MOVEit Cybersecurity Breach Signals Changing Landscape for Supply Chain Relationships & Third Party Risk Management

Hundreds of organizations across the globe are reconsidering and reevaluating their approach to third-party & supply chain related risk in the wake of a global cyber heist pulled off by an increasingly notorious ransomware gang. The data breach stems from MOVEit Transfer and MOVEit Cloud, a file transfer and cloud management software from developer Progress, who first reported the breach on May 31, though further investigation revealed that the file transfer hack began on the 27, and research suggests that the hacker group, labeled “Lace Tempest” by Microsoft Threat Intelligence, has been testing MOVEit’s systems as far back as 2021.

Zellis, a payroll and HR solutions provider in the UK, was among the very first of what has now become nearly a hundred organizations to have reported being affected by the MOVEit vulnerability. In its report, Zellis claims at least eight of their clients have had private data compromised, including two airlines, British Airways and Aer Lingus, as well as Boots Pharmacy and the BBC.

Government organizations across the globe have been breached as well, with reports coming from The Office of Communications (Ofcom) in the UK, Transport of London, the Illinois Department of Innovation & Technology, the Minnesota Department of Education, and the Provincial Government of Nova Scotia, mostly within their healthcare system. Others reporting to have been exploited by Lace Tempest include Ernst & Young, Extreme Networks, and the University of Rochester, making this not only a global cybersecurity breach, but one that spans across all industry and organizational types.

 This is far from the first attack by the Russian hacking group, who is linked to cl0p ransomware site, who publicly claimed not only this most recent exploit, but also that of PaperCut back in March, GoAnywhereMFT in January of this year, as well as Accellion FTA in December 2020 & January 2021. In fact, cl0p has been linked to vulnerabilities of about 3,000 US organizations and nearly 8,000 worldwide since their first being tracked. Due to its widespread affect, this most recent breach, which includes the initial vulnerability reported by Progress on May 31 and an additional vulnerability reported on June 9, has drawn the attention of numerous cybersecurity agencies and investigators.

While the number of organizations reporting third party security breaches remains relatively low, experts have estimated the number could end up being much higher as initial investigations seem to show that roughly 3,000 systems were exposed to the internet. One company, Censys, who tracks devices that connect to internet, reported on June 2 that as many as 3,800 MOVEit hosts were online. Their data showed that these were spread across at least a dozen countries, though primarily in the US, and also included nearly every industry, consistent with the diverse list of affected organizations.

A breach of this scale can create massive downstream third-party risk for organizations, that can also have cascading affects for individuals including employees and customers. This puts individuals at risk of data phishing, account logins being sold and identity theft; and puts corporations at risk of banking information being compromised, confidential corporate information being publicized and inevitably enormous exposure to liability. It is estimated now that millions of individuals have had their personal data & security violated in this attack alone, and as stated above, this is far from the only one, and not just by cl0p.

In the last month alone, Barracuda Networks reported a vulnerability in their systems, and though they have not disclosed the scale of the breach the Australian government has confirmed one of their departments was adversely affected; the US Department of Transportation reported a breach that compromised private information of both current and former employees; and newcomer cyber gang Rhysida has attacked US schools and the Martinique government. Cyber ratings platform Black Kite compiled their Third-Party Breach Report, which showed that in 2022, 63 third party breaches were found, which led to 298 cascading data breaches. Many experts also believe that this vulnerability could not only be more widespread, but that the nature of this breach could lead to further attacks, even by less skilled actors.

In a world where personal data security has been a hot topic with the growth of social media and third-party risk management (TPRM) being a vital part of safe and responsible business with the development of more complex third-party relationships in the increasingly global economy organizations operate within, the need for more secure cyber pathways is greater than ever. The interconnectivity that is inevitably coming to all industries brings along with its ease, speed and convenience, the increased risk of private information being put at risk. More than ever, it is time for ensuring that supply chain relationships are responsibly formed and managed, and effective and efficient TPRM solutions are chosen.

Those organizations whose data has been exploited by cl0p had been given until June 14 to begin negotiations with the hacker group, after which they would have three days to come to an agreement. If neither of these conditions are met the ransomware gang has stated they would begin making the stolen information public. Other organizations who were revealed to have received ransoms were Shell, PricewaterhouseCoopers, and the US Energy Department, despite the cybergang stating that government organizations would not be targeted. The National Cyber Security Centre (NCSC) in the UK as well as a collaboration of the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) of the US, who released a Joint Cybersecurity Advisory in response to this recent attack, have each been working with organizations in their respective countries to shore up their IT security, and have advised them to not comply with cl0p’s ransom demands or other ransomware efforts.