More than 100 global enterprises have been hit by the Cl0p ransomware gang through its exploitation of the MOVEit file transfer software. Victims include industry giants like Shell, the British Broadcasting Corp. (BBC) and British Airways, as well as government entities like the U.S. Department of Energy, which oversees nuclear programs, and the numbers continue to climb.
Here's what businesses should know about the hack and how they should respond.
MOVEit is a data-transfer tool developed by Progress Software that enables businesses to send large volumes of data over the Internet. A typical transfer involves sending data from a user's account to a web server and then downloading it to another user's account.
The Russian hacker group Cl0p claims to have exploited a vulnerability in MOVEit to gain unauthorized access to the data servers, resulting in the exfiltration of millions of records. Cl0p has posted a list of potential targets on the Dark Web and is threatening to publish the stolen data unless the affected organizations pay a ransom.
It is crucial to understand the nature of this attack. While some media outlets have labelled it as a ransomware attack, it is not a traditional one where hackers lock an organization's systems and demand payment for their release. Instead, Cl0p is holding the stolen data hostage and threatening to publish or sell it unless the impacted organizations comply.
The attackers used a previously undisclosed or “zero-day” flaw in the MOVEit file-transfer program sold by Progress Software to thousands of clients globally. Soon after the attacks commenced, Progress identified the vulnerability in its software and offered a patch in late May, though not all clients implemented it.
1. Patch the software ASAP
Only download the software directly from Progress Software and watch for any subsequent updates on vulnerabilities and patches. Unpatched software may still be vulnerable.
2. Change logins
All login credentials must be updated. Consider adding two-factor authentication or a password manager if not currently used.
3. Assess the damage
While the exact start date is unknown, the hack is thought to have occurred in late winter or early spring of 2023. Examine all MOVEit transfer records since January 1, 2023, as well as the data that was transferred. Do not assume that paying a ransom will keep your data safe. Hackers may take your money and sell the information nonetheless.
4. Alert affected customers
Failing to disclose knowledge of a data breach can result in government fines, lawsuits, and other serious consequences. In cases of data theft it is always better to err on the side of caution and notify the affected parties than to risk being found to have concealed the breach.
5. Increase monitoring
Be on the lookout for new or abnormal behaviour such as an increased number of login attempts, new remote login attempts or very small charges hitting bank accounts or debit/credit cards. These are possible indicators of attackers trying to validate stolen credentials before launching a broader attack.
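Steps 3 and 5 both come down to reviewing records: the transfers that left the server since the start of 2023, and authentication events that look like stolen credentials being validated. The script below is an added example written for this page, not code from Progress Software or from MOVEit itself. The CSV-style log formats, account names and addresses are constructed for illustration and are not the real MOVEit Transfer log schema; point the two parsers at your own exported records and adjust the field lists to match.

```python
"""Added triage example: filter file-transfer records from a cutoff date and
flag login anomalies. The log formats below are constructed for illustration
and are NOT the real MOVEit Transfer log schema."""
import csv
import io
from collections import Counter
from datetime import date, datetime

# Constructed transfer audit records: timestamp,user,direction,filename,bytes
TRANSFER_LOG = """\
2022-12-20T09:12:00,alice,upload,q4-report.xlsx,204800
2023-01-03T14:02:11,bob,download,payroll.csv,51200
2023-03-15T02:45:09,svc-transfer,download,customer-export.zip,734003200
2023-03-15T02:47:30,svc-transfer,download,hr-records.zip,120586240
"""

# Constructed authentication records: timestamp,user,source_ip,result
AUTH_LOG = """\
2023-03-14T23:58:01,alice,10.0.0.12,success
2023-03-15T02:40:00,svc-transfer,198.51.100.23,failure
2023-03-15T02:40:05,svc-transfer,198.51.100.23,failure
2023-03-15T02:40:09,svc-transfer,198.51.100.23,failure
2023-03-15T02:40:14,svc-transfer,198.51.100.23,failure
2023-03-15T02:44:50,svc-transfer,198.51.100.23,success
2023-03-15T08:10:00,bob,10.0.0.30,success
"""

# Constructed baseline of source addresses seen during normal operation.
KNOWN_SOURCE_IPS = {"10.0.0.12", "10.0.0.30"}

TRANSFER_FIELDS = ["timestamp", "user", "direction", "filename", "bytes"]
AUTH_FIELDS = ["timestamp", "user", "source_ip", "result"]


def parse_log(text, fields):
    """Parse CSV-style lines into dicts, converting the timestamp column."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def transfers_since(log_text, cutoff_iso):
    """Step 3: every transfer on or after the cutoff date (ISO string such as
    "2023-01-01"), with byte counts as integers, so what left the server can
    be reviewed."""
    cutoff = date.fromisoformat(cutoff_iso)
    records = []
    for row in parse_log(log_text, TRANSFER_FIELDS):
        if row["timestamp"].date() >= cutoff:
            row["bytes"] = int(row["bytes"])
            records.append(row)
    return records


def bytes_downloaded_by_user(records):
    """Summarise downloaded volume per account to spot unusual bulk pulls."""
    totals = Counter()
    for row in records:
        if row["direction"] == "download":
            totals[row["user"]] += row["bytes"]
    return dict(totals)


def login_anomalies(log_text, known_ips, fail_threshold=3):
    """Step 5: flag repeated failures per (user, source IP), successful logins
    from addresses outside the baseline, and the overlap of the two, which is
    the pattern of stolen credentials being tried and then validated."""
    failures = Counter()
    new_source = set()
    for row in parse_log(log_text, AUTH_FIELDS):
        key = (row["user"], row["source_ip"])
        if row["result"] == "failure":
            failures[key] += 1
        elif row["source_ip"] not in known_ips:
            new_source.add(key)
    bursts = {k: n for k, n in failures.items() if n >= fail_threshold}
    return {
        "failure_bursts": bursts,
        "new_source_logins": new_source,
        "validated_after_burst": new_source & set(bursts),
    }


if __name__ == "__main__":
    since = transfers_since(TRANSFER_LOG, "2023-01-01")
    print(f"{len(since)} transfers since 2023-01-01")
    print("downloaded bytes by user:", bytes_downloaded_by_user(since))
    print("login anomalies:", login_anomalies(AUTH_LOG, KNOWN_SOURCE_IPS))
```

The `validated_after_burst` set is the item to escalate first: an account that failed repeatedly from an address outside the baseline and then succeeded is the combination the article's step 5 describes, and the per-user download totals from step 3 tell you how much data that account moved afterwards.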
6. Conduct employee training and reinforce best practices
Training will help employees identify and respond to risks and potentially reduce the impact of an attack. Ensure that employees know the importance of cybersecurity and best practices, such as not clicking on suspicious links or emails.
7. Engage a cybersecurity specialist
Experienced professionals are invaluable when it comes to mitigating risks and preventing cyberattacks. A cybersecurity specialist can help identify areas of risk, develop a security plan and implement the necessary measures to protect your business.
Have you or your organization been affected by the MOVEit hack? Contact us here to see how we can help.