While most of its students enjoyed summer break, Colorado State University revealed vast and duplicative exposure to a data breach.
CSU was one of thousands of organizations caught in the flurry of zero-day attacks targeting Progress Software’s MOVEit file-transfer service customers. It wasn’t the first victim to come forward, nor would it be the last.
Yet, what makes CSU unique is, though it didn’t directly use the tool, its data was exposed six times by six different vendors.
CSU is emblematic of just how far-reaching supply chain cyberattacks can be. A spree of attacks in late May against a zero-day vulnerability in MOVEit ballooned into the largest, most significant cyberattack of 2023.
The school wasn’t directly at fault. Rather, it was a bystander in an ecosystem full of security holes that, when exploited, can result in maximum damage.
“There is no indication that the CSU system had more vendors than other companies or universities that were impacted by the data breach on third-party vendors,” Megan Folmar, director of campus communications and engagement, said via email.
Millions of individuals and thousands of organizations impacted by the MOVEit attacks would have had no way of knowing their information was traversing the file-transfer service’s environments.
There’s little victims of these attacks can do, short of keeping paper records, to prevent such colossal exposure. Poorly coded software exists everywhere, and technology vendors are ultimately responsible for the security of the systems they develop and sell.
Progress Software sells dozens of business applications and services that are used by more than 100,000 enterprises globally, yielding a market cap of almost $2.4 billion. MOVEit, one of two file-transfer service brands it sells, allows organizations to send large and oftentimes sensitive files to designated parties.
This wasn’t Progress Software’s only application with multiple vulnerabilities last year. The widely exploited zero-day was one of eight CVEs disclosed in MOVEit since June. Another Progress Software file-transfer service, WS_FTP Server, reported eight CVEs in September as well.
In a sea of business software riddled with security vulnerabilities, Progress Software became a showpiece for the widespread consequences that can accompany code built on an unstable foundation.
The MOVEit attacks are a “perfect example” of where, why and how the cybersecurity industry needs to shift its focus, Jack Cable, senior technical advisor at the Cybersecurity and Infrastructure Security Agency, told Cybersecurity Dive.
“Rarely do we bring into focus what the vendors themselves could have done to eliminate these classes of vulnerabilities being exploited at scale,” Cable said.
What went wrong
MOVEit zero-day exploits directly compromised at least 100 customers, but the actual number of victims swells when the downstream repercussions are considered.
Researchers have pinned all of the exploits against MOVEit to attacks that occurred in late May. All the incidents were linked to exploits of the zero-day vulnerability, CVE-2023-34362, which has a severity rating of 9.8 out of 10, according to researchers. The vulnerability affected all on-premises and cloud-based versions of MOVEit.
“When we discovered the vulnerability in MOVEit Transfer and MOVEit Cloud, we worked quickly to provide initial mitigation strategies, deployed a patch on May 31 that fixed the vulnerability and communicated directly with our customers so they could take action to harden their environments,” a Progress spokesperson said in a statement.
“An advanced and persistent threat actor used a sophisticated, multistage attack to exploit this zero-day vulnerability,” the spokesperson said. Though Progress provided written statements, it declined multiple requests for interviews with Cybersecurity Dive.
Clop, a highly prolific, financially-motivated ransomware group, infiltrated MOVEit environments containing highly sensitive data, and stole it. Those 100 initial compromises led to data breaches at nearly 2,300 organizations, with some victims three- or four-times removed from the file-transfer service.
By the numbers
84%
Percentage of known victim organizations impacted via third-party vendors.
93.3 million
Amount of individual records exposed by MOVEit attacks as of Jan. 1, according to public disclosures.
2,700+
Number of victim organizations impacted by Clop’s exploits of MOVEit as of Jan. 1.
Now, more than six months after Clop’s Memorial Day weekend spree began, breaches or subsequent exposures at more than 2,700 organizations have compromised the personal data of more than 93 million people, according to Cybersecurity Dive’s analysis of data published by Emsisoft and KonBriefing Research, which is built around public disclosures and posts from Clop’s data leak site.
