Skip to navigation Skip to main content Skip to footer

Reflections on the MOVEit Data Breach a Year on

03 June 2024

This time last year, threat actors around the globe sought to take advantage of a vulnerability in the popular managed file transfer platform, MOVEit.

Despite the tool being patched by its developers in May, one particular criminal group capitalised on any delay by organisations and businesses to patch the software throughout June and July. The Cl0P ransomware group took the opportunity to attack end-user organisations at a massive scale, foregoing their usual tactic of encrypting data to simply steal it and hold it to ransom.

The attack’s scale and impact earned it the title of the largest attack in recent history. The full extent of the damage is still unfolding, but it’s clear that the MOVEit breach left a lasting mark on the cyber security landscape.

Here, Global Head of Threat Intelligence, Matt Hull, shares his thoughts on the impact of the attacks, including the effects on the victims and how organisations have worked to resolve any issues caused by the attack over the last year and build stronger defences.

Who was affected?

This was not the first time that Cl0P took advantage of a vulnerability like this. Earlier in 2023, they exploited a vulnerability in another managed file transfer software, GoAnywhere.

According to research, over 2,500 organisations have been affected to date, with new victims being reported as recently as this month. Additionally, the personal information of nearly 90 million people may have been compromised. 

One thing that came from the incidents over the summer of 2023 is that ransomware once again became front and centre of people's minds as a true cyber threat. It also proved to many organisations that even though they might not be directly targeted by cyber criminals, their supply chain and other third parties could be – with the potential for significant collateral impact.

Increased need for cyber resilience

Some research suggests that following the exploit of MOVEit, that organisations started to take a firmer approach to tackling ransomware, investing more time and money at controls to mitigate the threat. However, the threat from ransomware remains as relevant as ever, with still record numbers of victims each month – it is clear there is still work to do.

Long term costs

One impact of incidents such as these is the cost. Not just the cost of potentially paying a ransom (or considering whether you should), but the cost of rebuilding the organisation itself. There will be the costs of the initial response, potential regulatory fines, overtime for staff, all while trying to keep the organisation operating. 

Some organisations are able to do things quicker than others, but some will be balancing budgets, stakeholders and other priorities. This time-to-recovery will also impact the company reputation for months, potentially years down the line.

We have not seen any specific examples of where data exfiltrated as a result of Cl0P's actions has been used, but generally speaking this stolen data will mostly be used by criminals to conduct fraud. Possessing personally identifiable information such as names, contact information, addresses and passwords enables criminals to impersonate us, steal our identities, access our online accounts, and use this access to steal money, move money, and purchase things.

What can we learn?

The scale of the MOVEit breach, and the speed at which criminal actors, including Cl0P, took advantage of it, made it one of the most (if not the most) significant of 2023. The fact that MOVEit was so widely deployed across the globe, by tens of thousands of organisations, made it a prime target. It had a global impact, and clearly highlighted how a company's supply chain is as much of an attack vector as the company itself. The approach of exploiting one application allows threat actors to infect thousands of victims at a time.

While the attack was not quite as damaging as Solarwinds, there are lessons to be learned about supply chain risk, patch management, and overall cyber resilience.

Will we see an incident similar to this? Almost certainly. The bad guys only need to be successful once, as defenders we need to be successful every time. 

What we are seeing, partly as a result of Cl0P's successes, is a gradual shift away from the encrypting of data to purely data exfiltration. Data is the most valuable commodity for cyber criminals - it can be leveraged in multiple ways when extorting the victim organisation. Protecting this data is vital.

Contact

NCC Group Press Office

All media enquires relating to NCC Group plc.

press@nccgroup.com

+44 7721577574