The CL0P ransomware gang has been identified exploiting a vulnerability in the MOVEit file transfer software from Progress Software. The CISA joint advisory can be read in its entirety here; it contains thorough research, resources, and assistance information.
To address the issue at hand:
Organizations can take steps to mitigate software supply chain risks and minimize the potential for data loss and other serious consequences. The following tactical recommendations can be implemented:
The recent vulnerabilities in MOVEit highlight the importance of third-party security testing and code reviews to identify serious vulnerabilities that may go unnoticed in internal security testing.
Strive for greater software transparency. Software producers are expected to have a better understanding of how their software is developed, tested, and secured. This includes maintaining up-to-date information about the origins of software components, conducting testing and documenting its outcomes and the risks mitigated, and using automated processes to ensure a trusted software supply chain throughout the life cycle. Additionally, a Software Bill of Materials (SBOM) provides a framework for documenting and communicating the components of an application, reducing code obscurity, especially for third-party and open-source components.
Steps to follow for proactive monitoring in the aftermath of the MOVEit exploit.
The scale of the data access from the MOVEit exploit is still being assessed. We suggest the following additional steps for increased situational awareness.
In addition to increased vigilance on the software supply chain, adopt a continuous threat exposure management program. FortifyData recommends that security leaders implement tools and mechanisms that share an interoperable risk data set across attack surface management, vulnerability management, threat intelligence, third-party cyber risk management, and risk quantification, reducing the aperture for exploitation across their combined threat exposures.