MOVEit supply chain vulnerability ploughs on.

Four months ago, I (Ian Simons, Cyber & Data Protection Director and CISO) commented on Kroll's excellent and illuminating research into Cl0p ransomware and the MOVEit vulnerabilities. Kroll's investigation found evidence that the Cl0p actors had been testing ways to exploit MOVEit Transfer as far back as 2021, long before the mass exploitation of 2023.

MOVEit Transfer is a managed file transfer platform made by Progress Software Corporation. It is used by thousands of government bodies, financial institutions and other public and private sector organisations around the world to send and receive sensitive information.

Whilst there was an initial flurry of compromises and data leaks, and Progress Software released patches (the initial SQL injection flaw, CVE-2023-34362, was followed by further fixes in June 2023), some organisations are still vulnerable, and new victims keep coming to light.

Emsisoft, a New Zealand-based anti-malware company, estimates that since late May 2023 at least 2,552 organisations have been breached (the known figure; the true number is very likely higher), affecting over 65 million individuals. Emsisoft expects the count to keep rising as more victims come to light.

Poor patch management is number 5 on the Top Ten Cybersecurity Misconfigurations list published jointly by the NSA and CISA this month. However, some of the breaches resulting from the MOVEit vulnerabilities are not the victim organisation's own failing: supply chains are deep, and the exposed instance may have belonged to a vendor, or to a contractor or subcontractor of that vendor, that used MOVEit Transfer to handle the organisation's data. The organisation may never have known its data passed through the product at all.

This throws into stark relief the problem of securing your supply chain: you need assurance not only that your suppliers are doing due diligence on themselves, but that they are doing it on their own suppliers too. How can we make this work?

There are a number of key concepts when it comes to securing your supply chain:

  • Understand what needs to be protected and why
  • Know who the suppliers are and build an understanding of their security
  • Understand the risk posed by the assets and suppliers identified in the first two steps
  • Communicate your security requirements to your suppliers
  • Set minimum standards with suppliers
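The transitive exposure described above (a vendor's contractor's subcontractor running MOVEit Transfer) is, in practice, a graph query over your supplier inventory, and the first two concepts in the list are what make that query answerable. The following is an added example, not code from the original article or from any vendor: it models each supplier as a node that declares the software it runs and the suppliers it in turn depends on, walks outward from your own organisation, and reports every chain through which a named component touches your data, which first-tier supplier each chain passes through (the one you actually hold a contract with), and any supplier that is referenced but never inventoried. All supplier names and the components they run are constructed for the example; `Supplier`, `ExposureReport` and `exposure_paths` are hypothetical names.

```python
"""Transitive supplier exposure check (added example, hypothetical names).

Each supplier declares the software it runs and the suppliers it depends on.
Starting from your own organisation, walk the chain outward and report every
path that ends at a supplier running the component of concern.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Supplier:
    name: str
    components: frozenset = frozenset()   # software the supplier itself runs
    suppliers: frozenset = frozenset()    # suppliers the supplier depends on


@dataclass
class ExposureReport:
    # Each path reads root -> tier-1 supplier -> ... -> supplier running the component.
    paths: list = field(default_factory=list)
    # (referrer, name) pairs for suppliers that are referenced but not inventoried.
    gaps: list = field(default_factory=list)

    def first_tier(self):
        """The direct suppliers through which exposure reaches you: the ones you
        hold a contract with, and therefore the ones to send the questions to."""
        return sorted({path[1] for path in self.paths if len(path) > 1})


def exposure_paths(chain, root, component):
    """Depth-first walk from `root` through `chain` (name -> Supplier)."""
    report = ExposureReport()

    def walk(node, path):
        sup = chain[node]
        if node != root and component in sup.components:
            report.paths.append(list(path))
        for nxt in sorted(sup.suppliers):
            if nxt in path:              # cycle guard: mutual suppliers are common
                continue
            if nxt not in chain:         # visibility gap: cannot assess, so flag it
                report.gaps.append((node, nxt))
                continue
            walk(nxt, path + [nxt])

    walk(root, [root])
    return report


# Constructed inventory: hypothetical organisations, not real companies.
CHAIN = {
    "Us": Supplier("Us", suppliers=frozenset({"PayrollCo", "CloudHost"})),
    "PayrollCo": Supplier("PayrollCo", components=frozenset({"SAP"}),
                          suppliers=frozenset({"PrintBureau"})),
    "PrintBureau": Supplier("PrintBureau", components=frozenset({"MOVEit Transfer"}),
                            suppliers=frozenset({"PayrollCo"})),   # mutual supply
    "CloudHost": Supplier("CloudHost", components=frozenset({"nginx"}),
                          suppliers=frozenset({"DataSync"})),
    "DataSync": Supplier("DataSync", components=frozenset({"MOVEit Transfer"}),
                         suppliers=frozenset({"OffshoreDev"})),    # never inventoried
}


if __name__ == "__main__":
    report = exposure_paths(CHAIN, "Us", "MOVEit Transfer")
    for path in report.paths:
        print(f"tier {len(path) - 1}: " + " -> ".join(path))
    print("ask first:", report.first_tier())
    for referrer, unknown in report.gaps:
        print(f"gap: {referrer} relies on {unknown}, which is not in the inventory")
```

Two details matter in practice. Mutual supply relationships are common, so the walk refuses to revisit a supplier already on the current path rather than looping. And a supplier that is referenced but missing from the inventory is reported as a gap rather than silently treated as clean: the question "is our data on a MOVEit server nobody audited" cannot be answered from a partial inventory, which is exactly why knowing who the suppliers are comes before assessing their risk.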

Cyber & Data Protection offers a comprehensive Cyber Risk Assessment package: a deep dive into an organisation's processes and controls that not only strengthens supply chain security but also improves its systems and raises employees' understanding of potential threats at every level, leading to much greater confidence in the enterprise's defences.