Massive MOVEit Campaign Already Impacted at least 1,000 Organizations and 60 Million Individuals

Cyber Security Threat Summary:
Emsisoft released a report this week detailing the massive ransomware campaign carried out by the Cl0p ransomware group, which targeted the MOVEit Transfer file transfer platform. According to Emsisoft, “the attacks impacted approximately 1,000 Organizations and 60,144,069 individuals. The Cl0p ransomware gang exploited the zero-day vulnerability CVE-2023-34362 to hack the platforms used by organizations worldwide and steal their data.” The data for their findings were sourced from state breach notifications, SEC filings, and other public disclosures, and the leak site maintained by the Cl0p group.

The researchers reported that the attacks impacted tens of millions of individuals.

Security Officer Comments:
“U.S.-based organizations account for 83.9 percent of known victims, Germany-based 3.6 percent, Canada-based 2.6 percent, and U.K.-based 2.1 percent.” reads the report published by Emsisoft. “The most heavily impacted sectors are finance and professional services and education, which account for 24.3 percent and 26.0 percent of incidents respectively.”

While the true cost of the MOVEit security breaches are impossible to accurately calculate, using data from IBM’s “Cost of Data Breach Report 2023,” Emsisoft found that the total cost would be around $10 billion dollars. The report shows that data breaches cost an average of $165 USD per record, while the number of individuals impacted by the MOVEit campaign is 60,144,069 Emsisoft does note that only a minority of victims have so far reported the number of individuals impacted. If the same average number of individuals is confirmed to have been impacted for each of the remaining known incidents, the total cost of this campaign will reach $63,896,282,853.

“The MOVEit incident highlights the challenges organizations face in securing their data. It’s not only their own security they need to be concerned about, it’s their supply chains too. Complicating matters further is the fact that attacks which leverage zero-day vulnerabilities, as this one did, are extremely hard to defend against.” concludes the report. “The incident will undoubtedly be extremely costly. Beyond remediation, organizations and their insurers will need to provide credit monitoring to individuals and will undoubtedly face multiple lawsuits” (Emsisoft, 2023). Cl0p is believed to have generated between $75 and $100 million dollars from ransomware payouts making it the most significant cyberattack of all time.

Suggested Correction(s):
Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk- based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check Your Security Team's Work: Use a 3rd party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety critical functions can be maintained during a cyber incident.

Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi Factor authentication can help prevent malicious access to sensitive services.