The past few months have been embarrassing for financial cybersecurity. A zero-day vulnerability in the widely used MOVEit data migration software allowed the ransomware group Cl0p to perform a far-reaching SQL injection attack. The group has named 55 firms as victims so far, most notably three of the “Big Four” accounting firms who handle 80% of all financial audits in the US. These are PricewaterhouseCoopers, Ernst & Young, and, most recently, Deloitte. Add to this the 8 to 11 million Maximus identities compromised, and this is shaping up to be the largest file-transfer attack in history. Identity-based vulnerabilities lie at the heart of this issue; IAM solutions are the answer.
As the targeted companies grapple with the fallout from this incident, an uncomfortable question arises. What could have been done to prevent the attacks? What is the plan for future prevention? By examining what made this breach possible, cybersecurity experts can direct their time and budgets towards the IAM solutions which are most likely to prevent a repeat down the line.
What Made the MOVEit Attack so Successful?
The Cl0p group has a well-established MO: global targeting of international consulting firms. The gang is a RaaS (Ransomware as a Service) “provider.” As such, their MO focuses on probing enterprises for vulnerabilities and viciously attacking any holes they find. Even with the bug patched and further access cut off, they don’t just take their ball and go home. They simply get to work finding another opening. Furthermore, so long as a potential exploit exists, it’s just a matter of time before some group takes advantage. The mere fact that the backend system allowed for SQL injection was always going to be a fatal flaw. Limited internal cybersecurity teams cannot account for every possible vulnerability.
Because the backend database was open to non-authenticated users and unmoderated edits, Cl0p was able to inject SQL. The vulnerability appears whenever a database allows customer, B2B, and B2C users to input data without limitations or validation. MOVEit passed user-supplied input into database queries without the protection of input validation or parameterized queries. Therefore, the hackers could plug in arbitrary SQL to disrupt the systems and open a direct line into sensitive data.
In essence, the hackers slipped in through an unprotected part of the fence upstream. Thus, they got access to everything down the river.
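To make the mechanism concrete, here is an added example (written for this page, not code from MOVEit, Progress Software or the article) that contrasts the weak pattern the article describes, user input pasted straight into SQL text, with the hardened pattern of allow-list validation plus bound parameters. The table, the sample rows and the function names are all constructed for the illustration; it runs against an in-memory SQLite database with only the Python standard library.

```python
import re
import sqlite3

# Constructed sample data standing in for a file-transfer application's
# "files" table; none of it comes from any real product or from the article.
SAMPLE_FILES = [
    ("q2-audit.xlsx", "finance"),
    ("payroll.csv", "hr"),
    ("board-minutes.pdf", "legal"),
]

# Allow-list for what a filename lookup may contain: no quotes, spaces,
# semicolons or comment markers, so SQL metacharacters never reach the query.
FILENAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")


def build_db():
    """Create the constructed table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_FILES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The weak pattern: the caller's string becomes part of the SQL itself."""
    sql = f"SELECT name, owner FROM files WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the driver treats `name` as data, never as SQL."""
    sql = "SELECT name, owner FROM files WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def is_valid_filename(name):
    """Allow-list validation: accept only plain filenames."""
    return FILENAME_RE.fullmatch(name) is not None


def lookup_safe(conn, name):
    """Hardened pattern: validate first, then bind as a parameter."""
    if not is_valid_filename(name):
        raise ValueError("rejected filename")
    return lookup_parameterized(conn, name)


# Textbook tautology payload used only to show the difference in behaviour:
# the quote closes the intended literal and the OR makes WHERE true for all rows.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Run the same input through all three lookups and summarise the outcome."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, TAUTOLOGY)     # every row comes back
    inert = lookup_parameterized(conn, TAUTOLOGY)   # no file has that literal name
    try:
        lookup_safe(conn, TAUTOLOGY)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "rows_leaked": len(leaked),
        "rows_parameterized": len(inert),
        "payload_rejected": rejected,
        "legit_lookup": lookup_safe(conn, "payroll.csv"),
    }


if __name__ == "__main__":
    print(demo())
```

Validation and parameterization are layered deliberately: the bound parameter is what actually stops the injection, while the allow-list rejects the request early and gives the application a clean event to log and alert on.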
IAM Solutions Could have Blunted or Even Prevented the Attack
Michael Bickford, Solutions & Advisory Director at Simeio, states that “enforcing PoLP could have helped immensely. The data used to start the injection came from somewhere, most likely an identity that didn’t get locked down.” He explains that if permissions had been in place it would have been much harder to get into the backend. The lesson from this incident is clear: IAM solutions need to span the whole of an identity fabric to be effective. Additionally, you need strong authentication not just for people, but for systems and machines as well. If the affected enterprises, or MOVEit itself, had had a unified IAM solution, there would have been no avenues for attack.
A mature IAM solution also accounts for the possibility of a breach even in the face of all these safeguards. The damage done would have been significantly lessened if competent remediation methods were in place. Affected companies should have been notified the instant their backend was queried. Better yet, an automatic policy enforcement system could have instantly locked access as soon as it suspected a violation. Unfortunately, at the stage the victims reached, everything became a matter of hindsight.
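The two ideas in the paragraphs above, least privilege for system accounts and automatic enforcement the moment a violation is suspected, can be shown together in a small added example (not code from the article or from any IAM vendor named here). The example assumes a read-only service identity and uses SQLite's authorizer hook, which is called by the engine for every statement it prepares, to deny write actions at the database layer, record an alert, and lock the identity until a human reviews it. The class, principal name and sample table are constructed for the illustration.

```python
import sqlite3


class ServiceAccountPolicy:
    """Least-privilege guard for a machine identity talking to a database.

    Assumed model (constructed for this example): the identity is allowed to
    read, and nothing else. Any write or schema change is denied by the engine
    itself, logged as an alert, and locks the identity so later statements are
    refused until an operator re-enables it.
    """

    # SQLite authorizer action codes that a read-only identity must never perform.
    WRITE_ACTIONS = {
        sqlite3.SQLITE_INSERT,
        sqlite3.SQLITE_UPDATE,
        sqlite3.SQLITE_DELETE,
        sqlite3.SQLITE_DROP_TABLE,
    }

    def __init__(self, principal, conn, read_only=True):
        self.principal = principal
        self.conn = conn
        self.read_only = read_only
        self.locked = False
        self.alerts = []          # every denied action lands here immediately
        conn.set_authorizer(self._authorize)

    def _authorize(self, action, arg1, arg2, dbname, source):
        """Engine callback: deny writes for a read-only identity and lock it."""
        if self.read_only and action in self.WRITE_ACTIONS:
            self.alerts.append(
                f"DENY principal={self.principal} action={action} target={arg1}"
            )
            self.locked = True
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    def execute(self, sql, params=()):
        """Run a statement on behalf of the identity, or refuse if it is locked."""
        if self.locked:
            raise PermissionError(f"{self.principal} is locked pending review")
        try:
            return self.conn.execute(sql, params).fetchall()
        except sqlite3.DatabaseError as exc:
            # "not authorized" arrives here; the alert was recorded in _authorize
            raise PermissionError(str(exc)) from exc


def build_demo_db():
    """Constructed sample table; created before the authorizer is installed."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transfers (id INTEGER PRIMARY KEY, filename TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO transfers (filename, owner) VALUES (?, ?)",
        [("q2-audit.xlsx", "finance"), ("payroll.csv", "hr")],
    )
    conn.commit()
    return conn


def run_demo():
    """Read succeeds; a write is denied, alerted on, and locks the identity."""
    conn = build_demo_db()
    svc = ServiceAccountPolicy("svc-report-reader", conn, read_only=True)
    outcome = {}

    rows = svc.execute("SELECT filename FROM transfers WHERE owner = ?", ("finance",))
    outcome["read_ok"] = rows == [("q2-audit.xlsx",)]

    try:
        svc.execute("DELETE FROM transfers WHERE owner = 'hr'")
        outcome["write_blocked"] = False
    except PermissionError:
        outcome["write_blocked"] = True

    outcome["locked"] = svc.locked
    outcome["alert_count"] = len(svc.alerts)

    try:
        svc.execute("SELECT count(*) FROM transfers")
        outcome["locked_out"] = False
    except PermissionError:
        outcome["locked_out"] = True

    # The data itself was never touched: the engine refused the statement.
    outcome["rows_intact"] = conn.execute(
        "SELECT count(*) FROM transfers"
    ).fetchone()[0] == 2
    return outcome


if __name__ == "__main__":
    print(run_demo())
```

The point of putting the check in the engine's authorizer rather than in application code is that it also holds when the statement text is attacker-controlled: even a successful injection through the read path cannot turn into a write, and the first attempt produces an alert and a lockout rather than a silent success.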
Cybersecurity must be proactive, constantly and consistently anticipating and heading off likely attack avenues. IAM solutions focus on the core identities at the heart of digital vulnerabilities, scoping out the parameters of an enterprise and its needs. Theoretically, regular updates and audits test those parameters. Clearly the tests didn’t go far enough in the case of these victims. An ounce of prevention, in this case a federated IAM solution spearheaded by an expert IAM service, would have saved 55 pounds of pain.
Preventing Future Attacks Through IAM Solutions
Bickford has a few tips for companies that wish to avoid a similar fate. He recommends that enterprises “Keep all vendor software up to date. Put in firewalls with an Intrusion Detection System (IDS). Institute network segmentation to mitigate where penetrations can reach. Apply access controls and PoLP, even for system accounts. Use endpoint protection on devices and software through tools like BeyondTrust and CyberArk, or managed services that leverage those tools. Carry out threat intelligence training across the entire organization.”
Oftentimes, application owners don’t know their own vulnerabilities. Only your own enterprise can ensure that connected systems are up to security snuff by enforcing your policies upon your partners. Having a comprehensive security policy across third-party vendors is very important. A strong PAM solution allows your highest levels of control (exactly the sort targeted by Cl0p) to be monitored and managed from a single pane. Other solutions, such as IGA, help ensure that sensitive databases are only accessible by select identities. Additionally, such systems help curate orphaned accounts, which are vulnerabilities in themselves. IAM solutions like CIEM provide additional controls and security around your clouds. This keeps the entirety of your attack surface buttoned up.
By investing in appropriate IAM solutions including PAM, IGA, and CIEM, your enterprise stands a much better chance of avoiding a calamity similar to the MOVEit breaches. Because, as bad as the Cl0p attack is, it is only the worst file-transfer attack…so far.
Updated 08/24/23: An additional 4 million victims of the MOVEit breach have been reported by IBM.