Source: ITCPEacademy.org

Numerous global businesses may have experienced the repercussions of the MoveIt breach, a cyber attack on a third-party data-transfer provider. This breach has potentially exposed the private and sensitive information of millions of individuals, particularly in the United States. It is important for both businesses and individuals to understand the details of the hack and take appropriate measures in response.

An Overview of the MoveIt Hack
MoveIt is a tool developed by Progress Software, facilitating the transfer of large data volumes over the Internet for businesses. Typically, data is sent from one user's account to a web server and then downloaded to another user's account to complete the transfer.

A hacker group known as Cl0p, based in Russia, claims to have exploited a vulnerability in MoveIt to gain unauthorized access to the servers storing the data. They have exfiltrated millions of records from various organizations, including banks, broadcasters, the U.S. Department of Energy, and the Oregon DMV. The Oregon DMV alone reported approximately 3.5 million exposed records.

Cl0p has been compiling a growing list of potential targets on the Dark Web and is threatening to publish the stolen data or sell it unless the affected organizations pay a ransom.

Understanding the Nature of the Attack
It is crucial to differentiate what this attack is and what it is not. Although some media outlets have referred to it as a ransomware attack, it does not follow the traditional ransomware model where hackers lock an organization's systems and demand payment for their release. Instead, Cl0p is holding the stolen data hostage and threatening to publish or sell it if the affected organizations refuse to pay. The MoveIt attack solely targeted MoveIt servers, and the hackers did not gain direct access to other online systems belonging to their victims. However, the stolen data could potentially contain information that criminals might exploit in the future, such as carrying out phishing or pretexting attacks, accessing login credentials, or engaging in identity theft.

The specific nature of the stolen data will vary across organizations. Some may have compromised employee information, while others may have had individual customer records, potentially including Social Security numbers, stolen. The extent of the loss depends on the data sent via MoveIt and what Cl0p was able to access. During a press conference on June 15, Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, stated, "As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred."

There is a possibility that Cl0p is exaggerating the extent of the data they possess. Users who transferred data via MoveIt should still have their original copies intact since Cl0p only managed to steal the copies present on MoveIt servers.

Recommended Actions for Businesses in Response to the MoveIt Attack
If your organization utilizes MoveIt, it is crucial to immediately patch the software. Ensure that you download the software exclusively from the official Progress Software website. Stay vigilant for any updates on vulnerabilities and patches provided by Progress Software. Failure to patch the software leaves it vulnerable to exploitation using the methods employed by Cl0p.

Evaluate the potential damage resulting from the MoveIt breach. Although the precise start date of the hack is unknown, it is believed to have initiated in late winter or early spring of 2023. Review all records of MoveIt transfers conducted since January 1, 2023, along with the associated data that was transferred. Assume that this data has been stolen and could be sold or published on the Dark Web. Refrain from assuming that paying a ransom will ensure the safety of your data, as criminals may still sell it even after receiving payment. It is crucial to assume that any sensitive information transmitted via MoveIt after January 1 has been compromised.

Change all login credentials. Update the logins for all accounts. This is an opportune time to consider implementing two-factor authentication or using a password manager if these measures are not already in place.

Notify potentially affected clients or customers. Failing to disclose knowledge of a data breach can result in legal action, government penalties, and potential sanctions against the organization or its senior leaders. In cases where there is any uncertainty regarding data theft, it is better to assume the data were stolen and inform all potentially impacted individuals. It is preferable to err on the side of caution in such situations rather than risk neglecting to notify the victims.

Discuss the risks of phishing and pretexting with employees and reinforce security protocols. The stolen data from this breach may include both business and personal emails of employees, making them susceptible to pretexting attacks for up to 12 months following the breach. Conduct cybersecurity training for employees to help them identify and respond appropriately to risks. During times of heightened threat, organizations must communicate additional warnings to promote extra vigilance. Explain to employees the details of the breach, how the stolen data can be used for fraudulent activities or theft, and how they should respond if they receive any suspicious or unexpected requests from colleagues or organizational leaders.

Enhance monitoring efforts. IT and Accounting personnel should remain vigilant for any new or unusual activities. Pay close attention to an increase in login attempts, new remote login attempts, or small transactions appearing in bank accounts or on debit/credit cards. These could be indicators of criminals attempting to validate stolen credentials in preparation for a more significant attack.

Recommended Actions for Individuals in Response to the MoveIt Hack
Assume that your personal data has been compromised. The MoveIt breach is just one of many ongoing breaches affecting data security. It is advisable for most individuals to assume that their personal information, including passwords, phone numbers, email addresses, and physical addresses, has been stolen and is accessible on the Dark Web. Taking an active and proactive approach to online security is crucial if you believe your personal information has been compromised.

Consider freezing your credit. Unless you plan to apply for credit cards, mortgages, or loans, freezing your credit is one of the most effective measures to prevent identity theft. To implement this, you will need to contact each of the three credit-reporting agencies. If you decide to apply for a loan in the future, you can unfreeze your credit accordingly.

Utilize two-factor authentication for all sensitive logins. Whenever possible, enable two-factor authentication and ensure that authentication codes are sent to your smartphone instead of an email address that could be compromised. If the websites you frequently use do not offer two-factor authentication, consider using a password manager to enhance security. The advantage of two-factor authentication is that even if criminals acquire your password, they will be unable to access your accounts without the accompanying authentication code.

Monitor your financial statements closely. Be vigilant in reviewing your financial statements, specifically looking for minimal charges ranging from a penny to slightly over a dollar from unfamiliar sources. Also, be cautious of small charges that are quickly refunded to your account. Criminals employ these small charges to verify stolen credit or debit cards before launching significant attacks. While some legitimate businesses may employ a similar approach when requiring access to your bank account, it is always wise to contact your bank to confirm any suspicious transactions.

Exercise caution with emails related to the MoveIt hack. Following any high-profile data breach, a subsequent wave of phishing attacks commonly emerges, capitalizing on the incident. You may receive official-looking emails from banks or service providers notifying you of the breach and requesting that you log in to verify your account or update your information. Never click on links in emails or text messages, even if they appear legitimate. Instead, manually open a web browser and visit the verified website of the respective business to log in and verify any potential issues.

Expect an increase in phishing and spam attacks. Major data breaches typically lead to a surge in phishing and spam attacks as recently stolen email addresses and phone numbers are added to criminals' databases. Exercise caution, particularly with attacks that mimic popular shopping sites or delivery services such as Amazon, eBay, or UPS. Apply the same rule as mentioned earlier for emails and texts regarding the MoveIt attack: avoid clicking on links and directly log in to relevant websites to verify any potential issues. Block any spam messages received and block numbers associated with spam or phishing texts.

Maintain heightened vigilance even after a significant data breach. It can be challenging to sustain a high level of awareness and caution in the aftermath of a breach. Many individuals and organizations are alert for a brief period, only to return to a sense of normalcy if no immediate attacks occur. Although there are no fixed timeframes between data theft and subsequent criminal activities, it is important to note that stolen data can circulate online for up to two years. Data of high value, such as login credentials, may be utilized by criminals within hours to compromise additional systems.

In conclusion, it is crucial for both businesses and individuals to take immediate action in response to the MoveIt hack. By implementing the recommended measures, organizations can mitigate the potential risks and individuals can better protect their personal information and online security.