MOVEit Transfer Vulnerability & the Lack of Supply Chain Visibility

Once a critical vulnerability has been identified, how long does it take for all affected organisations to realise they might be affected as well and to then investigate, identify if and how they have been impacted, and respond accordingly to mitigate the risk?

During that time, how much data has already been exposed to malicious attackers?

We, at Risk Ledger, have been looking at emerging cyber threats for some time, but the recent MOVEit Transfer vulnerability and subsequent data breaches have brought it into focus.

What’s happened so far?

On 31st May 2023, Progress Software Corporation posted a notice about a vulnerability within their MOVEit Transfer application that opened it up to a potential SQL injection attack. This vulnerability could allow an attacker to gain unauthorised access to the database behind MOVEit Transfer, extracting, amending or deleting the confidential information held within it.

On the same day, Progress Software posted updates which could be applied to the affected applications to fix the vulnerability. However, in some cases, the damage was already done.

It is understood that thousands of organisations may be (directly or indirectly) users of MOVEit Transfer and therefore affected by the vulnerability, which is actively being exploited in the wild.

On 5th June 2023, it began to emerge that UK payroll provider Zellis had confirmed a data breach through their use of Progress Software’s application MOVEit Transfer, affecting eight of their clients. Zellis did not name these clients, but some of them have since spoken to the media to confirm the breach. Those that have publicly spoken about the breach include BBC, British Airways, Aer Lingus and Boots.

It is important to note that MOVEit Transfer is used by many more organisations, and we are only just seeing the tip of the iceberg in terms of who else has been affected.

Supply chain visibility - the unrealised impact

The MOVEit Transfer vulnerability is a classic example of a supply chain security incident. One of the main challenges in responding to supply chain incidents is that organisations rarely have visibility beyond their first degree suppliers. It is one thing to be able to investigate internally to see if your own organisation uses the vulnerable software, but it takes a few days (often weeks or months) before their suppliers, or their suppliers’ suppliers have concluded their own investigations and notified downstream customers who may have already been impacted by the incident.

This is exactly what has happened in this instance. Whilst Zellis moved quickly to inform affected customers and should be commended for their timely communication, there was inevitably some delay between the vulnerability being exploited and the customers finding out. During that time, it is highly likely that Boots, BBC, British Airways, Aer Lingus and the other four affected Zellis customers, were as of yet unaware that MOVEit software was used within the software provided by Zellis, and thus that their data was at risk. There are likely hundreds more, possibly thousands, of organisations who are even now not yet aware that their data is at risk from the vulnerability identified within MOVEit Transfer.

It is one thing to have visibility over the security of your third-parties. But do you also have visibility over* their *third-parties? This is what’s required to fully understand the impact of a supply chain incident.

With the current publicly available information about this breach (as of 6th June 2023), we can put together this picture to visualise the blast radius of this incident. This picture will evolve over time. The question marks will turn into names of more and more affected organisations that will be identified.

Risk Ledger is a supply chain security platform which uses a social network model to enable organisations to run security assurance against their supply chains. Because of this unique model, Risk Ledger can map connections within supply chains, beyond your first degree suppliers.

💡 Today, on Risk Ledger, we’ve been able to identify five further organisations that may be impacted by the vulnerable MOVEit Transfer application.

These five organisations have been notified by Risk Ledger, so they can conduct their own investigations.

As the Risk Ledger network grows, there will be more and more opportunity to proactively identify and mitigate against cyber incidents, regardless of how far down in your supply chain they may lie.

Worried you may be impacted by the MOVEit Transfer Vulnerability? What should you do?

• Find out if your organisation uses MOVEit Transfer. If so, apply the patches provided by Progress Software as soon as possible.
• If you can’t patch right now, turn off the web-based (HTTP and HTTPS) interfaces to your MOVEit servers until you can. Current information suggests this vulnerability is exposed only via MOVEit’s web interface, not via other access paths such as SFTP.
• Find out if any of your suppliers use MOVEit Transfer.
• Start with the suppliers who have access to your data. If you do not have a tool in place to help you find this out, you will need to ask your suppliers directly.
• If your suppliers are using MOVEit Transfer, support them to apply the relevant patches or take mitigating actions.
• Investigate to what extent your data may have been exposed by this breach and take mitigating action accordingly (dependent on what data was exposed).