What can we learn from the Moveit cyberattack?

26 Jun 2023


Experts share their takes on the Moveit hack and why both companies and governments around the world should take such data breaches seriously.

It has emerged that the latest victims of the Moveit hack are 45,000 students within the New York City Department of Education system. The agency revealed that students’ personal information, such as social security numbers and birth dates, was stolen by the Russian-speaking Clop gang.

First reported earlier this month, the global Moveit breach, in which hackers exploited a zero-day vulnerability in the file transfer software, has affected companies and government agencies on both sides of the Atlantic, including banks, universities, insurance and healthcare providers.

Microsoft attributed the hack exploiting the Moveit zero-day vulnerability to Lace Tempest, a reportedly Russian-speaking cybercrime group known for similar ransomware operations and running the Clop extortion site.

The Clop team soon took responsibility for the breach in an email to Reuters, claiming “it was our attack” and that victims who refused to pay the ransom would pay the price one way or another.

A Moveit spokesperson told SiliconRepublic.com last week that the company took swift action upon discovering the vulnerability by launching an investigation and alerting customers about the issue.

“We disabled web access to Moveit Cloud to protect our cloud customers, developed a security patch to address the vulnerability, made it available to our Moveit Transfer customers and patched and re-enabled Moveit Cloud, all within 48 hours,” the spokesperson said.

‘A year of mega events’

While the breach isn’t nearly as serious a campaign as SolarWinds, according to Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, experts believe there is much to learn from it.

Sergey Shykevich, group manager at Check Point Research, thinks that the Moveit hack is significant enough that 2023 is becoming “a year of mega events” within the ransomware ecosystem.

“Major ransomware groups like Clop and some LockBit affiliates are not trying tactically to infect victim by victim, but instead strategising to make their operations more efficient by exploiting software that is widely used in a corporate environment,” he said.

“This approach, exploiting one software, allows them to infect hundreds of victims at a time.”

Moveit isn’t the first hack performed by the Clop group this year. Shykevich said the gang was also responsible for the GoAnywhere MFT attack in March.

“After the success of these events, more ransomware groups will focus their efforts on finding vulnerabilities in widely used software, or just buying such vulnerabilities from brokers on the dark web,” he went on.

“This attack pattern emphasises the importance for companies to implement a multilayered cybersecurity strategy and to prioritise patching quickly when vulnerabilities are announced.”

Greater industry-wide action needed

For Charl van der Walt, head of security research at Orange Cyberdefense, the Moveit hack is “a stark reminder” that criminal actors are continuing to innovate and search for new ways to extort a ransom, and that more attacks are expected in the long term.

“The unfortunate truth is that before Moveit, we’ve had Accellion and SolarWinds, amongst others. Widely deployed enterprise software will always be an attractive target and we will continue to see more incidents like this happening unless greater industry-wide action is taken.”

While victims so far have largely resisted giving in to Clop’s demands, Christine Sabino, legal director at Hayes Connor, thinks it is crucial that victims exercise caution and refrain from “any form of engagement” with the hackers.

“Interacting with these individuals can potentially exacerbate the situation and expose victims to further harm. It is strongly advised to seek professional legal assistance and cooperate with the police to mitigate the impact of the breach and protect the affected parties,” she said.

“Personal information, even in small fragments like names, dates of birth or national insurance numbers, can lead to identity theft, resulting in financial losses and reputational damage. However, in this case, where there’s a combination of data shared, the risk is maximised for the employees whose data has been exposed.”

And while dealing with a crisis like this, van der Walt believes there is no space for complacency.

“There is a risk that guards will be lowered again when ransomware groups possibly retract into hiding. However, make no mistake, this is often to allow the dust to settle before they re-emerge and come back in another form.”


Vish Gain is a journalist with Silicon Republic
