MOVEit Exploit, Ransomware and Data Exfiltration Hits Gen Digital (Avast, Avira, AVG, Norton, LifeLock)

Date: June 20, 2023


The Cl0p ransomware gang continues to exploit a known vulnerability (CVE-2023-34362) in the MOVEit managed file transfer software to compromise high value targets in rapid succession, now claiming an attack on security provider Gen Digital.

More than 100 organizations have fallen prey to the attacks, including the U.S. Department of Energy, Ernst & Young, Oregon’s Department of Transportation, the government of Nova Scotia, British Airways, the BBC, Aer Lingus, the Illinois Department of Innovation & Technology, and the Minnesota Department of Education (MDE).

Gen Digital is the parent company of several well-known security brands like Avast, Avira, AVG, Norton, and LifeLock.

“We use MOVEit for file transfers and have remediated all of the known vulnerabilities in the system. When we learned of this matter, we acted immediately to protect our environment and investigate the potential impact. We have confirmed that there was no impact to our core IT systems and our services and that no customer or partner data has been exposed,” Security Week reports a Gen Digital spokesperson as stating.

“Unfortunately, some personal information of Gen employees and contingent workers was impacted which included information like name, company email address, employee ID number, and in some limited cases home address and date of birth. We immediately investigated the scope of the issue and have notified the relevant data protection regulators and our employees whose data may have been impacted.”

Takeaway: So, if government agencies in charge of nuclear facilities like the DoE and well-monied law firms like EY who sit on the Ransomware Task Force shaping our nation's response to this epidemic of extortion attacks can’t keep themselves from being victims, who can?

A hospital? A school district? A local PUD co-op? Forget about it.

Unfortunately, the answer is no one can. No one is immune from the possibility that one vulnerability in one piece of software can expose the organization to a disruptive and potentially devastating ransomware attack.  

And even if the organization is prepared for the worst-case scenario and is able to weather a ransomware attack, as you might expect a critical government agency or provider of security software and services to be, it may still have to contend with being extorted over sensitive data that was exfiltrated.

It’s not all doom and gloom, though. Despite the fact that ransomware attacks are still making headlines daily, we have made a lot of progress in defending against them. The problem is that the attackers have a head start and are innovating as fast as, or faster than, we can come up with solutions to defeat them.

It’s time we face some hard truths about the ransomware problem, namely that it is going to get worse before it can get better:

  • We can’t “stop ransomware attacks” – despite what your friendly vendor may say. Attackers are going to attack as long as there is a financial incentive to do so.
  • We can’t prevent every vulnerability, or every exploitation of a vulnerability during an attack. Bugs are a part of the software lifecycle, and while we can certainly do a lot to reduce the number of vulnerabilities that make it to market, we can’t expect to prevent all of them.
  • We can’t expect frameworks and compliance checklists to keep our organizations secure. While they are a good starting point, we can see that even organizations with mature security operations can fall victim to a ransomware attack.

So, what can we do to reduce the risk that a ransomware attack will inflict irreparable damage to an organization? We can acknowledge the almost inevitable fact that we will be attacked and then focus on building resilience to reduce the potential impact of an attack.

A strong prevention and resilience strategy to defend against ransomware attacks includes:

  • Endpoint Protection (EPP): Deploy an anti-ransomware solution alongside existing Endpoint Protection Platforms (EPP/EDR/XDR) to bridge the gaps in ransomware-specific coverage
  • Patch Management: Keep all software and operating systems up to date and patched
  • Data Backups: Assure critical data is backed up offsite and protected from corruption in the case of a ransomware attack, and don’t store sensitive data unless it’s necessary
  • Access Control: Implement network segmentation and policies of least privilege (Zero Trust)
  • Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
  • Resilience Testing: Regularly test solutions against simulated ransomware attacks to assure effective detection, prevention, response, and full recovery of targeted systems
  • Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times

The detection/prevention side of the ransomware attack equation is important, but organizations also have to be prepared for failure by assuring they can quickly and decisively respond to a successful ransomware attack so that any potential disruption to operations is kept to a minimum.

We will never be able to stop ransomware attacks, but we can stop them from taking an entire organization’s operations down by arresting the attack at ingress or lateral movement, by preventing data exfiltration, by blocking execution of the ransomware payload, and by rapidly recovering systems and minimizing downtime.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.