“In terms of the impacted number of organizations and individuals, it’s something that we haven’t seen in a long time,” said Emily Austin, senior researcher and security research manager at Censys. “I can’t think, off the top of my head, of something quite so impactful.”
Clop’s attack spree cascaded downstream
Clop’s attacks were swift and far-reaching. More than 3,000 MOVEit environments were exposed to the internet before the vulnerability was disclosed or patched, according to Censys.
Several hundred MOVEit instances went offline between late May and July, but just under 2,200 environments have remained consistently online since then, Austin said. “Hopefully they’re patched.”
Some of the largest and most damaging compromises linked to MOVEit were disclosed early.
Third-party vendors exposed many colleges to multiple breaches
Each column represents a college that was breached more than once. The third-party organizations responsible are indicated on the far left. Hover to read college names.
An attack against the MOVEit environment operated by the National Student Clearinghouse, which provides educational reporting and verification services, exposed data of 1,009 downstream U.S. universities and colleges, including those with multiple campuses impacted.
NSC exposed the largest number of downstream victims, accounting for more than 1 in 3 of all known impacted organizations. The organization’s use of MOVEit exposed sensitive data held by hundreds of the largest universities in the U.S., including the University of Phoenix and Texas A&M University.
It also caught some of the most prestigious academic institutions in the U.S., including 5 of 8 Ivy League schools. The National Student Clearinghouse did not respond to requests for comment.
CSU was one of those victims impacted by the attack against the National Student Clearinghouse’s MOVEit environment, but it was also compromised through additional, sometimes overlapping third-party compromises elsewhere.
TIAA, National Student Clearinghouse, Corebridge Financial, Genworth Financial, Sun Life and The Hartford all informed CSU of data breaches linked to the MOVEit attacks.
Organizations in the education sector were the most heavily impacted, accounting for 2 in 5 victims. Healthcare organizations comprise 1 in 5 victims, and firms in finance and professional services represent 14% of all victims, according to Emsisoft.
Education organizations were heavily impacted by MOVEit attacks
Breakdown of sectors most affected
A MOVEit breach at government contractor Maximus impacted the most people to date. The personally identifiable information of up to 11.3 million individuals was exposed, including more than 600,000 Medicare beneficiaries, Maximus reported in late July.
Many downstream victims were exposed by accounting firms, consultancies and benefits and pension actuaries.
The personal data of about 769,000 members of the California Public Employees’ Retirement System, the largest pension system in the U.S, was stolen in connection to a MOVEit breach at PBI Research Services.
Three of the big four accounting firms — Deloitte, EY and PwC — were hit too, putting the sensitive customer data they maintain at risk.
“The scale of the attack and the high-profile victims make the MOVEit campaign arguably the most successful public extortion campaign we have seen to date,” said Rick Holland, VP and CISO at Reliaquest.
Nothing compares to scope, sensitivity of exposed data
The size of the attack against MOVEit environments is rivaled by previous data breaches, but it stands out for the breadth and the type of data compromised, according to cybersecurity experts.
“MOVEit may not be the biggest breach, but when you factor in the nature and scope of the data impacted, it is certainly one of, if not the most, significant,” said Brett Callow, threat analyst at Emsisoft.
A cyberattack against Yahoo in 2013 exposed 3 billion user account details and Marriott International in 2018 disclosed a four-year-long data breach of the Starwood reservation platform impacting 500 million customers.
Mass exploits of critical vulnerabilities in 2023, specifically the large-scale compromises of Barracuda email security gateways and Cisco IOS XE devices, also have the potential to be more impactful long term, according to Caitlin Condon, director of vulnerability intelligence at Rapid7.
“The MOVEit attack stands out because its motivation and methods were so starkly clear,” Condon said. “That’s not the case for the Cisco and Barracuda incidents.”
Clop weaponized public concern and increased pressure on its victims to pay ransoms by publishing many of its extortion demands and follow-on disclosures, Condon said.
File-transfer services prime targets
MOVEit is among a trio of file-transfer services exploited by threat actors for ransomware or extortion over a three-month span last year, following attacks against Fortra’s GoAnywhere and IBM Aspera Faspex in March. Clop was responsible for exploits against MOVEit, GoAnywhere and a large-scale zero-day attack on Accellion file-transfer devices in 2020 and 2021.
