In Q2 2023, Kroll reported a notable shift towards increased supply chain risk, largely driven by the CLOP ransomware gang’s exploitation of the MOVEit transfer vulnerability. The MOVEit exploitation rendered even organizations with mature cybersecurity controls helpless and vulnerable to financial and reputational damage. Only a handful were able to detect the exfiltration, and even fewer could handle the consequences once a trusted partner fell victim.
In this virtual briefing, Kroll experts George Glass and Scott Downie examine the exploitation in detail and highlight lessons learned from over 50 incident response (IR) investigations handled by Kroll. They also brief participants on the complexities of third-party investigations, litigation considerations, breach notification challenges and the steps chief information security officers (CISOs) should take to raise preparedness.
The briefing covers:
“In July of 2021, we saw from the data we had collected that CLOP was developing or starting to develop an exploit for MOVEit, or at least showing careful attention to MOVEit applications—two years ahead of their mass exploit campaign.” – George Glass
Since several members of the CLOP gang were arrested in 2019, the group has tended to favor data exfiltration and extortion. Over the years, the group has famously exploited vulnerabilities in Accellion, SolarWinds Serv-U and GoAnywhere, all of which have affected hundreds if not thousands of organizations. However, all of this was only a precursor to their exploitation of the MOVEit Transfer vulnerability. The briefing explains how.
“One of the things that we have noticed is that data extortion has become a lucrative business. Threat actors no longer must encrypt software and utilize double extortion tactics. They simply leverage data exfiltration and then ransom that data back for payment.” – Scott Downie
Leveraging the Kroll Intrusion Lifecycle, Scott highlights how threat actors are changing their tactics based on the current threat landscape and simplifying their mode of attack to get paid with less effort. Do not miss this lesson.
“In 2022 and 2023, we have seen threat actors moving a lot quicker to get to their end goal. From an average dwell time of two to three days, we see threat actors with a dwell time of 15 minutes from initial exploit to data exfiltration, which is very consistent with an automated scripted attack.” – Scott Downie
One of the reasons for the wide impact of the MOVEit exfiltration was the automation fueling it. The automated script not only allowed threat actors to steal data from a broad array of victims but also allowed them to do so quickly, often in less than one hour, using two key exfiltration methods, as Scott explains.
What does your organization have in place to minimize the damage when an incident happens? Having handled thousands of incident response cases, Scott recommends empowering security operations teams with endpoint, network and behavioral monitoring capabilities to identify various attack tactics and augment response capabilities.
Scott and George fielded questions from the audience about lessons learned from the MOVEit vulnerability and how organizations can improve their security posture. Hear what they were.