MOVEit Breach Victims Continue to Come to Light

The MOVEit Transfer breach was first reported on May 31, and the fallout from the incident continues. National Student Clearinghouse, an educational nonprofit, is among the recent victims to release a notice of a data breach related to the MOVEit vulnerability.

“I really strongly suspect we're not done seeing the fallout from this,” Emily Austin, senior security researcher at threat intelligence platform Censys, tells InformationWeek.

What is the scope of the National Student Clearinghouse breach, and could incidents like the initial MOVEit breach happen again?

The National Student Clearninghouse Breach

Progress Software, the company behind the MOVEit managed filed transfer (MFT) tool, informed National Student Clearninghouse of its cybersecurity incident on May 31, according to its notice of data breach letter. The nonprofit initiated an investigation and determined on June 20 that an unauthorized party obtained data from its MOVEit environment. The letter lists information impacted by the breach, including names, dates of birth, contact information, Social Security numbers, student ID numbers, and school-related records.

National Student Clearninghouse provides degree verification, research, data exchange, and educational reporting services. It serves 3,600 colleges and universities; 97% of students at public and private institutions are enrolled by its participants, according to the nonprofit’s website. Close to 900 educational institutions were impacted by this breach.

Related:Tesla Insider Data Breach Exposed Over 75,000

National Student Clearinghouse has applied three security patches released by Progress Software, and it is offering free identify monitoring services for two years.

A Ripple Effect

Censys has been closely following the MOVEit breach since it was first announced. Censys has observed the number of exposed MOVEit Transfer instances declining. On June 2, it identified 3,000 hosts exposed to the internet and running MOVEit. By June 7, that number had dropped to 2,600.

Austin tells InformationWeek that the breach is moving into a new phase. “Over the last month or so, we've started to see this shift…in MOVEit from being…a one to one, like a company to an instance. Now, we're seeing it as more of a little bit of a supply chain issue,” she explains.

As the breach ripples outward, organizations that did not use MOVEit are being impacted because they work with vendors that do use the MFT tool. In August, the Colorado Department of Health Care Policy and Financing (HCPF) announced that the personal health data of 4 million people was stolen. Its third-party vendor IBM uses MOVEit to transfer HCPF data files, according to the data security incident notice.

Related:Former Uber CSO Sentenced to Probation, Fined for Data Breach Cover-Up

“While HCPF confirmed that no HCPF systems or databases were impacted, on June 13, 2023, the investigation identified that certain HCPF files on the MOVEit application used by IBM were accessed by the unauthorized actor on or about May 28, 2023,” according to the notice.

Information increasingly flows through a complicated ecosystem, and just one vulnerability can have far-reaching consequences, like the MOVEit breach.

“There's this information supply chain and the data is going to take lots of hops along that information supply chain and any point in that supply chain could have a vulnerability or multiple points,” says Gregory Hoffer, CEO of MFT solutions company Coviant Software.

MFT Vendors and Threat Actor Motivations

MOVEit is not the only MFT tool to be targeted by threat actors. The Clop ransomware gang is linked to the MOVEit breach, and the same group exploited a zero-day vulnerability in the MFT solution GoAnywhere at the beginning of this year. In 2020 and 2021, Clop “...used several zero-day exploits to install a web shell named DEWMODE on internet-facing Accellion FTA servers,” according to the Cybersecurity and Infrastructure Security Agency (CISA).

Related:MOVEit Breach Continues to Snap Up Victims

MFT tools offer organizations a secure way to transfer sensitive, and therefore valuable, information. But organizations must expose their networks to outside entities to execute that transfer.

“We all know the firewalls keep us safe and secure in the castle with the moat around it, but MFT is almost like that drawbridge you have to lower to let people in and out. We need to be paying a lot more attention to that drawbridge and making sure that it is secure as it can be,” says Hoffer.”

He expects that threat actors are going to be looking at other MFT vendors for more vulnerabilities to exploit.

Additionally, Austin anticipates that threat actors may increasingly target enterprise back-office software. In April, Clop and LockBit ransomware were tied to attacks on print management software PaperCut, according to Bleeping Computer.

"This wasn't a smash and grab, extortion kind of thing. They didn't necessarily steal data, but instead they used Paper Cut, the print server software exposed to the internet…to actually get access to organizations. And they were able to install remote management software on these hosts to kind of give them the back door,” says Austin.

Financially motivated threat actors likely believe other kinds of web-based project management tools or data transfer tools that facilitate business operations represent a landscape ripe for potential exploitation.

Cybersecurity and Limited Resources

Raj Ananthanpillai, founder and CEO of identity and screening company Trua, argues that there needs to be a paradigm shift in the way organizations collect and store data. “Why am I collecting and storing that information to begin with? What am I trying to accomplish, and can I accomplish the same thing using a different method?” he asks.

But for now, personal data is prolific, and organizations are tasked with safeguarding it, even if they have limited resources to do so. What can nonprofits and other organizations without big cybersecurity budgets do?

Organizations can take steps to minimize third-party risk by vetting the vendors they select. “Don't just blindly trust your vendor. Make sure you [do] some diligence and understand the security posture of that company,” Hoffer recommends.

Darren Guccione, CEO And co-founder of Keeper Security, a passwords and secrets management company, explains the importance of performing a gap analysis against a trusted cybersecurity framework.

“For a small organization, this may not be as daunting as it sounds. It could be as simple as listing the framework controls as a checklist and asking, ‘Do we currently perform this task?’ Then, they can mark it yes or no. The ‘no’ items are the security risks that should be addressed,” he explains in emailed comments.

Of course, eliminating all risk is impossible, which means all organizations also need robust incident response plans.