there wasn't a ransomware event, it really was a pure data theft and associated notification.


Matt Fusaro  07:48

We're seeing both.


Jason Pufahl  07:48

You are seeing both, okay.


Steven Maresca  07:49

Less, less of an encryption event there.


Jason Pufahl  07:54

Right, okay. 


Steven Maresca  07:55

More of a theft and ransom. 


Jason Pufahl  07:57

Yeah, that's fair. I mischaracterized. I meant encryption. 


Steven Maresca  07:58

Yeah. So I mean, this group has been associated with ransomware, in some capacity in the past, it's just in this case, it wasn't necessary. They could achieve quite negative outcomes and, you know, demand a ransom merely by getting access to the data. Sort of a shortcut. 


Jason Pufahl  08:15

Right. So I mean I think one of the things, we do a lot of work, particularly in that higher education space, and I think the National Student Clearinghouse was sort of an obvious thing for us to look at and start communicating to our clients. There hasn't been a lot of detail, I don't think from them in terms of what potentially what data was impacted, or what sort of what schools might have had data for their, 


Steven Maresca  08:40

That's right. Yeah, I mean, at this point, they're still investigating, as is everyone else. And ultimately, they did commit to providing detail and impact to all of the affected institutions, and that's the case for everyone that's making a notice here. Some of them are further ahead than others. You know, some of the insurance providers already had that data. They're giving impact clarity, but others are still kind of putting their customers in a holding pattern. Here's what I would recommend in general if you get one of these notifications, number one, ask for a timeline for delivery of impact and scope of data, because frankly, if you're the recipient organization, you don't have access to clarity in that regard. You may know what data goes back and forth, but not what the provider actually had leaked. Additionally, examine who is contractually obligated to produce some sort of a notification in terms of communication efforts. Sometimes it's the service provider, sometimes it's the affected institution. So it's, it's muddied, but it's something that needs to be discussed and carefully managed. Because really, if you are the recipient of this sort of notice, you want to be in fairly close control over the language that reaches your own customers, constituents, clientele, what have you.


Jason Pufahl  10:03

So wait for more information, patch to the most current software version, and let it play out a little bit.


Matt Fusaro  10:13

Yeah. And take some of the mitigating factors as well into account of making sure you're doing the hunt on your network for the, there's a lot of indicators of compromise that have been put out there, you know, Microsoft, Mandiant, pretty much any security company at this point has a list of IOCs that you can go take a look at. So start doing your hunting, keep it off of public network if you can, VLAN your deployment, make sure that that is the only place that can get compromised if it is, right. So it's not spreading to other parts of your systems. Yeah, and then that it's a lot of the other basics that we talk about all the time.


Steven Maresca  10:54

And of course, if you have something other than MOVEit, these recommendations still apply. 


Matt Fusaro  10:59

Exactly. 


Steven Maresca  10:59

Yeah, of course, right. 


Matt Fusaro  11:00

Any web app. 


Steven Maresca  11:01

Absolutely. But especially those that transfer sensitive data. To reiterate Matt's point earlier, delete data that's stale. There's no need for information to stay resident in systems of this variety unless it's needed to go back and forth. Simply removing information that's not necessary closes a window for an attacker and keeps the scope, at least to some degree, constrained. And know that entities of this nature, threat actors, are explicitly targeting sensitive data transfer tools. So you know, analyze what you have, reduce the attack surface, and try to defend yourself.


Jason Pufahl  11:38

Well, you know, Google, Google MOVEit, there's tons of information out there. All the things we described are relevant, we're always happy to talk about any of those. But guys, thanks for, you know, spending a little bit of time on this. It's certainly emergent news here, and something that a lot of organizations have to follow. So hopefully, everybody got some, some value out of this, has a slightly better understanding. We appreciate as always, everybody listening, thank you.


12:06

We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.