
Etiology of a Breach

In News, New Threats
August 27, 2023
In one sense, once you have been breached, what difference does it make as to how it happened?
In another sense, if you know how it happened you can address what steps to take so that it does not happen again.

Most data breaches involve some level of human error on the victim's side, which employee training can theoretically address. Human error can take the form of clicking on a link in an email from a sender unknown to the person clicking it, at which point malware enters the scene. Another common human error scenario involves phishing emails, where an employee is induced to provide information, such as credentials for logging on.

While human error may be the most common way threat actors gain access to their victim's network (the attack vector), there are many other ways as well. Another common attack vector involves exploiting a vulnerability in software or hardware that has not been fixed. If the vulnerability is unknown to the software manufacturer or vendor at the time of the attack, i.e., if it is what is called a zero-day attack (https://usa.kaspersky.com/resource-center/definitions/zero-day-exploit), it can compromise numerous victims until a patch or fix is developed and urgently pushed out to customers.

This section highlights data breaches where the attack vector does not involve human error on the part of the victim.

1) The MOVEit Cyberattack

One of the most devastating cyberattacks of 2023 involved exploiting a zero-day vulnerability in software. In May of 2023, two years after a Russian ransomware gang known as Clop first discovered an unpatched vulnerability in MOVEit (https://www.progress.com/moveit) software by Progress Software, the threat actors launched their attack.

MOVEit is file transfer software used by businesses to transfer files over FTP (File Transfer Protocol) or SFTP (Secure File Transfer Protocol). Businesses and schools use such software to transfer files to and from vendors. Hospitals and medical practices may use it to transfer patient records to business associates who handle insurance billing for the covered entities.

In the Clop/MOVEit incident, some entities found themselves being notified by two or more of their vendors that their customer, student, employee, or patient data had been acquired by the attackers.

As one example, some universities found themselves notified by the National Student Clearinghouse that students who applied for federally funded student loans had their data stolen by the attackers, while the universities were also being notified by TIAA-CREF that university faculty receiving retirement or pension benefits had their data stolen. In some cases, universities were also notified by Corebridge Financial when data for some employees had been sent to Corebridge Financial to support retirement services. And if three vendors notifying a university of a breach seems overwhelming, how about four? Some universities, like the University of Buffalo, were also notified by United Healthcare Student Resources that students enrolled in health insurance plans through the university or SUNY had been compromised. The information involved included names, dates of birth, addresses, phone numbers, email addresses, plan identification numbers, policy information, student identification numbers, and claims information, including claim numbers, provider information, dates of service, diagnosis codes, prescription information, and claims financial information. For a subset of the impacted students, the information involved also contained Social Security numbers or national identification numbers.

If the MOVEit breach sounds like a costly breach, it becomes even more costly when you learn that because Progress refused to pay Clop's ransom demands not to leak the stolen data, Clop has attempted to directly extort MOVEit customers. Some of those entities have seemingly paid Clop undisclosed amounts, but those who haven't paid have been finding their students', employees', customers' or patients' data leaked on the dark web with a threat that "On 15 August we start publishing of every company on list that do not contact. You data is going to publishing on clearweb and Tor and for large company we also create clearweb URL to help google index you data. Also all data go on torrent and speed of download is very quick. YOU NOT HIDING MORE."

The MOVEit breach was actually the third significant file transfer software vulnerability exploited by Clop in the past few years. Their previous attacks involved the Accellion breaches in 2020 and 2021 (https://purplesec.us/accellion-data-breach-explained/) and the Fortra GoAnywhere MFT breach in January 2023 (https://www.bleepingcomputer.com/news/security/fortra-shares-findings-on-goanywhere-mft-zero-day-attacks/).

Each of those two previous breaches impacted more than 100 companies, but the MOVEit breach was greater. The total number of victim entities and the total number of people affected by the Clop MOVEit breach are not yet known, as reports are still coming in every day, but Emsisoft (https://www.emsisoft.com/en/blog/44123/unpacking-the-moveit-breach-statistics-and-analysis/) has been tracking the incident. As of August 11, their counter stood at 649 organizations affected and 41,473,642 individuals.

The Clop attacks exploiting file transfer software vulnerabilities serve as a reminder that many costly breaches do not involve threat actors encrypting data. Clop simply exfiltrates a lot of sensitive information and then demands a ransom in exchange for deleting it from their server and not leaking it publicly. Having a good backup system has no effect on this type of attack (although it is important for other reasons and for other possible attacks). Similarly, paying a ransom to criminals who promise that they will delete your data is like giving the burglar who stole your car a few thousand dollars because they promise to return it once you pay.