Webinar Replay: Lessons Learned from 50+ MOVEit IR Investigations
A deep dive into the MOVEit exploitation and incident response, from reconnaissance to exfiltration and its impact on third parties, with lessons learned from the frontline. In Q2 2023, Kroll reported a notable shift towards increased supply chain risk, largely driven by the CLOP ransomware gang's mass exploitation of the MOVEit Transfer vulnerability. The MOVEit exploitation left even organizations with mature cybersecurity controls exposed to financial and reputational damage. Only a handful were able to detect the exfiltration, and even fewer were prepared for the consequences once a trusted partner fell victim.
In this virtual briefing, Kroll experts George Glass and Scott Downie examine the exploitation in detail and highlight lessons learned from over 50 incident response (IR) investigations handled by Kroll. They also brief participants on the complexities of third-party investigations, litigation considerations, breach notification challenges and the steps chief information security officers (CISOs) should take to raise preparedness.
The briefing covers:
- What led to the MOVEit exploitation?
- Why did the attack have a bigger impact?
- What were the key lessons learned?
- How can organizations improve their cybersecurity posture?
Key Sections From the Webinar

Backstory Behind the MOVEit Exploit
“In July of 2021, we saw from the data we had collected that CLOP was developing, or starting to develop, an exploit for MOVEit, or at least showing careful attention to MOVEit applications—two years ahead of their mass exploit campaign.” – George Glass
After several members of the CLOP gang were arrested in 2019, the group shifted toward data exfiltration and extortion rather than encryption. Over the years, it has famously exploited vulnerabilities in Accellion FTA, SolarWinds Serv-U and Fortra GoAnywhere MFT, campaigns that affected hundreds, if not thousands, of organizations. All of this, however, was only a precursor to its exploitation of the MOVEit Transfer vulnerability. Let us see how.

Lessons Learned
Evolving Threat Landscape
“One of the things that we have noticed is that data extortion has become a lucrative business. Threat actors no longer have to encrypt software and utilize double extortion tactics. They simply leverage data exfiltration and then ransom that data back for payment.” – Scott Downie
Leveraging the Kroll Intrusion Lifecycle, Scott highlights how threat actors are changing their tactics based on the current threat landscape and simplifying their mode of attack to get paid with less effort. Do not miss this lesson.

Automated Exfil
“In 2022 and 2023, we have seen threat actors moving a lot quicker to get to their end goal. From an average dwell time of two to three days, we see threat actors with a dwell time of 15 minutes from initial exploit to data exfiltration, which is very consistent with an automated scripted attack.” – Scott Downie
One of the reasons for the wide impact of the MOVEit exfiltration was the automation behind it. The automated script allowed threat actors not only to steal data from a broad array of victims but also to do so quickly, often in under an hour, using two key exfiltration methods, as Scott explains.
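The compressed exploit-to-exfiltration window described above is something a detection team can test for directly. The following is an added example, not code or data from the webinar or from Kroll: it parses constructed W3C-style web-server log lines for a hypothetical file-transfer application (the `/api/v1/...` paths and IP addresses are invented for illustration and are not MOVEit indicators) and flags any source that pulls more than a threshold of bytes within minutes of its first request, the signature of a scripted rather than hands-on-keyboard attacker.

```python
"""Flag sources whose download volume spikes within minutes of first contact.

Added example for the dwell-time discussion above. The log lines, URI paths,
IP addresses and thresholds are all constructed for illustration; none are
real MOVEit or Kroll data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed W3C-style log lines (hypothetical file-transfer app):
# date time c-ip cs-method cs-uri-stem sc-status sc-bytes
SAMPLE_LOG = """\
2023-05-28 03:00:01 198.51.100.7 GET /api/v1/folders 200 1820
2023-05-28 03:00:03 198.51.100.7 POST /api/v1/token 200 412
2023-05-28 03:04:10 198.51.100.7 GET /api/v1/files/1001/download 200 52428800
2023-05-28 03:06:44 198.51.100.7 GET /api/v1/files/1002/download 200 104857600
2023-05-28 03:09:12 198.51.100.7 GET /api/v1/files/1003/download 200 209715200
2023-05-28 08:15:00 203.0.113.20 GET /api/v1/folders 200 1820
2023-05-28 09:40:00 203.0.113.20 GET /api/v1/files/2001/download 200 31457280
2023-05-28 14:02:00 203.0.113.20 GET /api/v1/files/2002/download 200 26214400
"""


def parse_line(line):
    """Split one space-delimited log line into a typed event dict."""
    date, time, ip, method, uri, status, sc_bytes = line.split()
    return {
        "ts": datetime.fromisoformat(f"{date} {time}"),
        "ip": ip,
        "method": method,
        "uri": uri,
        "status": int(status),
        "bytes": int(sc_bytes),
    }


def find_fast_exfil(log_text, byte_threshold=256 * 1024 * 1024,
                    window=timedelta(minutes=15)):
    """Return {ip: minutes_from_first_request} for every source whose
    cumulative successful download bytes cross byte_threshold within
    `window` of that source's first request. Sources that download a lot
    slowly, or a little quickly, are not reported."""
    first_seen = {}
    cumulative = defaultdict(int)
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ip = ev["ip"]
        # Dwell time is measured from the source's very first request,
        # not from its first download.
        first_seen.setdefault(ip, ev["ts"])
        if ev["status"] == 200 and ev["uri"].endswith("/download"):
            cumulative[ip] += ev["bytes"]
            elapsed = ev["ts"] - first_seen[ip]
            if (cumulative[ip] >= byte_threshold
                    and ip not in hits and elapsed <= window):
                hits[ip] = round(elapsed.total_seconds() / 60, 1)
    return hits


if __name__ == "__main__":
    for ip, minutes in find_fast_exfil(SAMPLE_LOG).items():
        print(f"{ip}: threshold crossed {minutes} min after first request")
```

In the constructed sample the first source crosses 256 MiB about nine minutes after its first request and is flagged; the second source never reaches the threshold and is ignored even though it downloads over several hours. Tune `byte_threshold` and `window` to the baseline of the application being monitored, and feed the function the real access logs rather than the embedded sample.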

Minimizing Impact
Getting Extended Visibility Across Your Digital Estate
What does your organization have in place to minimize the damage when an incident happens? Drawing on thousands of incident response cases, Scott recommends equipping security operations teams with endpoint, network and behavioral monitoring capabilities so they can identify a range of attack tactics and strengthen their response.

Questions Asked During the Briefing
Scott and George fielded questions from the audience about lessons learned from the MOVEit vulnerability and how organizations can improve their security posture. Hear what they were.
