Lessons to Learn From Clop's MOVEit Supply Chain AttacksData Minimization and Encryption Mitigate Fallout, Says FS-ISAC's Teresa Walsh
Hundreds of organizations fell victim to a supply chain attack unleashed at the end of May. That's when the Clop ransomware group used a zero-day flaw to steal data being stored on instances of MOVEit secure file transfer software, built by Progress Software and used widely across the public and private sectors.
While stopping a zero-day attack is never easy and sometimes impossible, some victims' exposure to the MOVEit attacks was minimal, thanks to not leaving data on their MOVEit instance, said Teresa Walsh, chief intelligence officer and managing director for EMEA at FS-ISAC, which is the financial services industry's information sharing and analysis center.
"Some companies might have only had one or two files exposed, and that was because - probably - they were really good about taking it off the instance as soon as they were done transferring the file," she said. As a result, unlike organizations that had dozens of files or more get exposed, organizations with better cyber hygiene - including minimizing the data they keep - may have only lost a file or two. Or users who had enabled and configured built-in encryption capabilities may have lost no files at all.
In this interview with Information Security Media Group, Walsh discussed:
- The fallout from Clop's supply chain attacks, mostly recently against MOVEit users;
- Why file transfer utilities continue to be a top target of ransomware groups;
- Essential preventive measures and assurance and detective controls that all secure file transfer tool users should employ.
Walsh leads FS-ISAC's Global Intelligence Office to protect the financial sector against cyberthreats by delivering actionable strategic, operational and tactical intelligence products. Based in the U.K., she oversees FS-ISAC's global member-sharing operations and a team of regional intelligence officers and analysts who monitor emerging threats. Previously, she served as the Europe, Middle East and Africa lead for fraud intelligence and external relationships at JPMorgan. She previously served as a cyber intelligence analyst for Citigroup in the U.S. and Europe. Walsh began her career as a civilian intelligence analyst with the U.S. Naval Criminal Investigative Service.
This transcript has been edited for clarity.
Mathew Schwartz: File transfer utilities continue to be a top target of ransomware groups. Hi, I'm Mathew Schwartz with Information Security Media Group and the Clop group in particular has been launching a number of campaigns, exploiting vulnerabilities in file, transfer software to amass numerous victims. To get some actionable intelligence about what users and organizations should be doing to protect themselves. It's my pleasure to welcome to the studio Teresa Walsh, the global head of intelligence for the Financial Services Information Sharing and Analysis Center. Teresa. Welcome.
Teresa Walsh: Thank you. Very much. Happy to be here.
Mathew Schwartz: This is a big topic of discussion in cybersecurity circles these days: Clop's MOVEit attacks. The victim count that we know of so far stands at over 1,100. We know that more than 50 million individuals have been affected. From the big picture standpoint, is this the last that we'll see of these types of attacks, do you think?
Teresa Walsh: Well, it's an excellent question. But first, I actually want to tackle the topic of the number. So we do actually have to take these things into context first. And while I know there are vendors out there that I've talked about this 1,100 or more depending on who you talk to figure. When you do look at the top data leak site where they put their victims, and they post the files that they've stolen, it is only over 200 right now. And so you're talking about direct but indirect victims as well.
This is a major point of context that you always need to take into consideration because 1,150 million individuals - it sounds really, really bad. But if you do look at the actual attack pattern, what we know, and we can definitively say, these are the companies that were directly targeted. According to their own website, it's over 220 right now.
That's not counting the indirect of obviously your fourth parties, your third parties, customers of these companies, obviously. So it can grow exponentially from there. But we always need to kind of take that context into view when we're looking at these attacks, because you know, the these big figures can get the headlines, but sometimes they're a little bit misleading as well.
But you know, in reference to your actual question, we're going to see these types of attacks. Clop themselves, as you just mentioned, have targeted these types of systems before, and they will target them again because it's successful for them. Why wouldn't they try their successful formula over and over again?
Mathew Schwartz: Feeding back also on the number of organizations that are potentially - as you say - not directly impacted. But in theory, this being a kind of supply chain attack, if I was directly impacted and Clop stole information on customers, say, of 10 organizations that have contracted with me, potentially those 10 organizations could be getting a shakedown from Clop. I mean, the impact here is, we're not exactly sure what they might be doing behind the scenes.
Teresa Walsh: That is very true, but it also we need to understand: what do they even have as leverage. What were the actual documents stolen? So if you look at the attack, everything we see so far doesn't show anything major, for instance, that they've really compromised the networks, or they've taken more than what was actually on the MOVEit server. A good way to think about this - especially if you're as old as I am - is think of a fax machine, and if you have a company fax machine, and people are putting things through it and having that go to wherever they're sending it to. But then they leave the documents on the fax machine itself, and that accumulates over a day, two days, a week, two weeks, everything that's there. Somebody can come by and just grab that off of the little shelf that's on your fax machine. That's essentially what happened here. You have documents that were left on the file transfer system instance, and those were the documents that were stolen. What were the documents?
