Multiple intrusions have been carried out by exploiting SQL injection vulnerabilities in Progress Software's MOVEit Transfer application, giving attackers access to the application's database. MOVEit Transfer is managed file transfer software designed to move sensitive files securely, and it is widely used around the world.
Hundreds of organizations worldwide are likely to have been affected, with about 50 confirming the hack either directly or indirectly. Organizations affected include the BBC, British Airways, U.S.-based financial services firms, networking vendor Extreme Networks, and others. Many more MOVEit breach victims are expected to be identified in the coming days.
According to warnings issued last week by the FBI and CISA (Cybersecurity and Infrastructure Security Agency), the CL0P ransomware gang, also known as Clop, exploited previously unknown (zero-day) MOVEit vulnerabilities. A Reuters journalist and a Bleeping Computer reporter were reportedly contacted Monday by representatives of CL0P taking credit for the attacks. On Tuesday, CL0P announced that it had exploited the MOVEit flaw to steal information from at least 47 organizations in a rapid hacking spree, and that it would publish the stolen data online unless it was paid.
In the past, CL0P has demanded ransoms of up to millions of dollars. However, law enforcement agencies worldwide strongly advise organizations against paying, because payment only further encourages criminals. It was reported on Wednesday that CL0P had begun posting the names of victim organizations on its darknet leak site. As of Thursday, the incident was still unfolding: it was revealed that several U.S. government agencies, including the Department of Energy, had been affected, although CISA has not provided specific information regarding which agencies were compromised.
How to Respond to the MOVEit Breach From a Third-Party Risk Management Perspective
The situation is still unfolding, and there's much we don't know. This includes which organizations have been affected and whether sensitive data will actually be leaked by the attackers. It's likely that your organization doesn't yet fully understand whether it has been affected directly, or indirectly through its vendors. What we do know, however, is that a passive "wait and see" approach is not wise.
Instead, you should take the following six steps in your third-party risk management program:
- Collaborate with your organization's cybersecurity team. Ask for their guidance and teamwork as the situation progresses. For example, if new technical information regarding patching or other remediation methods is released, your cybersecurity team should help you craft communication or instructions for your vendors.
- Determine which of your vendors use MOVEit. This can be accomplished by issuing a short questionnaire asking:
  - Does your organization use an affected version of MOVEit Transfer in your environment? If yes:
    - Has your organization disabled HTTP and HTTPS traffic to your MOVEit Transfer environment, as Progress Software recommended?
    - Was your organization's instance of MOVEit Transfer improperly accessed through these vulnerabilities?
    - Have you applied the most up-to-date patches provided by Progress Software?
    - Have you reviewed your audit logs for signs of compromise, such as unexpected or unusually large file downloads, logins from unfamiliar IP addresses, newly created user accounts, or unexpected files in the web root?
    - What data is processed and stored in MOVEit Transfer in relation to our organization and our customers?
    - Please include any official response or bulletin your company has released.
- Check the vendor contract. Make sure to review your vendor’s contract for data breach notification requirements to ensure that your vendor is meeting their obligations.
- Notify any impacted customers. If you find that your customers' information was affected by the data breach, you'll want to limit the impact and protect your reputation. Follow your organization's breach notification protocols and notify your customers promptly if their data was compromised. Where personal data was exposed, it's considered a best practice to offer them at least a year of free credit monitoring services.
- Perform cybersecurity due diligence for similar vendors. If you have technology vendors that are similar to MOVEit and provide data storage/transfer services, remember to take a closer look at the following due diligence items:
- Application penetration testing
- Static and dynamic code analysis
- Change management program
- File integrity monitoring
- Encryption at rest and in transit
- Stay updated with the official information. Progress Software's own security advisories are the authoritative source of technical details, patch releases, and updates on the MOVEit vulnerabilities; check them regularly rather than relying on second-hand summaries.
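The audit-log question in step two asks vendors to look for unusual downloads, and it is worth being concrete about what "unusual" means. The following Python script is an added example, not code from this article or from Progress Software: it reads a simplified, assumed CSV export of a file transfer audit log (the real MOVEit Transfer audit schema is not reproduced here), and flags two patterns associated with data theft: a burst of downloads by one account inside a short window, and downloads from source addresses outside the organization's own ranges. The log lines, the trusted network range, and the thresholds are all constructed for illustration.

```python
"""
Flag suspicious download activity in a file-transfer audit log.

Added example; not the article's or Progress Software's code. The CSV
layout (timestamp,user,source_ip,action,file,bytes) is an ASSUMED,
simplified export, not MOVEit Transfer's real audit schema.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log: an ordinary working day, then one account pulling
# many files in seconds from an address outside the organization's ranges.
SAMPLE_LOG = """timestamp,user,source_ip,action,file,bytes
2023-05-31T08:02:11Z,alice,10.20.0.15,upload,q2_payroll.csv,48211
2023-05-31T08:40:03Z,bob,10.20.0.22,download,q2_payroll.csv,48211
2023-05-31T09:15:47Z,alice,10.20.0.15,download,vendor_contracts.zip,904233
2023-05-31T11:03:09Z,svc_backup,10.20.1.5,download,nightly.tar,80331201
2023-05-31T23:41:02Z,bob,198.51.100.77,login,,0
2023-05-31T23:41:20Z,bob,198.51.100.77,download,q2_payroll.csv,48211
2023-05-31T23:41:25Z,bob,198.51.100.77,download,vendor_contracts.zip,904233
2023-05-31T23:41:31Z,bob,198.51.100.77,download,customer_export.csv,3120448
2023-05-31T23:41:36Z,bob,198.51.100.77,download,hr_records.xlsx,220019
2023-05-31T23:41:40Z,bob,198.51.100.77,download,board_minutes.pdf,77120
2023-05-31T23:41:44Z,bob,198.51.100.77,download,ssn_list.csv,12001
"""

# Assumed: the organization's own address space; anything else is "unfamiliar".
TRUSTED_NETWORKS = [ip_network("10.20.0.0/16")]

WINDOW = timedelta(minutes=5)   # sliding window for burst detection
BURST_THRESHOLD = 5             # downloads per user inside WINDOW to flag


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime and int byte count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        r["bytes"] = int(r["bytes"])
        rows.append(r)
    return rows


def is_trusted(ip):
    """True if the source address falls inside one of TRUSTED_NETWORKS."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_download_bursts(rows):
    """Return {user: max_downloads_in_window} for users at or above BURST_THRESHOLD."""
    by_user = defaultdict(list)
    for r in rows:
        if r["action"] == "download":
            by_user[r["user"]].append(r["ts"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most WINDOW
            while times[end] - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= BURST_THRESHOLD:
            bursts[user] = best
    return bursts


def find_untrusted_downloads(rows):
    """Downloads whose source address is outside TRUSTED_NETWORKS."""
    return [(r["user"], r["source_ip"], r["file"])
            for r in rows
            if r["action"] == "download" and not is_trusted(r["source_ip"])]


def triage(text):
    """Run both checks over a log export and return the findings."""
    rows = parse_log(text)
    return {"bursts": find_download_bursts(rows),
            "untrusted": find_untrusted_downloads(rows)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for user, n in result["bursts"].items():
        print(f"BURST: {user} downloaded {n} files within {WINDOW}")
    for user, ip, name in result["untrusted"]:
        print(f"UNTRUSTED SOURCE: {user} from {ip} downloaded {name}")
```

On the constructed log, the script flags the account `bob` for six downloads inside a few seconds, all from an address outside the trusted range, while the routine daytime transfers and the backup service account pass quietly. The thresholds are deliberately simple; in practice they should be tuned against a baseline of the vendor's normal transfer volume, and the same two questions (who downloaded a lot, and from where) are what a vendor's security team should be able to answer when you send the questionnaire.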
These days, cyber and ransomware attacks are more common than ever. It's always a matter of when, not if your organization will be affected by a cyberattack. In these situations, effective third-party risk management systems and routines can help you minimize fire drills.
For example, comprehensive and up-to-date vendor inventories should include current contact data, as well as product or service information. Having that information at your fingertips will make it much easier to issue urgent communications or requests to your vendors in situations such as the MOVEit breach.
If your vendor due diligence documentation is current and well organized, you can quickly narrow your requests for any additional vendor information that might be needed. This will be incredibly beneficial when you discover a need for off-cycle due diligence due to a cyberattack or another serious issue.
While the MOVEit breach reminds us that there is never any shortage of urgent issues to address, having the right third-party risk management practices in place can help your organization respond to them in an effective and timely way.