Organisations should not rely on vendors to provide secure products. Additional monitoring should be put around an application, especially where it is connected to other systems, and monitoring in front of file-sharing tools is a must. In the event of a suspected incident, network monitoring data should be used to validate any IoCs (Indicators of Compromise) provided by the vendor against what your own telemetry actually recorded.
As part of a well-managed detective capability, logs should be consumed from a variety of sources, and file-sharing applications are no exception. Application logs should be layered with network monitoring so that, if the application itself is compromised and its own logs no longer reflect the malicious activity, the network data still does.
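The two checks described above, IoC validation and layering network telemetry over application logs, as an added example that is not code from the original post or from any vendor. Everything in it is constructed for illustration: the NetFlow-style flow records, the transfer application's audit log format, the field names, and the "vendor IoC" list, which uses RFC 5737 documentation addresses rather than any real indicator. The interesting finding it surfaces is a session the network saw but the application never logged.

```python
"""Cross-check constructed network telemetry against a file-transfer
application's own audit log and a vendor-supplied IoC list.

Added example (not the original post's or any vendor's code). All log
formats, field names, hostnames and IPs are constructed; the IoC list
uses RFC 5737 documentation ranges and is not a real indicator set.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed: hypothetical vendor-supplied IoC list (documentation IPs).
VENDOR_IOCS = {"198.51.100.23", "198.51.100.77"}

# Constructed: NetFlow-style records of connections to the transfer server
# (10.0.0.5). bytes_from_server is the volume sent back to the client.
NETWORK_FLOWS = """\
ts,src_ip,dst_ip,dst_port,bytes_from_server
2023-06-01T10:00:05Z,203.0.113.10,10.0.0.5,443,1200
2023-06-01T10:03:41Z,198.51.100.23,10.0.0.5,443,812000
2023-06-01T10:15:12Z,203.0.113.44,10.0.0.5,443,3400
2023-06-01T10:20:30Z,198.51.100.77,10.0.0.5,443,45000000
"""

# Constructed: the transfer application's own audit log. Note that it
# records nothing for the two 198.51.100.x sessions.
APP_AUDIT = """\
ts,user,action,src_ip,object
2023-06-01T10:00:07Z,alice,login,203.0.113.10,-
2023-06-01T10:15:14Z,bob,download,203.0.113.44,q3-report.xlsx
"""


def parse_iso(ts):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp format."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def parse_csv(text):
    """Load one of the constructed CSV logs into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def flows_matching_iocs(flows, iocs):
    """IoC validation: flows whose client IP appears in the vendor list."""
    return [f for f in flows if f["src_ip"] in iocs]


def unlogged_sessions(flows, audit, window=timedelta(seconds=30)):
    """Flows to the transfer server with no audit entry from the same client
    IP within +/- window. A gap means the network saw a session the
    application never recorded: benign (scanner, health check) or a sign
    that the application's logging was bypassed or tampered with."""
    audit_times = {}
    for entry in audit:
        audit_times.setdefault(entry["src_ip"], []).append(parse_iso(entry["ts"]))
    gaps = []
    for flow in flows:
        t = parse_iso(flow["ts"])
        logged = any(abs(t - at) <= window
                     for at in audit_times.get(flow["src_ip"], []))
        if not logged:
            gaps.append(flow)
    return gaps


def large_unlogged_transfers(flows, audit, threshold_bytes=10_000_000):
    """Prioritise unlogged sessions that pulled a large volume of data."""
    return [f for f in unlogged_sessions(flows, audit)
            if int(f["bytes_from_server"]) >= threshold_bytes]


def triage():
    """Run all three checks over the constructed logs; returns client IPs."""
    flows = parse_csv(NETWORK_FLOWS)
    audit = parse_csv(APP_AUDIT)
    return {
        "ioc_hits": [f["src_ip"] for f in flows_matching_iocs(flows, VENDOR_IOCS)],
        "unlogged": [f["src_ip"] for f in unlogged_sessions(flows, audit)],
        "large_unlogged": [f["src_ip"] for f in large_unlogged_transfers(flows, audit)],
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {hits}")
```

The matching window is deliberately generous (30 s) because flow start times and application timestamps rarely line up exactly; tune it to the clock skew you actually see between the two sources. In a real investigation the IoC hits and the unlogged sessions would be pulled from a SIEM or flow collector rather than inline strings, but the join logic is the same.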
Evolving Threat Actors – patience is a virtue for now…
In recent years we have seen that threat actors are typically impatient and that the groups behind them are often loosely organised. This is evidenced by the several breakaway threat actor groups we have seen over the past 24 months.
In the current case, CL0P (the group behind the MOVEit campaign) are more organised, and there are reports that they had been testing the MOVEit Transfer exploit since 2021. That preparation allowed them to exploit many organisations in a short period of time, before a patch was readily available.
CL0P have a track record of compromising file transfer tools, having been reported to be behind the GoAnywhere and Accellion breaches in 2023 and 2021 respectively. While those tools had a number of customers, the MOVEit install base is significantly larger, and the number of impacted organisations is therefore greater.