Managing the aftermath of the MOVEit Vulnerability

The CL0P ransomware gang has been identified as exploiting a vulnerability in the MOVEit file transfer software from publisher Progress Software. The CISA joint advisory brief can be read in its entirety here and has great research, resources and assistance information.

To address the issue at hand:  

Organizations can take steps to mitigate software supply chain risks and minimize the potential for data loss and other serious consequences. The following Tactical Recommendations can be implemented: 

  1. During the dwell time between the identification of a vulnerability and the application of the security patch, organizations should implement the mitigations and stop-gap measures recommended by the software vendors. It is important to ensure that change control processes can support any emergency reviews and approvals of highly urgent changes. 
  2. Give priority to patching all systems and applications that are publicly accessible. 
  3. Maintain an active and thorough inventory of software used throughout the enterprise. This includes commercially developed applications running on-premises, in vendor-hosted environments, and those provided by Software-as-a-Service (SaaS) providers. Additionally, document all internally developed software and include information about the open-source and third-party components being used. 
  4. Begin a process to evaluate vendors' secure software development practices, and require a software bill of materials (SBOM) for full awareness of potential vulnerabilities in procured or open-source software.  
  5. For commercially supplied software, subscribe to security alerts from the suppliers/developers. Take immediate action when a new vulnerability is disclosed for a commercial product. 
  6. Stay informed about emerging software vulnerabilities in both commercial and open-source software by monitoring the top cyber threat intelligence (CTI) sources. 

The recent vulnerabilities in MOVEit highlight the importance of third-party security testing and code reviews to identify serious vulnerabilities that may go unnoticed in internal security testing. 

Strive for greater software transparency. Software producers are expected to have a better understanding of how their software is developed, tested, and secured. This includes maintaining up-to-date information about the origins of software components, conducting testing and documenting the outcomes and the risks mitigated during testing, and utilizing automated processes to ensure trusted software supply chains throughout the life cycle. Additionally, a Software Bill of Materials (SBOM) provides a framework for documenting and communicating the components of an application, reducing code obscurity, especially for third-party and open-source components. 
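The inventory and SBOM recommendations above only pay off when the inventory is actually checked against vendor alerts as they arrive. The following Python script is an added example (not from the original post or from FortifyData) of that check: it loads a CycloneDX-style SBOM, matches each component against a list of vendor advisories with affected and fixed versions, flags components whose version is unknown, and sorts internet-facing components first, as the patch-prioritization guidance suggests. The SBOM, the component names (`acme-file-transfer` and friends), the advisory ids (`EXAMPLE-ADV-0001`, `EXAMPLE-ADV-0002`) and all version numbers are constructed placeholders, not real products or advisories; the `internet-facing` property name is likewise an assumed local convention, carried in the standard CycloneDX `properties` list.

```python
"""Match a CycloneDX-style SBOM against vendor advisories (added example)."""
import json
import re
from dataclasses import dataclass

# Constructed sample SBOM: product names, supplier and versions are placeholders.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "acme-file-transfer", "version": "2023.0.1",
     "supplier": {"name": "Example Vendor"},
     "properties": [{"name": "internet-facing", "value": "true"}]},
    {"type": "application", "name": "acme-file-transfer-agent", "version": "2.5.0",
     "supplier": {"name": "Example Vendor"}},
    {"type": "library", "name": "log-parser", "version": "1.2"},
    {"type": "application", "name": "legacy-tool"}
  ]
}
"""
SAMPLE_SBOM = json.loads(SAMPLE_SBOM_JSON)


@dataclass
class Advisory:
    """One vendor security alert, reduced to the fields needed for matching."""
    advisory_id: str          # placeholder id, not a real CVE or vendor id
    component: str            # component name exactly as it appears in the SBOM
    fixed_in: str             # first version that is no longer affected
    affected_since: str = "0"  # first affected version ("0" = every earlier release)


# Constructed advisories for the placeholder products above.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "acme-file-transfer", fixed_in="2023.0.3",
             affected_since="2021.0.0"),
    Advisory("EXAMPLE-ADV-0002", "acme-file-transfer-agent", fixed_in="2.4.0"),
]


def parse_version(text: str) -> tuple:
    """Turn '2023.0.3' into (2023, 0, 3) so versions compare numerically.

    Trailing zeros are dropped so that '2023.0' and '2023.0.0' compare equal.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_internet_facing(component: dict) -> bool:
    """Read the assumed 'internet-facing' flag from the CycloneDX properties list."""
    for prop in component.get("properties", []):
        if prop.get("name") == "internet-facing":
            return str(prop.get("value", "")).lower() == "true"
    return False


def triage(sbom: dict, advisories: list) -> dict:
    """Return affected components (internet-facing first) and components with no version."""
    affected, unversioned = [], []
    for comp in sbom.get("components", []):
        name = comp.get("name", "")
        version = comp.get("version")
        if not version:
            # An inventory entry without a version cannot be cleared; it needs follow-up.
            unversioned.append(name)
            continue
        v = parse_version(version)
        for adv in advisories:
            if adv.component != name:
                continue
            if parse_version(adv.affected_since) <= v < parse_version(adv.fixed_in):
                affected.append({
                    "component": name,
                    "version": version,
                    "supplier": comp.get("supplier", {}).get("name", "unknown"),
                    "advisory": adv.advisory_id,
                    "fixed_in": adv.fixed_in,
                    "internet_facing": is_internet_facing(comp),
                })
    # Publicly reachable components go to the top of the patch queue.
    affected.sort(key=lambda f: not f["internet_facing"])
    return {"affected": affected, "unversioned": unversioned}


if __name__ == "__main__":
    result = triage(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in result["affected"]:
        print(f"PATCH {f['component']} {f['version']} -> {f['fixed_in']} "
              f"({f['advisory']}, internet-facing={f['internet_facing']})")
    for name in result["unversioned"]:
        print(f"REVIEW {name}: no version recorded in SBOM")
```

Feeding a real SBOM into `triage` is a matter of replacing `SAMPLE_SBOM` with the parsed file and populating `advisories` from the vendor alerts the post recommends subscribing to; the unversioned list is worth watching, since an inventory entry that cannot be matched to a version is exactly the gap a subscription-driven process misses.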

Steps to follow for proactive monitoring in the aftermath of the MOVEit exploit. 

The scale of the data access from the MOVEit exploit is still being assessed. We suggest the following additional steps for increased situational awareness.  

  • Keep an eye on the Dark Web. It’s not impossible that login credentials may be swept up in some of the data access from the MOVEit exploit. Keeping an eye on any dark web postings with your company employee credentials or credentials of your vendor will help guard against unauthorized access from this vector.  
  • Increase focus on internal risks. Because the MOVEit exploit is detected by monitoring or scanning internal assets, put extra scans in place to watch for any increasing or anomalous internal activity, especially around SQL access.  
  • Review port management policies and practices. Like the review of patches for vulnerabilities, this is just as good a time to do a deep assessment of ports and the management around them. Determine if the appropriate inbound/outbound restrictions are in place with your ports.  
  • Prioritize SQL-related risks for inspection and remediation if necessary.  
  • Third parties may be affected, which can in turn affect your organization. Quickly convene with your critical vendors and, if necessary, issue a questionnaire to all other vendors about their exposure to the MOVEit and Progress Software vulnerability. Identifying affected vendors in your immediate ecosystem will tell you which vendors need closer attention, so you can minimize the risk to you from them and their association with the MOVEit exploit.

In addition to increased vigilance on the software supply chain, adopt a continuous threat exposure management program: FortifyData recommends that security leaders implement tools and mechanisms that can share an interoperable risk data set across attack surface management, vulnerability management, threat intelligence, third-party cyber risk management and risk quantification, reducing the aperture for exploitation across their combined threat exposures.  
