The cyber attacks against MOVEit and LastPass have generated big headlines and intense discussions on LinkedIn and other forums. Amid all the technicalities and talks about their destructiveness, it’s easy to forget that many of these types of attacks teach a returning and simple lesson: Don’t forget to update your applications.
Although it may sound like we’re stating the obvious, recent events show it needs to be a message on repeat. The sobering reality is that data breaches are often the result of unpatched vulnerabilities. Rather than waiting for an incident to happen, managed service providers (MSPs) should have the tools they need to stay ahead of threat actors. Regular application patching allows MSPs to proactively address known vulnerabilities, thereby significantly reducing the risk of a data breach.
To illustrate this point, let’s take a quick look at what happened when threat actors managed to breach MOVEit and LastPass.
In December 2022, LastPass, a popular password manager, issued a statement that an August breach, disclosed in November, was worse than the company had initially thought. The unknown threat actor had, according to the company’s investigation, used source code and technical information stolen from their development environment to target another employee. Wired quoted LastPass’s account of the sequence of events:
“This was accomplished by targeting [a] DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”
So, what made the employee such an apt target? As it turned out, the DevOps engineer had an unpatched version of Plex Media Server on his home computer. The patch, however, had been available to all since May of 2020.
A Plex spokesperson noted in PC Magazine, “Unfortunately, the LastPass employee never upgraded their software to activate the patch. For reference, the version that addressed this exploit was roughly 75 versions ago.”
When it comes to the MOVEit breach, the threat is still ongoing. Labeled a “slow-moving disaster” by Cybersecurity Dive, it has hit more than 300 organizations, including the world’s largest financial institutions, law firms, insurance providers, healthcare firms, education service providers, and government agencies. To date, the personally identifiable information (PII) of more than 18 million individuals has been exposed.
The damage began to unfold on May 28 when a customer noticed unusual activity in their MOVEit environment, a widely used file-transfer service that has been approved and accredited by multiple government agencies and highly regulated industries. Three days later, Progress disclosed a zero-day vulnerability in MOVEit and issued a patch for on-premises versions and patched cloud servers. As the first wave of victims like British Airways and Zellis, a payroll provider, began to come forward, Progress discovered more — yet to be exploited — vulnerabilities and released a patch that the company urged all customers to use.
Every day brought more dire news. On June 6, Clop, a ransomware group also known as TA505, took responsibility for the attack and set a deadline for victims. The following day, federal authorities cautioned, “Due to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”
Cybersecurity Dive summed up the situation in a detailed account of the fallout that also ensnared multiple downstream victims, “The attacks against MOVEit and its customers underscores the fact exploited vulnerabilities remain the No. 1 root cause of ransomware attacks.”
These attacks are far from the only reminder that patching is a critical component of any sound cybersecurity strategy. An internal investigation revealed that the National Health Service (NHS) could have prevented the crippling effect of the 2017 WannaCry ransomware attack with “basic IT security.”
WannaCry exploited a vulnerability in the Windows operating system to spread to computers around the world. Once infected, the ransomware would encrypt the victim's files and demand a ransom payment in Bitcoin in order to decrypt them.
The WannaCry attack was particularly destructive because it was able to spread so quickly. The ransomware used a technique called EternalBlue, which was a vulnerability in the Server Message Block (SMB) protocol. This vulnerability allowed the ransomware to spread from computer to computer without any user interaction.
If these incidents are largely preventable with timely application updates, what should such updates look like?
Patch management isn't just about updating applications. It requires a systematic approach that involves identifying, acquiring, installing, and verifying patches for your systems and software. To ensure a secure environment, MSPs should make the following steps a part of their patch management strategy:
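As an added example that is not part of the original post, the script below shows the identify-and-verify step in practice: it checks each installed version in a software inventory against the first version that fixed a known vulnerability, comparing version numbers numerically rather than as strings (a string comparison would rank "1.9" above "1.10"). The product names come from the post; the versions, host names and the FIXED_IN table are constructed placeholders, not real advisory data.

```python
"""Flag installed applications that are still below the version in which a
known vulnerability was fixed. All versions, hosts and the FIXED_IN table
are constructed placeholders for illustration, not real advisory values."""
import re


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '1.32.5.7349' (or 'v2.0') into a tuple of ints for ordering."""
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in parts)


def is_outdated(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the first patched version."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    # Pad the shorter tuple with zeros so that 1.2 compares equal to 1.2.0.
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


# Constructed "first fixed version" table, keyed by product name (placeholders).
FIXED_IN = {
    "Plex Media Server": "1.19.3",
    "MOVEit": "2023.0.1",
}

# Constructed inventory, in the shape a patch-management tool might export.
INVENTORY = [
    {"host": "devops-home-pc", "product": "Plex Media Server", "version": "1.18.8.2527"},
    {"host": "mft-01", "product": "MOVEit", "version": "2023.0.1"},
    {"host": "mft-02", "product": "MOVEit", "version": "2022.1.9"},
    {"host": "media-02", "product": "Plex Media Server", "version": "1.19.10"},
]


def find_unpatched(inventory, fixed_in=FIXED_IN):
    """Return (host, product, installed, fixed_in) for every outdated install."""
    findings = []
    for item in inventory:
        target = fixed_in.get(item["product"])
        if target and is_outdated(item["version"], target):
            findings.append((item["host"], item["product"], item["version"], target))
    return findings


if __name__ == "__main__":
    for host, product, ver, fix in find_unpatched(INVENTORY):
        print(f"{host}: {product} {ver} is below fixed version {fix}")
```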
In sum, staying on top of application updates is more than a best practice—it's a fundamental part of a robust cybersecurity strategy. By learning from past breaches and understanding the importance of regular application updating, you can take the right steps to minimize risk. Amid escalating cyber threats, only a proactive approach to cybersecurity will fortify your own and your customers’ digital fort.
The ConnectSecure cybersecurity platform features everything you need to gain a 360-degree view of network vulnerabilities and also provides the tools to remediate them. Sign up for a free 14-day trial today.