Topping our headlines is the MOVEit breach and news of a third critical SQL injection flaw in roughly a month. This latest vulnerability could allow “an unauthenticated attacker to submit a crafted payload to a MOVEit Transfer application endpoint, which could result in modification and disclosure of MOVEit database content,” as noted in a Progress Software advisory. Progress Software first disclosed the breach of its MOVEit managed file transfer software on May 31, although security researchers found evidence suggesting that the exploitation may have started two years ago.
So far, more than 100 organizations globally have been impacted by the hacking spree, and that number is expected to grow. The attack is attributed to the Clop ransomware group; the victims are high-profile organizations predominantly in the US. Confirmed victims include the US Department of Energy, Oregon’s Department of Transportation, the Nova Scotia government, British Airways, Shell Oil, the Illinois Department of Innovation and Technology, and the Minnesota Department of Education, to name just a few.
Victims have been instructed to contact the Clop group and begin ransom negotiations, and if history repeats itself, they can expect multi-million-dollar demands, which Clop has made in past campaigns. If an organization does not pay, Clop has threatened to name, shame, and leak the targeted organization’s data on the dark web. In an interesting development, no ransom demands have been made of federal agencies, and the hackers wrote in all caps on their dark web site, “If you are a government, city or police service, do not worry, we erased all your data. You do not need to contact us. We have no interest in exposing such information.”
This attack is believed to be opportunistic, with 31% of the publicly exposed victims in the financial sector, 16% in healthcare, and 9% in technology. CISA is providing support to federal agencies that experienced intrusions to help them understand the impact and remediate quickly. Progress Software is advising customers to disable HTTP and HTTPS traffic to their MOVEit Transfer environment so that only localhost access remains, apply the available patches, and only then re-enable HTTP and HTTPS traffic. And the US State Department is offering a $10 million bounty for information on the Clop gang or any other malicious cyber actors under the control of a foreign government who target US critical infrastructure. Send a tip, and you could be eligible for a reward.
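One way to carry out that patch-window sequence on a Windows host, as an added illustration (this is not the Progress advisory’s own script): it assumes the server uses the built-in NetSecurity PowerShell module, that MOVEit Transfer listens on the default TCP ports 80 and 443, and that loopback traffic is not subject to Windows Firewall rules, so an administrator on the box can still reach the application at https://localhost while the block is in place.

```powershell
# Added example, not vendor code: temporarily cut off external HTTP/HTTPS to a
# MOVEit Transfer host while the patch is applied, then restore it.
# Assumptions: Windows Server with the NetSecurity module; MOVEit Transfer on
# the default TCP ports 80 and 443; loopback traffic is not filtered by the rule.
$ports    = @(80, 443)
$ruleName = "MOVEit patch window - block inbound web"

# Step 1: block inbound HTTP/HTTPS from every remote address. Administrators on
# the host itself can still use https://localhost to install the update.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort $ports `
    -Action Block -Profile Any -Enabled True | Out-Null

# Step 2: confirm that no remote client still holds a session to the listener.
# Anything listed here other than loopback should be investigated before patching.
Get-NetTCPConnection -LocalPort $ports -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, State

# Step 3 (only after the vendor patch is installed and verified): remove the
# temporary rule so traffic resumes, rather than leaving a disabled rule behind.
Remove-NetFirewallRule -DisplayName $ruleName
```

Run Step 3 from a separate session after the patch has been confirmed, since the script does nothing to verify the patch level itself.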
LastPass Reflections and Regrets
So far, this year has been a quiet period for LastPass, and CEO Karim Toubba is now publicly reflecting and sharing his regrets over the 2022 high-profile security incident.
Last August, attackers breached the password manager’s systems, stealing portions of its source code and some proprietary technical information. Initially, it was reported that the threat actors had not accessed the data of LastPass’s 33 million registered users. However, months later, LastPass revealed that a cloud-based backup of all customer vault data, including encrypted passwords, usernames, and form-fill data, had been stolen. Master passwords, which LastPass does not store or maintain, were not compromised, the saving grace that prevented a full-blown catastrophe.
So what were the lessons learned from the incident? Toubba told Cybersecurity Dive in a phone interview that LastPass “got the transparency piece right” but should have shared information more quickly and not waited until all the incident information was pieced together.
LastPass hasn’t observed any malicious activity since late October 2022, nor is it aware of any customers who experienced a follow-on compromise due to the stolen data. However, LastPass is still picking up the pieces from lost business and a tarnished reputation. Accordingly, Toubba has been on a “listening tour,” trying to earn back customer trust and promising to be more transparent going forward.
NIST Proposal to Update SP 800-171
NIST released a proposal to update the information security controls outlined in SP 800-171. NIST SP 800-171 was first published in 2015 and outlines the technical, physical, and administrative security controls that private-sector companies should implement and maintain to protect certain types of government information. Because of its flexible approach to information security, NIST SP 800-171 has become a key cybersecurity standard for businesses of all kinds. Now, with a notable surge in attacks and increased impact on both private and public companies, it’s time to evolve the framework.
The proposed updates to SP 800-171 primarily aim to enhance the alignment of security controls with other NIST guidelines relevant to the federal government. Additionally, the changes will provide more detailed descriptions of the controls, eliminating ambiguity and promoting more effective implementation.
While not the primary focus, the updates also address incident response, clarifying the incident response plans and controls an organization should have in place. For example, the NIST proposal emphasizes using checklists, tabletop exercises, and other simulations to test a response plan. NIST also adds new guidance on how organizations can use qualitative and quantitative data to determine the effectiveness of their incident response processes, and it encourages testing and measuring how quickly an organization can mobilize its incident response teams, in order to improve the efficiency and effectiveness of incident recovery.