MOVEit Transfer saga shows danger of the 'Dark Middle'


When attackers find vulnerabilities in software used by service providers with dozens or hundreds of clients, the impact of a breach can quickly spiral out of control.

In July, the University of Colorado notified its 66,000 students—as well as tens of thousands of its staffers, prospective students and former employees—of not one but three data breaches. A student information service, employment benefit firm and health insurance company had all been compromised via vulnerabilities in the MOVEit Transfer program from Progress Software.

The culprit? A ransomware group, dubbed Cl0p, which used the vulnerability to steal data from organizations and threatened to release the pilfered information on its data leak site. Since companies discovered the initial signs of attacks in late May, notifications have slowly trickled out to the public. The impact has spiderwebbed throughout healthcare, government and education. As a result, the compromise of MOVEit systems—generally managed by third-party providers of other services—is on track to be the largest breach in 2023 with more than 2,100 organizations impacted to date.

The UC breach notification perfectly encapsulates the nature of the supply-chain risk when business software or services are compromised, and the likely long tail of impact from any breach.

"Due to the nature of the software and how it was used by our vendors, individuals are unlikely at this time to know whether their personal data were impacted," UC stated in its notification. "If your personal data is included in the exposure, you will be notified in the near future."

The way companies use MOVEit Transfer has led to the widespread impact of the vulnerability: More than 80% of organizations were compromised through a third-party service, according to data collected by security software firm Emsisoft.

In late July, for example, Maximus Federal Services notified its government customers that information on as many as 11 million citizens may have been exposed in the breach of its MOVEit Transfer platform. Its clients include the Department of Health and Human Services (HHS) and the Centers for Medicare & Medicaid Services (CMS), which notified 612,000 Medicare beneficiaries that their information may have been compromised.

In September, the National Student Clearinghouse notified its 889 educational customers—including the University of Colorado and other higher-education institutions—that "an unauthorized party obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that we maintain."

The same month, Financial Institution Service Corp. (FISC), which provides information services to nearly 60 banks, notified attorneys general for many U.S. states that an unknown group had compromised data on more than 750,000 people using the MOVEit vulnerability as well.

Risks of the "Dark Middle"

The exploitation of the MOVEit Transfer vulnerability—and the long tail of its impact—underscores that the risks of not only the software supply chain, but also the third-party vendor chain, can have unexpected and far-reaching consequences. A single vulnerability in software used by popular business services can impact hundreds of companies who otherwise did not know they were exposed to such risk, said Brett Callow, a threat analyst at Emsisoft.

"What puts this in a different type of category, in terms of seriousness, is simply the number of organizations that were affected and the amount of data that was obtained from those organizations," he said. "We are looking at information stolen from government agencies, from banks, from universities, from private sector companies … and some of that data is likely extremely sensitive."

The incident reinforces the lessons of the compromises of network monitoring firm SolarWinds and IT management firm Kaseya, breaches that rippled out to many of the firms' business customers.

The incidents show that threat groups are looking for the right mix of ubiquitous software components that are not widely known, where they have a good chance of finding a vulnerability that will impact a significant number of firms, Chris Hendricks, head of incident response for cyber insurance firm Coalition, told README.

"Threat groups want to find tooling that is popular enough—especially in B2B, where it's not a consumer brand—it doesn't have a high level of visibility, but it’s got a lot of penetration," he said. "Finding your way into a supply chain, where it's not sexy or public, but instead ... you're sort of in that 'dark middle' of all these tools that are in wide use."

The surprising impact of the vulnerability can be seen in the relatively slow march of disclosures. Of the 53 claims Coalition received due to the MOVEit Transfer vulnerability, only 9% arrived in May, 51% in June and 38% in August. Policyholder claims were still being submitted in August and September, the firm said, meaning organizations are still discovering they were compromised via the vulnerability.

"Because the initial vulnerability was zero-day, many organizations were impacted despite patching their technology," the insurer said in its 2023 Cyber Claims: Mid-Year Update report. "While the influx of incidents has slowed among Coalition policyholders, many organizations will likely find themselves indirectly impacted, given the breadth of the ... victim list."

When "secure" software is compromised...

Companies don’t just turn to firewalls, secure email gateways and other security-specific software when they have something they want to protect. They also rely on secure versions of messaging applications or, in the case of MOVEit Transfer, dedicated file transfer utilities.

When that software is compromised, the consequences can be more dire, because the data being protected is more sensitive, Coalition's Hendricks told README.

"When people use a tool like this, it is because of their thinking—their spider senses going off saying, 'Don't send this [data] via email,' and so let's use this platform," he said. "So, I would expect in aggregate [that the data is] more sensitive, or at least, thought to be that way by the users."

Worse, the MOVEit Transfer vulnerability was not found by researchers, but by the Cl0p ransomware group, which made the initial attack a surprise and delayed companies' response to the campaign. Progress Software has pointed out both that the vulnerability is difficult to exploit and that the company's cloud implementation was quickly patched, though that's likely of little comfort to the thousands of organizations whose data was compromised via the flaw.

"Progress has continued to work closely with our customers," the company said in a statement sent to README. "This was a coordinated attack on our customers’ environments by a sophisticated criminal organization, and we are committed to playing a collaborative role in the industry-wide effort to combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products."

A long tail of misuse

With such sensitive data, however, the ultimate victims—the consumers whose data is stored in and passes through MOVEit Transfer—will likely feel the impact for a long time. The list of data potentially stolen by attackers in the breach of the Centers for Medicare & Medicaid Services (CMS) included victims' names, Social Security numbers, dates of birth, addresses, contact information, driver's license numbers, medical history, prescription and treatment information, and health-insurance claims information. The compromise of FISC included the same sensitive information, sans health-related data, but including credit- and debit-card and financial account information. Other organizations held similar data.

Unfortunately, when the victim organization does not pay the ransom, the information is often released publicly, which means that individuals may see more sophisticated identity attacks over time, said Emsisoft’s Callow.

"The long tail of this may well be that the information will be used, not only in identity-related fraud, but in spearphishing attacks against organizations, business email compromise," he said. "And it's not only Cl0p who may misuse this information. It's on the Dark Web. It's available via torrents. Any would-be criminal anywhere on the planet can easily access that information."

Historically, threat actors have had significant success when targeting supply chains, and the attacks have had outsized impacts. Whether an attack focuses directly on the software supply chain, such as the attacks involving Log4J, or on the third-party ecosystem, such as Progress's MOVEit Transfer or the SolarWinds Orion performance-monitoring platform, this campaign shows that the impacts are devastating.