We're not quite sure; you would actually have to go into every single one of those files to see what they were. They could be fairly benign in the sense that maybe it's a customer who signed a contract agreement for services. They could be very, very sensitive, like medical information where it shows the results of your last test from your doctor. So we were just not quite sure what we do know from a lot of the public notifications that have gone out. Was that a lot of it was with the personal, identifiable information, the PII, and that could be your phone number, your address, your name, your date of birth. You know things that maybe are already actually out there. But that level, the type of information? That we don't really know. So that the severity of impact would actually be very, very different, company to company.
Mathew Schwartz: That's a great example, fax machines for those of us in the know, so to speak, about that sort of thing. These file transfer systems do seem like they were being used in that sort of a way where you need to move data from one organization to another. This begs the question is file transfer software safe to use. I mean, do we know of any MOVEit users who were targeted and yet didn't fall victim? This seems to have been a very effective attack. It's not clear if people could have been doing anything differently. Organizations do need to use file transfer software,
is it safe to do so? I'd love to get some security advice in a second as well about how they do that. But what's been your impression of if everybody who was a MOVEit user fell victim or not.
Teresa Walsh: Yeah, it's a little bit ironic, isn't it? Because we're supposed to use these services because there's secure file transfer services. And they're more secure than email. Email still has a lot of holes in it. So you don't want your doctor to be sending you the latest results just on the plain email, because that can get compromised and that could get out into the open. So you do use these services because you want some assurance of privacy and confidentiality of the data.
The problem is that this particular vulnerability was what we call a zero-day, where there's not a lot that somebody can do when it first comes out. The company was actually very good that they did notify their customers of this vulnerability, but at the time you could either immediately patch or immediately turn off the service. In some cases, the damage was done - the attack had already happened, and they had taken the information.
Now, in in some cases you could talk about patch cycles, you could talk about speed of recovery. You could talk about all these different aspects, but what we have heard from some users of MOVEit instances is that one of the best things that they were able to do is make sure that they followed good cyber hygiene practices, and that was simply not to leave documents on the instance. Once you send the documents, take it off, and that's it. So that's why, sometimes, if you actually look at the Clop data leak site, you'll see a huge difference in the amount of files between one company and the next.
Some companies might have only had one or two files exposed, and that was because - probably - they were really good about taking it off the instance as soon as they were done transferring the file. If you're maybe not as great, and you haven't cleaned house and there's a little bit of dust behind the couches and all that, you might actually have it left onto the server. And so that's why we do see some of the victims actually had maybe 60 or more files stolen.
Mathew Schwartz: Fascinating. This sounds a little bit like the data minimization that GDPR calls for. You are going to need to work with sensitive data, at least in some cases, and you're allowed to do that and can do that, but the regulation says in the way that poses the least amount of harm by leaving it, as you say, laying around for as little time as possible. So data minimization, a great recommendation. I think best practice if you're using this sort of file transfer software. Just stepping back for a second, this is, I think, the fourth time we've seen Clop targeting file transfer software. So there should be an impetus here to learn from some of these attacks.
Teresa Walsh: Correct.
Mathew Schwartz: Maybe you can't stop a 0 day. But like you say, you can leave things laying around less long.
Teresa Walsh: Absolutely. I mean, there's the old adage in cybersecurity that it's not if but when you're going to get attacked. Everybody knows that, you know you, and you can do the best that you can to secure your house, but eventually something might happen, or something might happen to one of your third party suppliers and this is a perfect example of it. That why FS-ISAC did put out some hardening advice, as we call it. To make yourself more resilient to these types of attacks. We cannot predict what is going to be the next zero-day vulnerability that comes out, but you can do certain things to kind of make yourself a bit more resilient that if it does happen, and unfortunately these things do, hopefully you're in a better place than others to really defend yourself and protect your customer data from it.
Some of the tried and true methods are prevention detection - those types of controls that people can put into place like firewalls and fiddle firewalls. But then others are the practices: the governance over your systems like, is there a policy about taking those files off the system within 24 hours, or something like that? You know, those types of practices that your staff make sure that they know about and follow as well, and then if something does go wrong, having those detection controls in place where you can actually pick them up.
Of course, FS-ISAC is a community, and so one thing we like to say, too, is use that community. Because if somebody is using this product, you know that at least hundreds of other people are using the same product as you. In financial services we have seen quite a few financial services on the Clop data leak site, unfortunately. So you know that if you are seeing this vulnerability, and you know that it's being exploited, chances are some of your peers in the industry are seeing the exact same thing.
