MOVEit, LastPass and Other Breaches Prove Need for Proactive Security

ConnectSecure | Jul 11, 2023

The cyber attacks against MOVEit and LastPass have generated big headlines and intense discussions on LinkedIn and other forums. Amid all the technicalities and talks about their destructiveness, it’s easy to forget that many of these types of attacks teach a returning and simple lesson: Don’t forget to update your applications.

Although it may sound like we’re stating the obvious, recent events show it needs to be a message on repeat. The sobering reality is that data breaches are often the result of unpatched vulnerabilities. Rather than waiting for an incident to happen, managed service providers (MSPs) should have the tools they need to stay ahead of threat actors. Regular application patching allows MSPs to proactively address known vulnerabilities, thereby significantly reducing the risk of a data breach.

The Latest Data Breaches Show Why You Need a Proactive Security Strategy

To illustrate this point, let’s take a quick look at what happened when threat actors managed to breach MOVEit and LastPass.

LastPass Breach: Targeting an Employee’s Unpatched Vulnerability

In December, 2022, LastPass, a popular password manager, issued a statement that an August breach, disclosed in November, was worse than the company had initially thought. The unknown threat actor had, according to the company’s investigation, used source code and technical information stolen from their development environment to target another employee. Wired quoted LastPass’s account of the sequence of events:

“This was accomplished by targeting [a] DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

So, what made the employee such an apt target? As it turned out, the DevOps engineer had an unpatched version of Plex Media Server on his home computer. The patch, however, had been available to all since May of 2020.

A Plex spokesperson noted in PC Magazine, “Unfortunately, the LastPass employee never upgraded their software to activate the patch. For reference, the version that addressed this exploit was roughly 75 versions ago.”

MOVEit Breach: Exploiting a Zero-Day Vulnerability

When it comes to the MOVEit breach, the threat is still ongoing. Labeled a “slow-moving disaster” by Cybersecurity Dive, it has hit more than 300 organizations, including the world’s largest financial institutions, law firms, insurance providers, healthcare firms, education service providers, and government agencies. To date, the personally identifiable information (PII) of more than 18 million individuals has been exposed.

Unusual Activity Raises Concern

The damage began to unfold on May 28 when a customer noticed unusual activity in their MOVEit environment, a widely used file-transfer service that has been approved and accredited by multiple government agencies and highly regulated industries. Three days later, Progress disclosed a zero-day vulnerability in MOVEit and issued a patch for on-premises versions and patched cloud servers. As the first wave of victims like British Airways and Zellis, a payroll provider, began to come forward, Progress discovered more — yet to be exploited — vulnerabilities and released a patch that the company urged all customers to use.

Unpatched Software Opens Door to Exploitation

Every day brought more dire news. On June 6, Clop, a ransomware group also known as TA505. took responsibility for the attack and set a deadline for victims. The following day, federal authorities cautioned, “Due to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”

Cybersecurity Dive summed up the situation in a detailed account of the fallout that also ensnared multiple downstream victims, “The attacks against MOVEit and its customers underscores the fact exploited vulnerabilities remain the No. 1 root cause of ransomware attacks.”

The WannaCry Ransomware Attack: Another Argument for Proactive Cybersecurity

These attacks are far from the only reminder that patching is a critical component of any sound cybersecurity strategy. An internal investigation revealed that the National Health Service (NHS) could have prevented the crippling effect of the 2017 WannaCry ransomware attack with “basic IT security.”

WannaCry exploited a vulnerability in the Windows operating system to spread to computers around the world. Once infected, the ransomware would encrypt the victim's files and demand a ransom payment in Bitcoin in order to decrypt them.

The WannaCry attack was particularly destructive because it was able to spread so quickly. The ransomware used a technique called EternalBlue, which was a vulnerability in the Server Message Block (SMB) protocol. This vulnerability allowed the ransomware to spread from computer to computer without any user interaction.

The Steps to Implementing a Patch Management Strategy

If these incidents are largely preventable with timely application updates, the question is what such updates look like?

Patch management isn't just about updating applications. It requires a systematic approach that involves identifying, acquiring, installing, and verifying patches for your systems and software. To ensure a secure environment, MSPs should make the following steps a part of their patch management strategy:

Inventory Management: Have a clear understanding of the software applications in use, their versions, and patch levels.
Vulnerability Assessment: Regularly assess your systems for vulnerabilities, keeping an eye on security bulletins related to your software.
Risk Assessment: Prioritize vulnerabilities based on their potential impact on your systems and business operations.
Patch Testing: Test patches in a controlled environment before deploying them across your systems.
Patch Deployment: Implement patches systematically and prioritize critical updates to minimize potential attack vectors.
Patch Verification: Verify that patches have been correctly installed and are working as intended.
Documentation: Keep a record of your patch management activities for future reference and compliance purposes.

Final Word: Fortify Your Digital Fort

In sum, staying on top of application updates is more than a best practice—it's a fundamental part of a robust cybersecurity strategy. By learning from past breaches and understanding the importance of regular application updating, you can take the right steps to minimize risk. Amid escalating cyber threats, only a proactive approach to cybersecurity will fortify your own and your customers’ digital fort.

The ConnectSecure cybersecurity platform features everything you need to gain a 360-degree view of network vulnerabilities and also provides the tools to remediate them. Sign up for a free 14-day trial today.