Cybercriminals are betting on companies to make the same cybersecurity mistakes over and over.
So far, it’s been a winning roll of the dice.
Case in point: earlier this summer, the Russian ransomware group Cl0p exploited a vulnerability in the popular MOVEit file transfer application to attack local governments, universities, and corporations.
It was another striking demonstration of a supply chain attack, also called a value-chain or third-party attack. Rather than hack a network directly, attackers can get into a network by first victimizing outside partners or suppliers that have access to an organization’s systems and infecting software they make. Cybercriminals can then surveil or exploit the data or systems of any clients deploying the compromised applications.
Data has become the lifeblood that organizations need to function. Interrupt that flow and organizations face existential risk. It’s why cybercriminals want to get their hands on data involving the organization, its intellectual property, business plans and strategies, employees, suppliers and most of all, customer data.
Cybercriminals derive the vast bulk of their profits from the exploitation, sale, and resale of data about individuals. They either commit fraud directly against targeted victims or use purloined personal information to conduct fraud against other organizations or individuals.
In addition, they make money from extortion, threatening to exploit stolen data or expose breaches publicly if victims refuse to pay a ransom.
So where was the data in this case? It was data-in-motion, moving between systems within organizations or between organizations in a supply chain providing services for one another.
More than 600 organizations and government agencies have since reported MOVEit hacks. This indirect approach victimized companies like the BBC and British Airways, which relied on a payroll provider that used MOVEit—just like thousands of other organizations around the world. Maximus, the first government contractor to report a breach in its computer systems linked to MOVEit, disclosed that between 8 million and 11 million people may have had their personal information exposed. The Cl0p cybercriminal group could make up to $100 million from victims paying sky high ransomware demands.
This also followed more well-known supply-chain incidents, such as the SolarWinds Orion and Log4Shell attacks. The discouraging news: the MOVEit compromise is not the last software supply-chain attack we’ll hear about. With enterprises ever more reliant on outside providers, software supply chain attacks have soared more than seven-fold between 2019 and 2022. By 2025, Gartner predicts that 45% of organizations will have suffered attacks on their software supply chains. So, what can security teams do to mitigate the risk? Let’s take a closer look.
The proliferation of supply-chain attacks underscores the problems defenders encounter trying to locate “blind spots'' in the systems that they and their partners use. That’s bad news because attackers are going to exploit any vulnerabilities to slip through company defenses.
Counter-defense plan
If the company has been impacted by the MOVEit attacks, CISOs can start a response by summoning a security threat assessment group (STAG) and hold regular meetings while a supply chain attack lasts. Think of this as akin to a war room to decide on next steps as the organization contends with the adversary and their impact. Successful STAG programs are built on three fundamental principles:
- STAG members must treat attendance and execution of any actions as their top priority.
- Nobody discusses incidents or decisions made outside of the STAG or its appointed sub-groups, such as a subgroup focused on the technical investigation, or a subgroup focused on data privacy and legal.
- All communications must be issued by the STAG.
The STAG must then quickly swing into action and find answers to basic questions about the nature of an attack.
- What cyberweapons are being deployed and what’s the status of exploit development?
- Is there information about indicators of compromise and tactics, techniques, and procedures that can shed light on the actors, their motives, or their objectives?
- What’s the status of patches or any other mitigations to remove exposure?
Circling the wagon
Once the team uncovers a MOVEit exploitation, the STAG should turn to the crisis plan that the organization has (hopefully) readied for this very day. The team will need to make a threat assessment and issue containment and response decisions – quickly. Here’s how to proceed:
- How long was the supply chain vulnerability open to potential exploitation? This will ensure the team gains a complete picture in case of an attack against your systems and data.
- Determine which data may have been affected and figure out the necessary response.
- Do any supply chain partners use MOVEit in the provision of services used?
- Mobilize predetermined teams in legal, communications, customer care, and, of course, security.
- Set up monitors in the environment to search for any indicators of malicious activities. Look beyond the network infrastructure to locate any parties that provide services that might be interconnected with the organization’s host.
- Ready initial communications updates to give stakeholders confidence that the team is involved and working through a plan to mitigate the impact.
- Reach out to national security authorities such as the National Counterintelligence and Security Center (NCSC) and the FBI if there’s evidence of a compromise. Report the breach and seek any relevant intelligence.
- Plan the forensic evidence gathering and patch/mitigation processes and determine the rollout timeline.
- Preserve all evidence for further review by the team and the relevant authorities.
Stay on top of the situation
Never assume that “no evidence of attack” means “evidence of no attack.” The team still needs to conduct proactive monitoring, threat hunting, and heightened awareness across all operations to check for the presence of any potential attackers. At the same time, contact supply chain partners to understand whether they have relevant information.
Hunt for attacker footprints for signs of potential trouble: bad actors often specialize in targeting certain industries or sectors or geographies. Scour the latest happenings in the to find evidence of supply chain attacks.
There’s no substitute for fresh intelligence to help eliminate blind spots in the organization’s threat environment. Deploy everything at the team’s disposal, from real-time monitoring across all security telemetry including cloud environments and the supply chain, to threat intelligence correlation, security analytics, and incident response automation. If the team doesn’t have those capabilities, it will be at the mercy of its adversaries.
Prepare for the next round
Once the dust settles, gather any lessons learned that the team can apply before the next crisis. Rest assured: the attackers will come back so the team’s real-time experience will offer invaluable insights. Also, consider the following as part of a preparation blueprint:
- Is the company’s supply chain mapping adequate? Has the team identified and assessed all relevant supply chain partners?
- Ensure that the team understands the risks from sensitive/critical data in motion and at rest.
- Conduct a cyber resilience review to identify the risks under confidentiality, integrity, availability (CIA) principles.
- Adopt segmentation of data, zero-trust principles for data in motion and at rest and re-examine monitoring of relevant logs in and around managed file transfer systems and source/destination applications.
- Develop a playbook that will allow the team to rapidly identify data exposures and deploy proportionate responses in future incidents.
Now that a comprehensive response has been developed, stay calm in the event trouble knocks on the door in the future. The team’s got this.
Steve Benton, vice president of threat research, Anomali
