Why were thousands of organizations seemingly defenceless against the zero-day vulnerability in Progress Software’s MOVEit file transfer service, a hole that so far has seen the personal data of tens of millions of people copied by the Clop/Cl0p ransomware gang?
That question may be at least partly answered by an investigation announced today by Nova Scotia Information and Privacy Commissioner Tricia Ralph into the theft of data from the provincial healthcare sector.
The purpose of the investigation is to review the adequacy of the security practices and incident response of the province’s health department, and of IWK Health Centre, a major pediatric hospital and trauma centre in Halifax.
Nova Scotia and the hospital have to comply with regulations under the Privacy Review Officer Act, the Freedom of Information and Protection of Privacy Act and the Personal Health Information Act.
The province uses MOVEit for transferring payroll information. Data of at least 100,000 public servants and hospital staff was stolen, including Social Insurance numbers, addresses and banking information.
Ralph promised a “comprehensive investigation,” the results of which will be publicly released.
This may be the first publicly announced investigation by a privacy commissioner of a MOVEit hack in Canada or the U.S. In October, Progress Software said it is co-operating with several inquiries from U.S. and foreign data privacy regulators, as well as inquiries from several U.S. state attorneys general. The company said in a regulatory filing that the U.S. Securities and Exchange Commission has also started a fact-finding inquiry.
Security experts say a zero-day vulnerability in an application is hard to defend against because there are no known patches. However, that doesn’t necessarily mean protections such as firewalls, data encryption, network intrusion and detection, employee awareness training, and other tools can’t blunt an attack — for both the software companies that created the vulnerable applications as well as their customers.
According to an article in last month’s Cyber Defence Magazine by Jack Viljoen, head of Prodinity Cyber Solutions, the attacks were allegedly “driven by poor cyber security practices related to vendor access vetting and monitoring of company systems.” Weak password practices served as another entry point for attackers, he added.
The MOVEit Transfer vulnerability (CVE-2023-35708) is a SQL injection flaw. According to security firm Malwarebytes, it allows an attacker to drop a webshell in the wwwroot folder of the MOVEit install directory. From there the attacker can obtain a list of all folders, files, and users within MOVEit, download any file within MOVEit, and insert an administrative backdoor. This last step is crucial: it gives attackers an active session, bypassing credential checks.
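The two post-exploitation artefacts described above, a file dropped into the web root and an administrative account inserted into the user list, are both detectable by comparing the current state against a trusted baseline taken at install or patch time. The following is an added example written for this article, not code from Progress Software or Malwarebytes; the web-root paths, file contents and user rows are constructed, and the "admin" permission label is an assumption standing in for whatever the real product uses.

```python
"""Baseline-diff detector for a dropped webshell and an inserted admin user.
Constructed in-memory data replaces a real directory walk and user query."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "new_file", "modified_file" or "new_admin"
    detail: str  # the offending path or username


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map web-root-relative path -> SHA-256; take this from a known-good install."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_webroot(baseline: dict[str, str], current_files: dict[str, bytes]) -> list[Finding]:
    """Flag files that were not in the baseline or whose hash changed."""
    findings = []
    for path, digest in build_manifest(current_files).items():
        if path not in baseline:
            findings.append(Finding("new_file", path))
        elif baseline[path] != digest:
            findings.append(Finding("modified_file", path))
    return findings


def diff_admins(baseline_admins: set[str], current_users: list[tuple[str, str]]) -> list[Finding]:
    """Flag admin-level accounts (assumed label "admin") absent from the approved set."""
    return [Finding("new_admin", name) for name, perm in current_users
            if perm == "admin" and name not in baseline_admins]


def scan(baseline: dict[str, str], baseline_admins: set[str],
         current_files: dict[str, bytes], current_users: list[tuple[str, str]]) -> list[Finding]:
    return diff_webroot(baseline, current_files) + diff_admins(baseline_admins, current_users)


# Constructed sample: a clean baseline, then a snapshot with one dropped page and one inserted admin.
BASELINE_FILES = {"wwwroot/index.aspx": b"<%@ Page %> baseline", "wwwroot/bin/app.dll": b"MZ baseline"}
BASELINE_ADMINS = {"sysadmin"}
CURRENT_FILES = dict(BASELINE_FILES, **{"wwwroot/dropped.aspx": b"<%@ Page %> unexpected"})
CURRENT_USERS = [("sysadmin", "admin"), ("payroll_clerk", "user"), ("svc_backdoor", "admin")]

if __name__ == "__main__":
    for f in scan(build_manifest(BASELINE_FILES), BASELINE_ADMINS, CURRENT_FILES, CURRENT_USERS):
        print(f.kind, f.detail)
```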
File transfer servers can be a golden repository for data if it’s just sitting there before or after being copied. The Clop/Cl0p gang is known for having found vulnerabilities in other file transfer applications such as GoAnywhere MFT and Accellion File Transfer Appliance (FTA). While many of the MOVEit hacks occurred in the last days of May, investigators at Kroll LLC believe the gang was likely experimenting with ways to exploit this particular vulnerability as far back as 2021.
Researchers at Emsisoft have so far identified 2,662 organizations around the world whose data was stolen through MOVEit Transfer, involving the personal information of over 83 million people.