MOVEit Vulnerability: How to Mitigate Risk from Impacted Vendors

Use this free questionnaire to understand the impact of the MOVEit breach on your vendors, and follow our three best practices to mitigate your risk.
By: Scott Lang, VP, Product Marketing
June 19, 2023

On May 31, 2023, Progress Software disclosed a vulnerability that enables unauthenticated actors to access its MOVEit® Transfer database and execute SQL statements to alter or delete information. MOVEit Transfer is a managed file transfer software that is part of the Progress MOVEit cloud platform used to consolidate all file transfer activities into one system.

Since the disclosure, the cybercriminal gang Clop has exploited the vulnerability to target a wide range of organizations across multiple industries and geographies, including HR software provider Zellis, the BBC, the government of Nova Scotia, and many others. Although Progress Software has patched the vulnerability, Clop continues to reveal new victims.

As with the SolarWinds, Kaseya, LastPass, and similar Accellion attacks, it’s critical that third-party risk management professionals understand which of their vendors could be exposed to the MOVEit vulnerability, in order to reduce the likelihood and severity of an attack on their own IT infrastructure or exposure of their data.

In this post, we recommend eight questions to ask your third-party vendors to determine their usage of MOVEit and understand their response to any related security incidents. We also share three best practices to better automate your organization’s third-party incident response.

8 Questions to Ask Vendors and Suppliers About MOVEit

Use this brief assessment to determine your third-party vendors’ (and therefore your organization’s) exposure to the MOVEit vulnerability. You can then establish risk weighting by answer to score criticality of exposure and focus on the highest-risk vendors.

Questions and potential responses

1) Does the organization utilize the MOVEit Transfer or MOVEit Cloud managed file transfer software?

Please select one of the following:

a) Yes, the organization makes use of the MOVEit Transfer or Cloud solution.

b) No, the organization does not make use of the MOVEit Transfer or Cloud solution.

2) Has the organization been impacted by the MOVEit SQL injection vulnerability?

Help text:

Significant impact: The vulnerability has caused a loss of confidentiality or integrity of data.

High impact: System availability has been periodically lost, and there has been some loss of confidentiality or integrity of data.

Low impact: No loss of confidentiality or integrity of data; minimal or no disruption to system availability.

Please select one of the following:

a) There has been significant impact to our critical systems, applications or information.

b) There is a high level of impact to our critical systems, applications or information.

c) There has been a low level of impact to our critical systems, applications or information.

d) The cyber-attack has had no impact to our critical systems, applications or information.

3) Where MOVEit Transfer is in use, has the organization taken the recommended steps from the solution provider (Progress Software) to address the vulnerability?

Help text: Organizations should modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 prior to applying the latest patches. Here is a list of Indicators of Compromise and recommended steps.

Please select all that apply.

a) We have disabled all HTTP and HTTPS traffic to the MOVEit Transfer environment.

b) We have taken steps to review, delete and reset service account credentials.

c) We have applied the latest patches, directly from the Progress Software website, and relevant to our MOVEit Transfer version.

d) We have conducted continuous monitoring of the network, endpoints, and logs for Indicators of Compromise (IoC).

4) Where MOVEit Cloud is in use, has the organization taken the recommended steps from the solution provider (Progress Software) to address the vulnerability?

Please select all that apply.

a) We have reviewed our audit logs for signs of unexpected or unusual file downloads.

b) We have conducted reviews of IP addresses listed within the CVE file.

5) Does the compromise affect critical services delivered to our organization?

Please select one of the following:

a) Yes.

b) No.

6) Who is designated as the point of contact who can respond to additional queries?

Please state the key contact for managing information and cybersecurity incidents.

Name:

Title:

Email:

Phone:

7) Has the organization applied the remediation and patching steps referenced above and recommended by Progress Software?

Help text: A new vulnerability has been detected in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database. The solution provider (Progress Software) has recommended that all affected organizations update to the latest patches, which were released on June 9.

Please select one of the following:

a) Yes, we have applied the remediation published for the May 2023 vulnerabilities.

b) No, we have not currently applied the remediation published for the May 2023 vulnerabilities.

8) Following the guidelines from Progress Software, has the organization applied the patches?

Help text: Application of the June 9 patch can be completed in different installation paths (DLL vs. full installer). This MOVEit Transfer Knowledge Base Article sets out the steps and versions requiring updates.

Please select one of the following:

a) We have applied the latest patches, directly from the Progress Software website, and relevant to our MOVEit Transfer version.

b) We have not currently applied the patches recommended by Progress Software.

3 Best Practices for Mitigating Risks from MOVEit and Other Third-Party Breaches

Although it is not possible to eliminate all risk from every vendor relationship, your third-party risk management program can deliver the visibility and automation necessary to proactively find and mitigate the risks that can disrupt your business. Start with these three steps:

1. Identify vendors that could be using the impacted technology

Knowing which vendors use an impacted technology requires knowing who your vendors are in the first place – and that means building a centralized vendor inventory. You can’t accomplish this by using spreadsheets, or by delegating vendor management to line-of-business teams. It has to be done centrally in a system accessible by everyone involved in your vendor management initiatives. Your central system of record should allow imports of vendor profile data from any existing spreadsheets or via an API connection to your current procurement solution.

Once you have centralized all your vendors, use vendor questionnaires supported by passive scanning capabilities to help you identify fourth-party technology relationships. In this particular case, this exercise would reveal which vendors use MOVEit. Collecting information about fourth-party technologies deployed in your vendor ecosystem helps to identify organizations using the impacted technology, so you can prioritize which of your vendors require further assessments.

2. Issue event-specific risk assessments

Once you have identified vendors with the impacted technology deployed in their environments, engage them with simple, targeted assessments that align with known security standards and best practices such as NIST 800-161 and ISO 27036. Results from these assessments will help you target remediations necessary to close potential security gaps. Good assessment solutions will provide built-in recommendations to speed remediation and quickly close those gaps.

Start your event-specific assessment based on the eight questions in the section above, weighting answers according to your organization’s risk tolerance. Please note: These are basic questions meant to expose some initial information. Your organization may choose to ask different or additional questions.
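A worked scoring model for this step, as an added example that is not part of the original post or any Prevalent product: it takes one vendor's answers to the eight questions above, applies weights, and ranks vendors so the highest-exposure ones are assessed first. All weights, tier thresholds and the three sample vendors are constructed assumptions to tune to your own risk tolerance.

```python
"""Score a vendor's answers to the eight MOVEit questions above and rank
vendors by exposure. Added example, not the post's or any product's own
code: all weights, thresholds and tier names are assumptions to tune."""

# Constructed weights. Q2 impact level adds exposure; each Q3/Q4
# mitigation step taken ("select all that apply") subtracts from it.
IMPACT_POINTS = {"a": 40, "b": 25, "c": 10, "d": 0}
TRANSFER_STEPS = {"a": 5, "b": 5, "c": 10, "d": 5}
CLOUD_STEPS = {"a": 5, "b": 5}
TIERS = [(80, "critical"), (40, "high"), (20, "moderate"), (0, "low")]

def score_vendor(answers):
    """Return (score, tier). `answers` maps question number to a letter,
    or to a set of letters for the select-all questions 3 and 4.
    Missing answers are treated as worst case (unknown impact, unpatched)."""
    if answers.get(1) == "b":            # vendor does not use MOVEit
        return 0, "none"
    score = 20                           # baseline for any MOVEit user
    score += IMPACT_POINTS[answers.get(2, "a")]
    # Not having applied the Progress patches (Q7/Q8) is the largest driver.
    if answers.get(7, "b") == "b" or answers.get(8, "b") == "b":
        score += 30
    for step in answers.get(3, set()):
        score -= TRANSFER_STEPS[step]
    for step in answers.get(4, set()):
        score -= CLOUD_STEPS[step]
    score = max(score, 10)               # mitigations never erase residual use
    if answers.get(5) == "a":            # compromise hits a critical service
        score *= 2
    tier = next(name for floor, name in TIERS if score >= floor)
    return score, tier

def prioritize(vendor_answers):
    """Rank vendors highest exposure first as (vendor, score, tier) tuples."""
    ranked = [(v, *score_vendor(a)) for v, a in vendor_answers.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample responses for three fictional vendors.
SAMPLE = {
    "PayrollCo": {1: "a", 2: "a", 3: {"a", "b"}, 5: "a", 7: "b", 8: "b"},
    "PrintShop": {1: "a", 2: "d", 3: {"a", "b", "c", "d"}, 5: "b", 7: "a", 8: "a"},
    "Caterer": {1: "b"},
}

if __name__ == "__main__":
    for vendor, score, tier in prioritize(SAMPLE):
        print(f"{vendor:10} {score:4d} {tier}")
```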

3. Continuously monitor impacted vendors

It’s important to remain continuously vigilant, not only for risks stemming from the MOVEit attack but also for those coming from the next one. Start by monitoring the Internet and dark web with continuous cyber monitoring to reveal listings of stolen credentials for sale and other signals of an impending security incident.

Your monitoring efforts should cover criminal forums, onion pages, dark web special-access forums, threat feeds, paste sites for leaked credentials, security communities, code repositories, vulnerability and hack/breach databases, and negative news.

You can monitor multiple individual sources – or you can use a solution that unifies insights from multiple sources, centralizes all risk data, and makes it visible to key stakeholders. The latter approach enables you to correlate the results of continuous monitoring with risk assessment answers to validate whether vendors have controls in place or not.

Next Steps: Activate Your Third-Party Incident Response Program

If a cybersecurity incident occurred in your vendor ecosystem, would you be able to quickly understand its implications and activate an incident response plan? Time is of the essence in incident response, so being more proactive with a defined incident response plan will shorten the time to discover and mitigate potential vendor problems. A programmatic third-party incident response plan should include:

  • A centrally managed database of vendors and the technologies they rely on
  • Pre-built business resilience, continuity and security assessments to gauge the likelihood and impact of an incident
  • Scoring and weighting to help focus on the most important risks
  • Built-in recommendations to remediate potential vulnerabilities
  • Stakeholder-specific reporting to answer the inevitable board request

For more on how Prevalent can help your organization accelerate its discovery and mitigation of third-party risks, request a demo today.

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.