Coming to a Magic Quadrant near you

Hackers coming to a magic quadrant near you

The MOVEit breach has resulted in such a large amount of data theft that we'll likely be hearing about the fallout for years.

If you've been living in a cave, here's the backstory.

  • In July 2023, a ransomware group known as CL0P exploited a zero-day vulnerability in a well-known file-sharing product called MOVEit Transfer.
  • MOVEit Transfer allows companies to exchange files and data between servers, systems and applications within and between organisations, as well as between groups and individuals using a common shared folder with simple browser access for users.
  • The vulnerability allowed the ransomware group to gain access to many organisations that had public-facing servers with the MOVEit Transfer software installed.

Something important to understand is that this isn't the first time CL0P has targeted software like MOVEit as part of a ransomware campaign.

This attack is the fourth in a series attributed directly to CL0P.

This gives us critical insights into what targets criminals are interested in and, therefore, the areas we should focus our proactive, defensive efforts.

See, while companies and security people are busy commenting from the sidelines on social media, CL0P and others like them are likely lining up their next targets.

When you think about it, it's a smart business move.

Unofficially, CL0P has already profited by up to $100M from the attack on MOVEit users alone.

The ROI for hackers is just too good to ignore.

Think about it like this.

  • 1 vulnerability
  • 1 vendor
  • 33 confirmed breach disclosures
  • 340 organisations
  • 1000s of GB of stolen data
  • 18 million individuals impacted
  • 100 million dollars in profit

Looking at it from that angle, if you're a ransomware crew, what do you do?

Rinse & repeat!

This is where understanding the attacker's perspective is key to protecting yourself.

You see a magic quadrant, while hackers see a magic list of targets

To illustrate this, let's look at some major players in the managed file transfer (MFT) sector.

When you look at something like Gartner, you will see the top companies in any given space.


Now here's what attackers see when they look at a magic quadrant map. It's not a matter of who's the best or even who's the easiest to hack.

All it comes down to is, if it's on the magic quadrant, there's gonna be more victims using it, which means more profit.

In their mind, it's not about IF they will break in, it's about WHEN.

Hence, as illustrated below, to groups like CL0P there are only two types of managed file transfer vendors.

  1. Those already hacked by CL0P
  2. Those yet to be hacked by CL0P

With this perspective, Gartner's magic quadrant becomes a dinner menu.


You need to understand, the security of your vendors IS the security of your business.

So what are you doing to prepare for this?

Many of these attacks rely on finding a zero-day vulnerability in a particular vendor's software, then spraying the internet hoping to find publicly exposed instances of that vendor's software.

  • Do you REALLY need to expose the software to the internet?
  • Is there a world in which your users can access the software via the corporate VPN?

As seen with CL0P's attacks, in many cases they had exfiltrated hundreds of GB of files.

  • Do you have proper monitoring on this server to detect data exfiltration?
  • What do you have in place as a network failsafe if you can only detect something mid-exfiltration?
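One concrete way to answer the monitoring question above is a volume-based egress check on the file transfer server itself. The following is an added example, not code from the original post: it aggregates outbound bytes per (source, destination) pair over a sliding 15-minute window and flags any pair that crosses a threshold, so a burst like the one CL0P relied on is caught mid-transfer rather than discovered from a breach notice. The log lines, host names and addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress records (not real logs):
# timestamp, source host, destination, outbound bytes.
# Normal partner transfers are a few MB; one burst of very large
# transfers to a single new destination is the pattern to alert on.
SAMPLE_LOG = """\
2023-06-01T01:00:00 mft-01 203.0.113.10 5242880
2023-06-01T01:05:00 mft-01 203.0.113.10 4194304
2023-06-01T02:00:00 mft-01 198.51.100.7 734003200
2023-06-01T02:03:00 mft-01 198.51.100.7 943718400
2023-06-01T02:07:00 mft-01 198.51.100.7 1258291200
2023-06-01T02:30:00 mft-02 203.0.113.10 1048576
"""

def parse(lines):
    """Parse whitespace-separated records into (ts, src, dst, bytes)."""
    out = []
    for line in lines.splitlines():
        ts, src, dst, nbytes = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return out

def egress_alerts(records, window=timedelta(minutes=15), threshold=1 << 30):
    """Flag each (src, dst) pair whose outbound bytes inside a sliding
    window exceed `threshold` (default 1 GiB).
    Returns a list of (src, dst, window_start, total_bytes)."""
    by_pair = defaultdict(list)
    for ts, src, dst, n in records:
        by_pair[(src, dst)].append((ts, n))
    alerts = []
    for (src, dst), events in by_pair.items():
        events.sort()
        start, total = 0, 0
        for ts, n in events:
            total += n
            # Drop events that have fallen out of the window.
            while ts - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total > threshold:
                alerts.append((src, dst, events[start][0], total))
                break  # one alert per pair is enough to trigger a response
    return alerts

if __name__ == "__main__":
    for a in egress_alerts(parse(SAMPLE_LOG)):
        print("ALERT: %s -> %s from %s, %d bytes" % a)
```

The threshold and window should be tuned to the server's real baseline; the point is that the check fires while the transfer is still in progress, which is when a network failsafe can still act.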

Once again, there's a clear pattern of software like MOVEit Transfer having vulnerabilities that existed in the code without being found during the vendor's internal security activities.

History has shown that it's not good enough to rely on vendors to protect their own software.

As I called out in a previous post, MOVEit Transfer has had over 10 SQL injection vulnerabilities over the last 3 years ALONE.

How many vulns do you think still exist in the vendor tech you're using right now?

  • Have you tried to hack the vendor software yourself?

If you are using vendor software and you do want to see if it can be hacked, hit me up on LinkedIn or reach out via email: [email protected]
