The mass exploit of a zero-day vulnerability in MOVEit has compromised more than 600 organizations and 40 million individuals to date, but the numbers mask a more disastrous outcome that’s still unfolding.
The victim pool represents some of the most entrenched institutions in highly sensitive — and regulated — sectors, including healthcare, education, finance, insurance, government, pension funds and manufacturing.
The subsequent reach and potential exposure caused by the Clop ransomware group’s spree of attacks against these organizations is vast, and the number of downstream victims is not yet fully realized.
Colorado State University was hit six times, six different ways. The school’s third-party vendors — TIAA, National Student Clearinghouse, Corebridge Financial, Genworth Financial, Sunlife and The Hartford — all informed the school of data breaches linked to the MOVEit attacks.
Three of the big four accounting firms — Deloitte, Ernst & Young and PwC — have been hit too, putting the sensitive customer data they maintain at risk.
Government contractor Maximus reported one of the worst breaches tied to the MOVEit compromise, after the personally identifiable information of up to 11 million individuals was potentially exposed. The data of more than 600,000 Medicare beneficiaries was exposed as part of the Maximus breach.
The widespread attack against MOVEit and its customers was “highly creative, well-planned, organized by multiple groups and executed well since they were able to poach records at scale,” independent analyst Michael Diamond said via email.
“Without a doubt, they hit one of the juicy parts of the orchard from an information perspective that they’ll continue to monetize and use for attacks in the future,” Diamond said. “My impression is that this is only going to get worse over time.”
Diamond isn’t alone in forecasting the worst is yet to come.
“The scale of the attack and the high-profile victims make the MOVEit campaign arguably the most successful public extortion campaign we have seen to date,” Rick Holland, VP and CISO at Reliaquest, said via email.
The ultimate breadth of damage done may remain unknown but the sweeping impact of the attacks will eventually be measured in years, not months, Holland said.
Breaches beget breaches
The pool of victims continues to grow as the financially motivated Clop lists more organizations on its leak site and enterprises trickle out attack disclosures.
“The number of breaches and magnitude of records exposed from this exploited vulnerability is massive and ongoing, which means many more breach notifications are forthcoming,” said Jess Burn, senior analyst at Forrester.
While global enterprises were hit at the outset, smaller organizations that lack the skills and resources to remediate the issue or meet Clop’s demands are now more likely to be impacted, according to Burn.
Things are bad now, even if the daily reports of damage caused by Clop wane.
“From what we’ve already seen, this is about as bad as you can get,” Zane Bond, head of product at Keeper Security, said via email. “These attacks are targeting the systems organizations use to securely transport their most sensitive data including customer information, health information, PII and more.”
Zero days in the supply chain
The first sign of trouble surfaced more than two months ago. Clop’s mass exploitation of the zero-day vulnerability in MOVEit, and the spree of attacks that followed, was swift.
“Clop isn't your run-of-the-mill opportunistic extortion group. The group is a sophisticated threat actor who leverages zero days with advanced capabilities,” Holland said.
The threat actor is responsible for two high-profile supply-chain attacks this year, including the exploitation of a zero-day vulnerability in Fortra’s GoAnywhere file-transfer service in March. Clop was also responsible for the campaign against Accellion file-transfer devices in 2020 and 2021, which was likewise driven by a zero-day exploit.
Clop is running a playbook that works. Prior to this spree of attacks, the Cybersecurity and Infrastructure Security Agency and FBI estimated Clop had compromised more than 11,000 organizations since it first appeared in February 2019.
Other threat actors have initiated larger attacks that caused more damage, “but few succeed in attaining the crown jewels that adversaries are after so easily,” Bond said.
The financial impact of Clop’s campaign is already measured in the billions. Based on disclosures filed with state attorneys general and the Securities and Exchange Commission to date, and IBM’s estimated $165 per-record cost of a data breach, the cost of the MOVEit attacks has surpassed $6.5 billion, according to Emsisoft.
“These one-to-many attacks via widely used software like MOVEit are why government agencies like CISA are putting more pressure on tech companies to secure what they sell,” Burn said.
Secure-by-design and secure-by-default principles are a core tenet of the Biden administration’s national cybersecurity strategy unveiled in March. Efforts to shift greater responsibility onto the technology sector are largely welcomed, but cybersecurity experts said the plan lacks teeth and isn’t likely to take effect quickly or easily.
Cyber insurance carriers are also taking a closer look at clients’ technology stacks to assess coverage risks and potential claims liabilities.
Customers are a “critical third constituency” that needs to put pressure on tech companies, Burn said. They can achieve this by digging into the security practices of their supply-chain partners and key technology vendors, and by demanding more transparency via a software bill of materials.
Risks and responsibilities
Risk lurks around every corner in the supply chain, but organizations can limit exposure by getting a handle on their technology stacks and expeditiously responding to compromises, cybersecurity experts said.
“At the end of the day, trusting a third party with your data will always introduce risks,” Adrian Korn, senior manager of threat intelligence at Arctic Wolf Labs, said via email.
The vendors organizations partner with and their respective third-party suppliers, outsourced or otherwise, make defense all the more complex. But that doesn’t negate the varying levels of responsibility vendors have to provide secure software and services.
“Companies that are the custodians of critical information require a much higher bar for security and monitoring than other types of organizations,” Bond said.
Resilience against supply-chain attacks will become more challenging as organizations adopt more cloud-based services, Holland said.
“Clop's campaign illustrates the absolute fragility of the supply chain,” Holland said. “Organizations have a hard enough time securing their infrastructure.”