So communicate. Talk to each other, you know. Sometimes the early warning is actually from your neighbor, and they're the ones who actually can tell you this is happening. Protect yourself now, and then. You can react to it accordingly, and help each other out as well with best practices.
Mathew Schwartz: That's a great point. Early warning would have been maybe the only thing that helped here in the early days, because Progress Software did issue an alert and a patch pretty quickly, but based on what I've been able to see from the data breach reports, all of them are reporting that the attack happened before the patch was released. We're talking 48 to 72 hours, maybe - so very compressed, an unusually compressed timeline. Great point about policies, practices, procedures, automating what you can do. Certainly, if you use consumer-grade file transfer and you don't pay for it, you get a note saying "this is going to be deleted after 5 days," or whatever. I'm sure you could put those sorts of things into practice at a corporate level. Are there any specific examples you might offer when it comes to the hardening advice that you shared in terms of preventive measures or detective controls that you see organizations using.
Teresa Walsh: Some things are maybe more generic things that you can do internally. But one of the best things you could also do is know your product. You're buying this product. You're subscribing to this product. Read the manual and make sure you understand what's going on. MOVEit actually had an encryption option, so make sure that you're using the encryption options. Make sure you understand how long things stay around on the server - can an ordinary user even delete that off the server? Or do you need somebody else to do it for you? So, just to get to know that product, so you're able to use it in the best way possible.
But yes, absolutely, there are lots of things we can do. We actually released a guide to our members. We always say we're member-led, member-driven, so it's actually members providing these best practices and lessons learned for other members, and some things they can do is - like I mentioned - a firewall. A lot of companies have firewalls these days, and it is something very simple. If you are a larger company, you have teams that are monitoring. If you are aware of IOCs, do you have a SIM that actually can search against these IOCs? Or if you have a managed security service provider, are you talking to them about these types of things and making sure that they're aware? It's very hard with zero days, because obviously - like you just said - it's a very tight, compressed window. You have very limited time to act and unfortunately might have missed the window if the threat actors have already exploited on it.
But you could do things like, you hear a lot about secure by design architecture. You're really looking at all different aspects of your infrastructure, and how you can best protect it. Also zero trust was a nice buzzword not too long ago, and everybody was using it as well, and it's about understanding these types of third parties that are connected to your system and making sure you just don't always assume that every update that's coming from them is going to be clean and that they're going to be protecting their own infrastructure. Obviously, there's a lot of you can do with third party risk management. But have a sense of the types of hardware and software that you're using. There are lots of different things in the toolbox that people can use to get a better understanding of what's connected to their systems, but also how to secure it better.
Mathew Schwartz: It seems, and I don't want to be the back-seat driver here, that there could have been more two-factor authentication used with authorized users and so on. But all of that takes time energy. If you're trying to scale this between different organizations. That can be an impediment. But maybe we'll see organizations, like you say, reading the manual, looking at ways they can approach this. Now, assuming that the likes of Clop will be wielding some kind of a zero day, unless they've prepared to a certain level, it will unfortunately work again.
Teresa Walsh: That's exactly right. I mean, you pointed it out yourself. This is this is not the first time that they've tried this trick and so this won't be the last time, either, especially now that it's so successful. I mean, we're still talking about this month later, because it's still having an impact and theoretically it's probably still making them money as well. So this is something that they can milk and do more in the future. You have a budget for file integrity monitoring systems, or different types of assurance controls, like secure by design.
No matter what your budget is try to do what you can do. Try to educate your user base, your employees. Use each other; like I said, we're a community. Make sure you're talking to people. Make sure you're talking to authorities that can help you out as well. CISA in the United States and NCSC in the U.K., they put a lot of great information, especially for small businesses, on how to protect themselves and those things. There's always the classic balance between frictionless use of your systems and security, and that balance is never going to be an easy one, because at the end of the day you are a business, and you have to kind of keep going and still doing your business without having to have the hassle that sometimes security can be seen as being. There's a lot of guidance out there. But I always just tell people, especially small companies: If you don't know, ask. There's an expert out there; somebody who can help you out.
Mathew Schwartz: Well, Teresa, thank you so much for your guidance and giving us some feedback and best practices to apply, not least for file transfer, secure file transfer software usage in the future.
Teresa Walsh: Thank you so much, Mathew, and thank you for having me on today.
Mathew Schwartz: It's my pleasure, thanks. I've been speaking with Teresa Walsh, global head of intelligence at FS-ISAC. I'm Mathew Schwartz with ISMG thank you for joining us.