Understanding and Mitigating the MOVEit Incidents

Over the last several weeks, attackers have taken advantage of vulnerabilities in MOVEit, a popular file transfer application developed by Progress. The attackers carried out ransomware and data exfiltration attacks by uploading web shells into vulnerable MOVEit instances deployed worldwide. This breach poses a significant risk, not just because of its scale but also because of its complexity and sophistication.

A New Breed of Cyberattacks

The ransomware and data exfiltration attacks against MOVEit are a form of remote code execution. What makes them uniquely perilous is their divergence from previous supply chain incidents that the cybersecurity community has encountered. This is not the usual “man in the middle” or “dependency tampering”; instead, it is a calculated and tactical intrusion that demonstrates a shift in the strategies employed by attackers.

Patches and Vulnerabilities

Three notable vulnerabilities have been identified thus far in MOVEit instances. Progress, the MOVEit developer, has responded swiftly to these threats by providing patches for each vulnerability. However, the presence of these vulnerabilities alone underscores the need for a layered and dynamic approach to security.

Cl0p Comes Forward

Just last week, the Cl0p ransomware group revealed that it had successfully launched ransomware and exfiltration attacks against vulnerable MOVEit instances running at some of the most prominent organizations in the world. Cl0p’s modus operandi is a stark reminder that while addressing known vulnerabilities is critical, staying ahead of the curve and anticipating unknown threats is equally essential.

WAF: Your First Line of Defense

In the wake of these attacks, we have ramped up our efforts to fortify our customers’ defenses. Since the first week of June, we have been continuously updating the signatures of our Web Application Firewalls (WAF). This includes our Cloud WAF (CWAF) and WAF Gateway (WAF GW). All Imperva customers using our WAF have been protected against attacks targeting these vulnerabilities.

RASP: Defense-In-Depth Protection

While a WAF provides essential protection at the network layer, it’s important to recognize that many MOVEit customers deploy MOVEit into environments without network security solutions. Imperva Runtime Application Self-Protection (RASP) can step in to maintain a robust defense in these scenarios. Imperva has already tested and deployed RASP alongside MOVEit for our customers, with successful results. This gives customers an additional layer of security for their systems.

CISA Recommendations

The US Cybersecurity and Infrastructure Security Agency (CISA) has strongly urged all customers to use a combination of network and application protection in the wake of the MOVEit attacks. This aligns perfectly with Imperva’s efforts to protect our customers through WAF and RASP. By employing a multifaceted protection strategy, we can offer our customers the best chance to stay safe in the increasingly hostile landscape of cyber threats.

Conclusion

In today’s digital age, cybersecurity is not just an option but a necessity. The recent attacks on MOVEit serve as a potent reminder of this. With a combination of network and application protection, along with a proactive approach to threat detection and prevention, Imperva can ensure the safety and integrity of your digital resources in the face of such threats.

As always, we will continue to keep everyone updated on the latest developments and issues surrounding MOVEit and other notable threats.
