Clop Ransomware Attack against MOVEit Reveals Supply Chain Vulnerabilities

3Q 2023 | IN-7023

Russian ransomware actor Clop engaged in a prolific global attack using a zero-day vulnerability in the MOVEit file transfer service, exposing the dangers of third-party software threats.


Russian Cyber Gangs Put Software Supply Chains to the Test


The MOVEit attack has impacted more than 100 high-profile organizations, including Siemens, Schneider Electric, Deutsche Bank, and TV channel Discovery. The notorious ransomware group Clop (also stylized as C10P) usually targets high-profile organizations and their software supply chain weaknesses. In its recent campaign, the group leveraged a vulnerability in the MOVEit Transfer file-sharing tool developed by Progress Software and deployed by large institutions, such as those in the healthcare industry, Information Technology (IT) businesses, finance, and the government sector. Clop was able to exploit a vulnerability that allowed the attackers to access MOVEit’s database without any authentication. Progress Software has since patched the hole, but not before Clop was able to access customer data, compromising sensitive personal information. Progress then released three service packs for product updates and security improvements, attempting to contain the breach.

ABI Research maintains the incident is yet another sign of increasingly damaging supply chain attacks. These software supply chain strikes are expected to grow due to their efficiency and success. Instead of targeting multiple organizations separately, malicious actors only need to access a single third-party application that is commonly deployed by enterprises. Applications that store or transfer data, and those on end-user devices that allow for updates, are of particular interest for malicious activity. Clop follows the same method each time: it attacks third-party components in vulnerable software supply chains, gains access to user information, and then demands ransoms to protect data privacy. If a compromised company does not pay up, Clop usually posts the name of the breached company and the victims’ personal information on its website.

Software Supply Chain Security in the Limelight


As supply chain attacks increase, more organizations will want to secure their applications by knowing the ingredients of their software supply chains. A host of new tools and services will contribute to the generation of Software Bills of Materials (SBOMs) and other audit and inventory tools that can help identify compromised entry points to software applications. This trend will be strengthened by emerging regulatory requirements, such as Executive Order (EO) 14028 in the United States, and SBOM requirements for government contractors and vendors selling software products to the U.S. defense sector. The same trend is seen in Europe, where software supply chain security is prioritized under Article 37 of the proposed (yet to be passed) European Cyber Resilience Act.

In the short term, the MOVEit vulnerability and similar supply chain attacks contribute to organizations maintaining or increasing cybersecurity spending. This spending includes acquiring prevention, detection, and mitigation capabilities backed by Artificial Intelligence (AI) technology that can better identify anomalies, recognize patterns, and strengthen access control measures through Machine Learning (ML) algorithms. Email analysis tools are another segment of a growing market for security providers, due to ransomware and phishing attacks via email. Companies will need to design custom sandboxes and analysis capabilities to block suspicious email, driving business opportunities for email security software providers. Conversely, such attacks could negatively impact those companies whose supply chains become infected, leading to reputational damage and legal action against them.

Software Supply Chain Management Is Imperative


Software supply chain management, including SBOM generation and related services, has become an integral component of supply chain security after EO 14028 in the United States mandated that software developers generate SBOMs when selling products to the government. Like the government, the private sector is increasingly realizing the importance of a comprehensive understanding of supply chain software inventories, meaning this is an area of cybersecurity that will present new opportunities to security providers. Supply chain security services are, therefore, not just a fleeting fad: they will remain a permanent component of any cyber strategy that addresses applications and device software that use open libraries and third-party code. The tendency of software developers to use third-party software components will preserve the trend of increasing application dependencies. This, in turn, will contribute to the growth and expansion of software supply chain security markets that could include secure code development, digital signature solutions, DevOps consulting, SBOM generation and analysis, managed security services focused on software supply chains, patch management solutions, and third-party security assessment services. With more government regulation of software supply chains on the horizon, especially related to government procurement processes, compliance and certification services that help software vendors maintain compliance with requirements will also expand.
