Decoding the MOVEit Transfer Breach: Insights and Lessons for Enhanced Cybersecurity
August 2, 2023
What is MOVEit transfer?
MOVEit Transfer is a managed file transfer (MFT) software application used to transfer files securely between organizations, systems, and users. It encrypts data at rest and in motion and provides information technology (IT) security controls for sensitive business data.
The significance of the MOVEit transfer breach
3.5 million developers use MOVEit along with thousands of enterprises, including high-profile government agencies, big banks, and around 1,700 software companies. It is used by a variety of organizations, including government agencies, financial institutions, and health care organizations.
The rude awakening is that a secure software provider whose purpose is to ensure organizations’ data is protected and secure was the victim of this monumental breach.
The glaring takeaways:
- Even the most trusted organizations can be breached.
- Mitigating risk is essential in today’s rapidly innovating threat landscape.
Unveiling the cause of MOVEit breach
The MOVEIt Transfer breach, aka the “Accellion FTA breach” was caused by a zero-day vulnerability in the Accellion File Transfer Appliance (FTA) software. This vulnerability allowed attackers to gain unauthorized access to MOVEit servers, decrypt and exfiltrate stored files, and implant malicious code that is now being used to blackmail ransoms from its victims.
Decoding Zero-Day vulnerability
If you aren’t familiar, a zero-day vulnerability is a software vulnerability that is unknown to the software vendor or the vendor’s security team creating an opening for attackers to gain unauthorized access to a system or network. As long as it goes unknown, this entryway is open until a patch (or update) is available.
Specific vulnerabilities and their consequences
Specific vulnerabilities that were exploited included structured query language (SQL) injection, operating system (OS) command execution, and server-side request forgery.
The attackers were able to steal a variety of data from the MOVEit servers, for example:
- Personal information: Names, addresses, and Social Security numbers
- Financial information: Credit card numbers and bank account numbers
- Sensitive business information: Trade secrets and customer lists
The response to vulnerability
The vulnerability was first reported on June 1, 2023, by security researchers at Trustwave. Progress Software, the company that owns MOVEit, released a patch for the vulnerability on June 5, 2023. However, by that time, the attackers had already exploited the vulnerability to gain access to the MOVEit servers of several organizations.
Post-Breach actions and learnings
To their credit, MOVEit has taken steps to address the vulnerability that was exploited in the breach and they continue to improve the security of their software. But it may be too little, too late.
Organizations of any size and maturity can fall victim to a cyberattack. Here are some of the most important things you can do to avoid a similar type of breach or mitigate risk in case one occurs.
The importance of a secure SDLC
Your software development lifecycle (SDLC) should include lots of checks and balances to ensure that the code being pushed is as secure as possible. These checks should include code reviews, which can be both manual and automated and should never be completed by the person who wrote the code. Code scanning, both static and dynamic, should be completed for all production level code where possible.
Regular access audits are essential
Most organizations know that they should implement the principle of least privilege when creating user roles and responsibilities. This, however, can be hard to maintain where there are employees requesting access changes due to internal restructurings, new employees, and ad-hoc access needs. The fluid nature of privileges requires a strategic review of those privileges. Access audits of each application should be completed quarterly.
Being prepared: Incident response plan
In the event of an incident, it is incredibly important to not panic and know exactly what to do. Incident response plans should include a comprehensive list of roles and responsibilities including who should be leading the discussions, who should be taking notes, and who should be communicating internally and externally. Incident response runbooks are also incredibly helpful to prepare for specific incidents, such as ransomware, distributed denial-of-service (DDoS) attacks, or improper access. While plans are broad, the runbooks should list the specific systems and software affected by the incident and what tools should be used to investigate and communicate.
The role of cyber insurance
Cybersecurity insurance is integral to any organization. When an incident occurs, cybersecurity insurance can help cover any financial costs including remediation, legal assistance, investigators, and customer refunds or credits.
Improving employee education for better security and DevOps
An integral part of all organizations is employee security awareness. You’re only as strong as your weakest link. Short informational resources, along with quizzes and phishing simulations monthly, will ensure that employees will stay on top of different security threats and know when and how to report suspicious activity to your security team.
Many developers have never been trained in security practices, which results in security being an afterthought of the application rather than being baked in. Secure coding training is a helpful and interactive way to ensure that the developers are learning general best practices and can have security on their minds throughout the entire software development lifecycle.
Large scale breaches like MOVEit should remind every organization that full-scope security incorporates preventative and response-based measures, not one or the other.
Any organization can become the victim of a breach. Ensuring you can respond quickly and effectively by having agile security policies and procedures baked into your organizational workflows is of the utmost importance.
