Blast Radius of MOVEit Transfer Attack Widening
Last week, Risk Ledger published a quick and dirty analysis on the blast radius of the evolving MOVEit Transfer breach and the problems that the lack of visibility into risks lurking further down organisations’ supply chains beyond their immediate third parties can cause. We also published an Emerging Threat analysis on the subject.
After heavyweights such as British Airways, Boots and the BBC were already affected by the fallout from the attack last week, it has now emerged that several US government agencies and universities, including the Department of Energy, have also been breached.
There is now also more information on the vulnerability, as well as on who first exploited it. Since the first vulnerability became known, Progress Software, the company that develops MOVEit Transfer, has confirmed that additional vulnerabilities exist in the software, has communicated to customers the steps they need to take, and has published the relevant software patches. It has also taken MOVEit Cloud offline while it works on fixing the vulnerabilities.
At the same time, according to the New York Times, an investigation by the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI found that the breach was carried out by the Russian ransomware-as-a-service group Clop, which identified and exploited a zero-day vulnerability in MOVEit Transfer. As is commonly the case once a vulnerability of this kind is public, it is highly likely that other groups have since jumped on the bandwagon and are now also actively seeking to exploit it.
Mapping your supply chain beyond third parties
The UK National Cyber Security Centre is also actively working with organisations to understand and respond to the incident. They have published information on the evolving situation and guidance for organisations on how to respond in case they are affected.
Conscious that one of the biggest problems with a supply chain attack like this one is the lack of visibility into often very complex supply chain ecosystems, NCSC also provides guidance on how to map your supply chain. Mapping is a crucial first step if organisations are to become less vulnerable to breaches that occur outside their own organisation, in one of their suppliers.
So mapping your supply chains and gaining visibility into potential vulnerabilities and risks in your suppliers is a key first step. But in most cases, organisations will only ever be able to do this for their immediate suppliers, if at all. As the MOVEit Transfer breach has demonstrated once again, even this is not enough.
As we wrote in our blog post from last week:
One of the main challenges in responding to supply chain incidents is that organisations rarely have visibility beyond their first-degree suppliers. It is one thing to be able to investigate internally to see if your own organisation uses the vulnerable software, but it takes a few days (often weeks or months) before your suppliers, or your suppliers' suppliers, have concluded their own investigations and notified downstream customers who may already have been impacted by the incident.
It often takes days, weeks, even months to figure out whether you're impacted by a supply chain incident, especially if the exposure is a few levels down in your supply chain - in your 4th, 5th or 6th party supplier.
Are we ok with this? Are we really happy to accept that this is just the way it is? Are we sure we're doing everything we can?
Suppliers on Risk Ledger share their data to speed up response times
Since we published the MOVEit Transfer vulnerability to the Risk Ledger network as an Emerging Threat last week, 1,297 suppliers have now reported on Risk Ledger whether they have been affected. The results are:
Because of Risk Ledger's social network model of supply chain risk management, Risk Ledger can map connections within supply chains beyond your first-degree suppliers, including 4th, 5th and 6th parties, and even further down organisations' supply chain ecosystems.
This puts Risk Ledger in a position to identify the potential blast radius of an emerging threat: how an incident further down the supply chain can ripple up the chain and come to affect your organisation. It significantly speeds up organisations' assessment of whether they might be exposed to a particular incident, from days or weeks to minutes or hours.
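To make the idea of nth-party mapping and blast radius concrete, here is an added example (not Risk Ledger's code or data model) that treats the supply chain as a directed graph of "organisation depends on supplier" edges. All organisation names, edges and self-reported statuses are constructed for illustration. A breadth-first walk down from an organisation gives each supplier's tier (a direct supplier is a 3rd party, its suppliers are 4th parties, and so on); the same walk over the reversed graph, starting from a supplier that reported itself affected, gives the blast radius: every organisation that transitively depends on it, and how many hops up the chain it sits.

```python
"""Transitive supplier exposure over a constructed supplier graph.

Added example, not Risk Ledger code. Graph, names and statuses are constructed.
"""
from collections import deque
from typing import Dict, List, Tuple

# Constructed edges: organisation -> its direct (third-party) suppliers.
SUPPLIERS: Dict[str, List[str]] = {
    "Acme Bank": ["PayrollCo", "CloudHost", "LawFirm LLP"],
    "PayrollCo": ["FileXfer Ltd", "HR SaaS"],
    "CloudHost": ["DataCentre Inc"],
    "LawFirm LLP": ["FileXfer Ltd"],
    "HR SaaS": ["DataCentre Inc", "FileXfer Ltd"],
    "DataCentre Inc": [],
    "FileXfer Ltd": [],
}

# Constructed self-reported statuses for one emerging threat.
# Suppliers missing from this map have not reported yet and count as "unknown".
STATUS: Dict[str, str] = {
    "FileXfer Ltd": "affected",
    "PayrollCo": "not affected",
    "CloudHost": "not affected",
    "LawFirm LLP": "investigating",
}


def ordinal(n: int) -> str:
    """3 -> '3rd', 4 -> '4th', 11 -> '11th'."""
    if 10 <= n % 100 <= 20:
        return f"{n}th"
    return f"{n}{ {1: 'st', 2: 'nd', 3: 'rd'}.get(n % 10, 'th') }"


def party_label(depth: int) -> str:
    """Depth 1 (a direct supplier) is a 3rd party, depth 2 a 4th party, ..."""
    return f"{ordinal(depth + 2)} party"


def supplier_tiers(org: str, graph: Dict[str, List[str]]) -> Dict[str, int]:
    """BFS from org: every reachable supplier -> shortest number of hops.

    The visited set makes this safe on graphs with cycles (mutual suppliers).
    """
    tiers: Dict[str, int] = {}
    seen = {org}
    queue = deque([(org, 0)])
    while queue:
        node, depth = queue.popleft()
        for sup in graph.get(node, []):
            if sup in seen:
                continue
            seen.add(sup)
            tiers[sup] = depth + 1
            queue.append((sup, depth + 1))
    return tiers


def reverse_graph(graph: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Flip edges so we can walk from a supplier up to its customers."""
    rev: Dict[str, List[str]] = {}
    for customer, sups in graph.items():
        for sup in sups:
            rev.setdefault(sup, []).append(customer)
    return rev


def blast_radius(affected: str, graph: Dict[str, List[str]]) -> Dict[str, int]:
    """Every organisation transitively depending on `affected` -> hops upward."""
    return supplier_tiers(affected, reverse_graph(graph))


def exposure_report(org: str, graph: Dict[str, List[str]],
                    status: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Suppliers of org that are affected, still investigating or unreported,
    nearest tier first. Only a confirmed 'not affected' clears a supplier."""
    rows = []
    for sup, depth in sorted(supplier_tiers(org, graph).items(),
                             key=lambda kv: (kv[1], kv[0])):
        st = status.get(sup, "unknown")
        if st != "not affected":
            rows.append((sup, party_label(depth), st))
    return rows


if __name__ == "__main__":
    for row in exposure_report("Acme Bank", SUPPLIERS, STATUS):
        print(row)
    print("blast radius of FileXfer Ltd:", blast_radius("FileXfer Ltd", SUPPLIERS))
```

Note that in the constructed data Acme Bank has no direct relationship with FileXfer Ltd, the only supplier that reported itself affected, yet it appears in FileXfer Ltd's blast radius two hops up, via PayrollCo and LawFirm LLP. That is exactly the 4th-party exposure an organisation limited to first-degree mapping would not see, and why a supplier's "not affected" answer only clears that supplier, not the tiers beneath it.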
This is the first time we've enabled an immediate response of this kind through Risk Ledger, so we're using it as an opportunity to learn more about how we can help the community to Defend-as-One during an incident of this kind.