The Lesson From the MOVEit Hack

For those who have not heard about the problem that MOVEit is having, here is the elevator pitch version.

Progress Software makes MOVEit, which is a high volume file transfer application that big companies, governments and other companies use to transfer files both inside their organization and with partner companies. First one bug was found, which hackers exploited very effectively, then two and then three. Possibly more to come. Russia is the likely hacking culprit.

So who was hacked as a result? Thousands of companies, but here are some that have been publicly admitting it:

The Department of Energy’s Oak Ridge National Labs Associated Universities (Oak Ridge was part of the Manhattan Project in World War II – the home of the atomic bomb). Today they do all sorts of classified and unclassified energy research.
DoE’s Waste Isolation Pilot Plant near Carlsbad, NM
Gen (owner of Norton, Lifelock, Avast, Avira, AVG, Reputation Defender and CCleaner)
Vancouver Metro Transit Police
University of Missouri
Shell
British Airways
Health First Colorado and the Child Health Plan Plus (CHP+)
US Department of Agriculture
BBC
State agencies in Illinois, Missouri, Minnesota, Oregon and Louisiana
Ernst & Young and Price, Waterhouse, Coopers accounting firms
And many, many more.

You get the idea.

The hacks started a while back, so what did everyone do wrong?

Here are just a few things:

Did all of these organizations know or were immediately able to find out IF they were using MOVEit, WHERE they were using MOVEit and What DATA was stored in it. This is a combination of having an effective software inventory process, Software Bill of Materials process and data inventory process. My suspicion is most of the victims failed here.
Were these companies alerted to the vulnerability and the exploit quickly enough? Huntress, the security firm, released detection rules in the YARA language on June 1st. For free. How many organizations (a) knew that on June 1 and (b) integrated the YARA rules into their Security Information and Event Management (SIEM) solution that day? How many organizations have a SIEM. While the list above is made up of 800 pound gorillas, there are likely a bunch of much smaller organizations that use the software, were infected and maybe don’t even know it yet.
How many organizations took the affected systems offline once the vulnerability was announced. It can take as little as 3-6 hours to weaponize an exploit for high value targets. Almost everyone above would be considered a high value target.
how many organizations invoked their incident response plan when Huntress and others announced this vulnerability? The challenge is that vulnerabilities are discovered every day. How do you effectively triage them to understand the risk to the organization?
How many organizations were able to detect the theft (in the industry called exfiltration) of large amounts of data to unusual places (like Russia or Russia controlled proxies?
How many organizations quickly deployed the first MOVEit patch. Patch time should be correlated to (a) the sensitivity of the data stored on the system and (b) the risk to the organization of that data being stolen?
How many organizations continued to watch the mess unfold?
How many organizations took their systems offline when the second bug was announced? Or the third?

The best way to avoid being the next victim is by learning from other people’s mistakes.

If this raises concerns, please contact us.

Credit: Metacurity, The Record, Huntress,