At the end of May, data transfer company MOVEit identified a zero-day vulnerability (one previously unknown to the vendor, with no patch yet available) relating to an ‘SQL injection’: a flaw that lets a front-end user supply input which the server treats as part of a database command and executes.
While SQL injection attacks are usually not particularly sophisticated, in this case the attackers were able to use the SQL injection to gain access to files and data on MOVEit servers and take copies.
MOVEit swiftly released a patch for the vulnerability, but the patch had to be installed by the organisations running its servers, which may not have happened on a timely basis. The vulnerability had also been exploited before the patch was released.
Further investigation by cyber security firm Huntress identified additional vulnerabilities on 9 June. Another SQL Injection vulnerability was publicly identified by a third party on 15 June.
The vulnerability was used to gain access to information managed by Zellis, a provider of HR and payroll services. This in turn gave the criminals access to payroll data relating to Zellis and others using the service.
By attacking Zellis through a vulnerability in third-party software that it uses, these criminals carried out a supply chain cyber attack in its purest form. These kinds of attacks can make organisations feel powerless, as the weakness lies in a supposedly secure tool. It also highlights the risk of single points of failure when it comes to cyber security.
“The recent MOVEit cyber attack was a result of a vulnerability within software that business users had installed locally within their own environments,” says Maritz Cloete, Director of Cyber Services, Moore ClearComm. “In essence, this was not a Software as a Service (SaaS) attack. On that basis, as much as supply chain diligence is key, carrying out due diligence on the software developer in this instance would have been unlikely to catch or prevent the incident playing out.”
If there is one area of due diligence that might have mitigated the impact, Cloete explains, it may have been increased focus on the software development lifecycle and level of security testing carried out before buying the software and installing it. “However, it does firmly underline the importance of a strong and robust incident response plan, as security breaches could come from the most unexpected direction.”
Any transfers of highly sensitive data should use multiple levels of security. Applying additional encryption or password protection on the data or files – with the password or encryption key shared separately – provides an extra layer of protection when using a secure file transfer server. Once files have been transferred, removing them from external-facing servers promptly will reduce your exposure to risk.
In an ideal world, organisations would minimise or avoid transferring sensitive data outside of the organisation in the first place, but that’s not always practical. So steps need to be taken to mitigate any risks from using file transfer services.
When looking at third party software, review any certifications or audit reports that may be available that attest to the security and control environment of the software and organisation. Where appropriate, check for ISO 27001 compliance, PCI compliance or an ISAE 3402 or SOC 1 report.
Ask businesses in your supply chain what checks they have performed on their suppliers to ensure each organisation in the chain is taking responsibility for the security of information.
Make sure that your external-facing systems are not vulnerable to an SQL injection attack. While most should be secure, the MOVEit attack proves that it is dangerous to assume this.
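As an added illustration (not code from the article, from MOVEit or from Zellis), the following Python snippet puts a string-built query beside a parameterised one against a small constructed user table, so a team can see why the first is vulnerable to SQL injection and the second is not; the table, account names and the `injection_blocked` check are assumptions for the example.

```python
import sqlite3

# Constructed in-memory user table standing in for a file transfer server's account store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", 0), ("bob", "hash-b", 0), ("sysadmin", "hash-s", 1)],
    )
    return conn

def lookup_vulnerable(conn, username):
    # The user-supplied text is spliced into the SQL statement itself, so quoting
    # characters in the input change the meaning of the query.
    sql = "SELECT username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn, username):
    # The value is bound to a placeholder and sent separately from the SQL text;
    # whatever the input contains, it can only ever be compared as a literal string.
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Classic textbook probe used only to demonstrate the difference between the two lookups.
PROBE = "x' OR '1'='1"

def injection_blocked(conn):
    # Regression check a team can keep in its test suite: the hardened lookup must
    # return nothing for the probe, while the vulnerable one leaks the whole table.
    return lookup_parameterised(conn, PROBE) == [] and len(lookup_vulnerable(conn, PROBE)) == 3

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PROBE))        # every row comes back
    print("parameterised:", lookup_parameterised(db, PROBE))  # no row matches
    print("hardened lookup blocks injection:", injection_blocked(db))
```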
According to the recent cyber breaches survey from the National Cyber Security Centre (NCSC), fewer than one in five businesses have conducted a review of their supply chain cyber security in the last year. “This is a critical gap and may be leaving businesses exposed to cyber risks caused by weaknesses in their suppliers’ systems and processes. Carrying out such a review is a vital first step in supply chain cyber security,” says Ian Pay, ICAEW’s Head of Data Analytics.
The NCSC has recently updated its guidance around supply chain mapping, which can help to inform and manage cyber risks more effectively. This includes new e-learns, which can even be loaded into an organisation’s own training platform.
“The MOVEit attack – along with the attack on Capita a few short weeks ago – should be a wake-up call for organisations to take supply chain cyber security seriously,” says Pay. “After all, if your supply chain is attacked, it’s your staff or customers that will suffer. If any organisations use Zellis, they should have been in touch regarding any actions required.
“Any organisations using MOVEit should immediately ensure that MOVEit software is patched,” Pay continues. “If this is not possible, they should disable the web interface. They should perform an analysis of activity logs for anything unusual, including new accounts, new files on web servers or large volume downloads.”
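As an added example of the log review Pay describes (not code from the article or from MOVEit, and not MOVEit's own log format), this Python script runs three checks over a constructed activity log: accounts created in the review window, files written under the web-served directory, and accounts whose download volume exceeds a baseline; the log layout, the `/wwwroot/` path and the 500,000-byte threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample log, one event per line: timestamp,actor,action,target,bytes
# (for create_user the target column holds the account that was created).
SAMPLE_LOG = """\
2023-05-27T09:00:00Z,alice,download,/payroll/may.csv,120000
2023-05-27T09:05:00Z,alice,download,/payroll/april.csv,118000
2023-05-27T11:30:00Z,bob,upload,/invoices/q2.pdf,5000
2023-05-28T02:13:00Z,sysadmin,create_user,svc_backup,0
2023-05-28T02:14:00Z,svc_backup,upload,/wwwroot/upload.aspx,9000
2023-05-28T02:20:00Z,svc_backup,download,/payroll/may.csv,400000
2023-05-28T02:25:00Z,svc_backup,download,/payroll/archive.zip,350000
"""

WEB_ROOT = "/wwwroot/"          # assumed directory served by the web interface
DOWNLOAD_THRESHOLD = 500_000    # assumed per-account baseline for the review window

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, actor, action, target, nbytes = line.split(",")
        rows.append({"ts": ts, "actor": actor, "action": action,
                     "target": target, "bytes": int(nbytes)})
    return rows

def triage(rows):
    # Returns (finding_type, account, detail) tuples for an analyst to review.
    findings = []
    downloaded = defaultdict(int)
    for r in rows:
        if r["action"] == "create_user":
            findings.append(("new_account", r["target"], r["ts"]))
        elif r["action"] == "upload" and r["target"].startswith(WEB_ROOT):
            # A file landing in the web root is reachable through the web interface.
            findings.append(("file_on_web_server", r["actor"], r["target"]))
        elif r["action"] == "download":
            downloaded[r["actor"]] += r["bytes"]
    for account, total in downloaded.items():
        if total > DOWNLOAD_THRESHOLD:
            findings.append(("large_download_volume", account, total))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(*finding)
```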
“The sobering reality is that cyber attacks are the ‘cold’ we will all catch at some stage, no matter how hard we try not to – often catching it from the most unlikely or unexpected source,” adds Cloete. “Therefore, the key takeaway from the MOVEit attack is the importance of good recovery planning – reducing the impact and the time it takes to get back to normal operational performance.”