The MOVEit incident highlights the current critical threat level faced by IT supply chain organisations and users of popular software packages. MOVEit is the latest in a rapidly growing series of cybercriminal vulnerability exploits impacting widely used software packages and highlights the cascading effect of sensitive data loss during these incidents. The growing number of threat actors increases the importance of prioritising proactive and reactive measures to manage IT supply chain risks.
The MOVEit breach
US software provider Progress Software on 31 May warned of a critical vulnerability (CVE-2023-34362) in its managed file transfer (MFT) software MOVEit, which is used by high-profile public and private sector organisations globally. All versions of the software are affected; however, the company has since released patches. The US Cybersecurity and Infrastructure Security Agency (CISA) on 2 June urged federal agencies to patch their systems, and the UK National Cyber Security Centre (NCSC) on 5 June also released an advisory regarding the vulnerability. Several hundred companies have likely since been breached through the MOVEit vulnerability, potentially affecting the data of up to 16m individuals worldwide.
How isolated is the MOVEit incident?
MOVEit is just one of many incidents leveraging vulnerabilities in IT supply chain companies, particularly software-as-a-service (SaaS) providers, to reach and impact clients of those companies. Clop, the group responsible for the MOVEit breach, has previously targeted several IT supply chain companies, including by leveraging vulnerabilities in other secure file transfer solutions. Other watershed incidents leveraging IT supply chain vulnerabilities to target software users en masse include the highly impactful 2022 Kaseya ransomware attack, as well as the 2020 SolarWinds breach that affected several sensitive US government agencies.
The barriers to entry for threat actors wanting to target IT supply chain companies are rapidly lowering, with increasingly accessible threat tools, developing threat actor capabilities and growing links between high- and low-capability actors. Threat actors’ intent to target IT supply chains has been on the rise for several years, alongside the growing number of IT supply chain companies and solutions on the market. Simply put, the threat is growing and will continue to grow in the long term.
The fastest growing of these threats emanate from the cybercriminal underworld, with groups like Clop and Nokoyawa leveraging zero-day vulnerabilities against IT supply chain companies to compromise and extort large numbers of user networks. The rapidly growing SaaS marketplace, expected to grow from approximately USD 237bn in 2022 to USD 908bn by 2030, is one of the key drivers behind such targeting, particularly as SaaS companies expand their client bases and offer an increasing number of critical and non-critical services.
Figure 1: Global SaaS market size, 2022-30 (USD bn)
Additionally, immense growth in the artificial intelligence (AI) marketplace is expected by 2030, when the market value of AI products and companies is expected to reach almost USD 2tn. Growth in the AI marketplace will only exacerbate existing threats and risks emanating from the supply chain, especially as AI products and tools will largely be provided to users via SaaS or AI-as-a-service (AIaaS) models.
Beyond exacerbating risks in the SaaS landscape, AI products will also come with greater integrity risks, whereby future significant IT supply chain vulnerabilities may render generative AI and machine learning outputs unusable. This will result from concerns over the security and integrity of large language models, large datasets and the software generating the outputs.
Figure 2: Global AI market size, 2022-30 (USD bn)
How should companies and security professionals respond to the threat?
Getting ahead of a threat that is most likely to affect you without ever touching your own enterprise is not a simple objective, but it can be broken down into key activities for security teams and the wider business to focus on.
- Plan for an attack: design, build and exercise an incident management plan, incorporating both executive and technical teams.
- Identify critical assets: once these are identified, determine what the business impact would be if they are affected. Business continuity plans can then be updated and extra mitigations can be implemented.
- Map supply chains: building an understanding of suppliers' security and security management provides confidence by allowing their exposure to a given threat to be identified rapidly.
It is also vital to be ready for the next IT supply chain incident, given the prevalence of the threat. The steps below were taken by several companies to mitigate the MOVEit threat:
- Determine whether your company is affected, and prepare incident and crisis management teams to respond to any direct or indirect impact.
- Patch to the latest version of the impacted software as soon as realistically possible if you are a user.
- Monitor closely for incident-specific indicators of compromise (IoCs) to identify activity by threat actors known to be exploiting the vulnerability.
- Seek to identify whether your third-party providers use the software and ensure these companies have mitigated risks by patching the software.
- Monitor open-source, social media, and deep and dark websites to identify the following:
  - additional intelligence relating to the breach
  - the types of companies impacted and whether this changes your risk assessment
  - who the threat actor is, their motives and how they are leveraging impacted data in additional attacks
  - whether other threat groups are using the relevant vulnerability to target organisations
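Two of the activities above, mapping the supply chain for exposure to an affected product and monitoring logs for incident-specific IoCs, lend themselves to a small triage script. The following is an added example, not code from the article or from any of the vendors or agencies it mentions. The inventory rows, the fixed-version threshold, the IoC values (drawn from RFC 5737 documentation address space and an obviously named placeholder path) and the log lines are all constructed placeholders; real values must come from the vendor, CISA and NCSC advisories.

```python
"""Supply-chain exposure triage for a vendor advisory (added example, constructed data)."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Asset:
    owner: str        # "internal" or the name of a third-party provider
    product: str
    version: str
    criticality: str  # "high" / "medium" / "low" from the critical-asset review


# Constructed inventory: the kind of record a supply-chain map should hold.
INVENTORY = [
    Asset("internal", "MOVEit", "1.2.0", "high"),
    Asset("internal", "MOVEit", "2.0.0", "high"),   # already on the fixed version
    Asset("payroll-provider (placeholder)", "MOVEit", "1.9.5", "high"),
    Asset("marketing-agency (placeholder)", "MOVEit", "1.0.0", "low"),
    Asset("internal", "other-product", "3.1.0", "medium"),
]

# Placeholder: the real fixed version must be taken from the vendor advisory.
FIXED_VERSION = "2.0.0"

# Placeholder IoCs; real ones come from the incident advisories.
IOCS = {
    "ip": ["203.0.113.10"],                        # RFC 5737 documentation address
    "path": ["/example-webshell-placeholder.aspx"],
}

# Constructed access-log lines in a common web-server format.
LOG_LINES = [
    '198.51.100.7 - - [01/Jun/2023:10:01:02 +0000] "GET /login.aspx HTTP/1.1" 200 512',
    '203.0.113.10 - - [01/Jun/2023:10:03:44 +0000] "POST /example-webshell-placeholder.aspx HTTP/1.1" 200 89',
    '203.0.113.100 - - [01/Jun/2023:10:04:10 +0000] "GET /status HTTP/1.1" 200 17',
    '192.0.2.44 - - [01/Jun/2023:10:05:51 +0000] "GET /example-webshell-placeholder.aspx HTTP/1.1" 404 0',
]


def parse_version(v):
    """'1.10.2' -> (1, 10, 2); numeric comparison avoids the '1.9' > '1.10' string-ordering bug."""
    return tuple(int(p) for p in v.split("."))


def affected_assets(inventory, product, fixed_version):
    """Assets running `product` below `fixed_version`, highest business impact first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [a for a in inventory
            if a.product == product and parse_version(a.version) < parse_version(fixed_version)]
    return sorted(hits, key=lambda a: (order.get(a.criticality, 3), a.owner))


def match_iocs(log_lines, iocs):
    """(line_no, kind, value) for every IoC found in the log lines.

    Values are regex-escaped so '.' in IPs and paths is literal, and bounded so
    that 203.0.113.10 does not also match 203.0.113.100.
    """
    patterns = {}
    for kind, values in iocs.items():
        if values:
            alternation = "|".join(re.escape(v) for v in values)
            patterns[kind] = re.compile(r"(?<![\w.])(?:" + alternation + r")(?![\w.])")
    hits = []
    for no, line in enumerate(log_lines, start=1):
        for kind, pat in patterns.items():
            for m in pat.finditer(line):
                hits.append((no, kind, m.group(0)))
    return hits


def triage(inventory, product, fixed_version, log_lines, iocs):
    """Combine both checks into one summary for the incident management team."""
    exposed = affected_assets(inventory, product, fixed_version)
    return {
        "unpatched_internal": [a for a in exposed if a.owner == "internal"],
        "unpatched_third_party": [a for a in exposed if a.owner != "internal"],
        "ioc_hits": match_iocs(log_lines, iocs),
    }


if __name__ == "__main__":
    summary = triage(INVENTORY, "MOVEit", FIXED_VERSION, LOG_LINES, IOCS)
    for key, items in summary.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

The third-party rows are the output of the supply-chain mapping step: a provider still on a version below the fixed one is an indirect exposure to chase with that provider, while IoC hits against your own logs indicate the direct case where the incident response plan should be invoked.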