Why aren’t people patching the MOVEit bug?

Know anything about CL0P,  the ransomware gang connected to an attack on the popular MOVEit Transfer file-transfer platform?

First things first: If you do, it could net you up to $10 million!!!!!! 

(As could information leading to any other “malicious cyber actors targeting U.S. critical infrastructure to a foreign government,” for that matter, U.S. feds said in a Tweet after the gang punched holes in networks worldwide.)

$10 million aside, got any good tips for how to convince people to upgrade so their organizations don’t wind up on CL0P’s dark-web leak site?

Asking for a friend: specifically, Contrast Security CISO David Lindner, who, as of the publishing of his June 9 CISO Insights column, advised/pleaded/exhorted/begged all organizations to patch:

"MOVEIt file transfer suite is actively being exploited for SQL Injection (which can be elevated to remote code execution),” Lindner wrote. “Patch your MOVEIt now!"

As TechCrunch reported, the list of leaked victim names included a number of  U.S.-based financial services organizations and universities. As well, organizations including the BBC, Aer Lingus and British Airways have disclosed that their networks were also compromised, due to the fact that they rely on HR and payroll software supplier Zellis … which, likewise, relied on a vulnerable MOVEit system that was compromised.

Earlier this month, on July 2, Progress Software revealed that it had found yet another — the second — new critical SQL injection vulnerability affecting MOVEit since the initial discovery of a zero-day bug in its Transfer application.

As it does, the Cybersecurity and Infrastructure Security Agency (CISA) put out an advisory about one of the related vulnerabilities, along with mitigation steps, including, of course, a recommendation to regularly patch and update software. … As did Progress Software, the developer behind MOVEit, and, of course, Contrast’s  CISO. 

Lindner didn’t ask people to patch “for the love of all that’s holy,” but let’s just assume that any CISO who finds it incumbent to urge people to patch a known vulnerability that’s being actively exploited is, pretty much, pulling their hair out at this point. Because yes, weeks after the vulnerability was publicized, people still haven’t patched. 

The ransomware attacks are a big deal, Lindner says. He gets that. Hopefully every CISO in every organization gets that, but who’s to say? It’s a big deal, but “So is every other Common Vulnerability and Exposure [CVE] that's being exploited right now,” Lindner admits.

It’s a CISO’s job to tell people that they need to do the things they need to do, right? So … how does a CISO actually get that message across? “I don't know how we emphasize it anymore that organizations just need to upgrade,” he sighs. “Just move it. They need to patch it. They need to do the things that they're supposed to do to reduce the risk to their organizations, but they're not doing it for a number of reasons.”

Why aren’t you doing what you’re supposed to be doing?

Do organizations simply not know that they’re vulnerable? Could be, the CISO grants. “It surprisingly happens: They could get every email or notification in the world,” he suggests. “But if they don't have a security team, or they're not monitoring CISA — and yes, some don't. They don't read our news articles, maybe? I mean, who knows? Maybe they're just focused on their jobs?”

What’s particularly mystifying is that there are, in fact, scads of tools that allow you to scan for ports, specific software/services, and even hardware, all of it flopping around, wide open, directly accessible from the internet. Here are a few Lindner mentioned:

Shodan 

A search engine that lets you keep track of all your devices that are directly accessible from the internet, with a comprehensive view of all exposed services in nearly all device types, including business networks, surveillance cameras, industrial control systems (ICS) and smart homes.

MASSCAN

A TCP port scanner available on GitHub that spews SYN packets asynchronously, scanning the entire internet in less than 5 minutes.

“There are plenty of different tools that will tell you where these things are open on the Internet, and then very quickly, very easily exploit them,” Lindner points out, because that’s exactly what malicious actors do. 

Really, why wouldn’t you scan? As it is, research shows that 30% of all internet traffic is from bad bots, and that percentage keeps growing year over year. 

“So yes, people are probably scanning for these [vulnerabilities],” Lindner surmises. “Are they attacking them? Probably not. But now they know they're there, and then they can weaponize it. And that's what [bad actors such as CL0P are] doing. and it's not going to stop, because organizations won’t patch. And they need to.”

It’s cheaper this way

This is nothing new. As of September 2022, nearly a year after the Log4j vulnerability was discovered, North Korea’s Lazarus hackers were exploiting the Log4j flaw to hack U.S. energy companies. Unfortunately, the sad truth of the matter is that “It’s cheaper to write insecure code and just pay for whatever the consequences are,” Lindner says, “Because it's more expensive to write secure code.” He points to a hypothesis from the information security sage Daniel Miessler that, basically, this will never change. 

Will the government save us from this, with its new cybersecurity regulations, such as Software Bills of Materials (SBOMs), or the move to require organizations to provide attestations that they’re following secure coding practices if they want to sell to the government?

Can the feds regulate away this indifference to patching and serious vulnerabilities? 

Lindner has his fingers crossed. “I'm 100% on board with [such regulations],” he says. He’s not sure that government regulation will flip the switch on “How do we make it cheaper to write secure code?” but hey, there’s nothing quite like staring at regulatory and compliance requirements to get your creative juices flowing. … and, need we mention, it wouldn’t hurt to look at instrumenting security to protect against things like the SQL injection vulnerability involved in the MOVEit incident? 

Because yes, Contrast technology might have helped with MOVEit. Click here if you‘re up for a demo. And please, if you haven’t already, do patch the MOVEit vulnerabilities. Progress has, after all, issued service packs in order to make patching the bugs “predictable, simple and transparent.” 

Click here for more CISO Insights.

Read more:

• Dave Lindner’s June 9 plea to patch
• It’s SBOM time!
• What's an attestation, and what difference will it make?