File-transfer services are an opportunistic attack vector because the records moving across them contain a “treasure trove” of high-value data threat actors can use for extortion or potential corporate espionage, according to Jess Burn, principal analyst at Forrester.
I don’t think we’ve hit the seventh-inning stretch on all of the implications at this time.
Michael Diamond
Independent analyst
MOVEit meets compliance requirements for sensitive record keeping across multiple highly regulated industries, according to Progress, including organizations in healthcare, pharmaceuticals, insurance and financial services.
Progress says the software satisfies data integrity, auditing and privacy concerns raised by the federal law restricting the release of medical information, the Food and Drug Administration, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, consumer financial privacy, and financial record keeping and reporting for corporations.
“As we see disclosures in the media regarding the type of information that has been stolen, we empathize with the individual end-users who have been impacted by this attack,” the Progress spokesperson said. “We are committed to playing a collaborative role in the industry-wide effort to combat cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.”
More pain in the offing
Cybersecurity experts are cautiously optimistic most of the initial damage caused by MOVEit breaches is known. Yet, they remain guarded and concerned about pain that could follow.
Organizations are still disclosing impacts, broadening the scope of damage to downstream organizations and their respective customers.
Some revelations came in the final months of 2023.
Most organizations were affected by MOVEit via third-party vendors
The size of each block depicts the number of downstream breaches attributed to the corresponding third-party vendor.
The healthcare platform provider Welltok disclosed a MOVEit breach impacting 34 organizations in late October, which ultimately exposed PII on 8.5 million people, according to a mid-November update to the U.S. Department of Health and Human Services. This makes it the second-largest MOVEit breach on record, behind Maximus.
An attack against the MOVEit environment used by Delta Dental of California and affiliates impacted 6.9 million people.
Maine, in early November, disclosed the most complete U.S. state-affiliated MOVEit breach to date, one that’s representative of a compromise of almost its entire population with 1.3 million people exposed.
In some cases, individuals’ personal data was exposed multiple times by MOVEit attacks.
The tally of individuals known to be impacted doesn’t yet capture the full extent of compromise because these numbers are limited to public disclosures and filings with government agencies.
“A lot of sensitive information is out there on consumers and businesses in the public and private sectors that can be used in myriad nefarious ways,” said independent analyst Michael Diamond. “I don’t think we’ve hit the seventh-inning stretch on all of the implications at this time.”
Clop’s spree of attacks against MOVEit ensnared a larger pool of victims because the file-transfer service’s customers broadly shared personal and sensitive data maintained by other organizations.
“What’s not known is how many other organizations’ information is included in the terabytes of data that Clop has released,” Emsisoft’s Callow said.
Who takes responsibility?
The expansive challenges lurking in the software supply chain underscore a continued push by federal authorities to require major changes in software design and security features infused into products by default.
CISA, key federal agencies and international partners are advocating for a series of secure-by-design and secure-by-default principles. The objective is to shift the responsibility for security to manufacturers and vendors instead of customers.
The Biden administration’s implementation plan for its national security strategy calls for public-private collaboration to drive the development and adoption of secure-by-design and secure-by-default technology, an effort slated for completion this year.
“We’ve seen ransomware as a service and the increased ability of cyber criminals to leverage often simple software design defects, often simple insecure default configurations that can lead to immense damage across the world,” CISA’s Cable said.
The focus needs to be put on the “software vendors who are actually capable of rooting out these vulnerabilities from the start, and really taking ownership of the security outcomes for their customers,” Cable said.
Much of this damage is outside the control of victim organizations. A business’s security is not just in its own hands or the products it uses, Cable said, but rather the products its vendors use and so on.
Absent major changes in the near term, more cascading attacks and perhaps on a similar scale are extremely likely.
“Every time you see a major incident mentioned it’s described as a wake-up call, and the reality is they don’t really seem to have woken up yet,” Callow said. “We have not done enough to combat the ransomware problem.”
News graphics developer Jasmine Ye Han and visuals editor Shaun Lucas also contributed to this piece.
