
MOVEit Data Breach: The Expanding Aftermath

In recent months, the financial services industry has been rocked by a series of high-profile data breaches that exposed millions of customers’ personal information and led to legal actions against major institutions. This latest wave of cyberattacks highlights the evolving threat landscape and the need for organizations to safeguard their data and harden their assets. This Security Advisory covers the ongoing fallout from the MOVEit breach, which nGuard first reported in July.

Impact of the Breach
In May, the MOVEit attack campaign led by Cl0p began disclosing sensitive data from more than 600 organizations worldwide, including financial firms, universities, the U.S. federal government, and public retirement systems. To date, the breaches have affected approximately 50 million customers whose Social Security numbers, financial account information, and other sensitive data were stolen by the attackers. Since then, several CVEs have been disclosed for MOVEit, accompanied by multiple remediation updates to help clients harden their file transfer environments. The long-term effects of this incident are still unknown, but with the number of exposed customers and lawsuits continuing to rise, the total cost is currently estimated at nearly $10 billion USD.

Response from Affected Institutions
At the time of the hacking campaign, nearly 31% of the hosts running at-risk MOVEit servers were tied to financial organizations. Several of these institutions, including Charles Schwab, TD Ameritrade, Genworth Financial, Prudential, and TIAA, have faced lawsuits in the wake of these data breaches. The lawsuits allege negligence, unjust enrichment, and breach of implied contract on the part of these institutions.

Most of the financial institutions have responded by emphasizing their commitment to protecting their clients and by conducting thorough investigations into the incidents. In response to a class action lawsuit, Prudential has offered free credit monitoring in an attempt to help customers feel protected against future threats.

TIAA, which partnered with vendor Pension Benefit Information (PBI) Research Services for data transfer, is facing allegations of failing to secure the personally identifiable information (PII) of teachers, staff, and students. The lawsuit highlights vulnerabilities in the MOVEit software and criticizes the delayed disclosure of the breach. PBI, despite offering identity theft protection, also faced severe criticism for its handling of the situation.

Protecting Infrastructure and Customers
The significance of widespread attacks like the MOVEit breach cannot be overstated. They serve as a wake-up call for all industries and individuals to take a multifaceted approach to strengthening their cybersecurity posture. nGuard has over 20 years of experience helping high-target organizations in the Finance, Healthcare, and Transportation industries and recommends the following proactive security practices:

  1. Comprehensive Security Audits: Conduct regular security audits to identify vulnerabilities in software and data transfer systems. These audits should include assessments of cloud infrastructure and third-party vendors’ security practices.
  2. Penetration Testing: Assess the effectiveness of security controls by identifying exploitable vulnerabilities and validating that current patches and remediations actually hold, then use the findings to inform detailed defense strategies.
  3. Data Encryption: Ensure that sensitive data is encrypted both in transit and at rest. Strong encryption protocols should be in place to protect customer information from unauthorized access.
  4. Incident Response: Develop and test robust incident response plans to ensure swift and effective actions in the event of a breach. This includes timely and transparent communication with affected parties and adherence to specific requirements and security standards. Additionally, having an Incident Response vendor on retainer ensures faster response times, tailored to the distinct operations and needs of your organization.
  5. Employee Training: Continuously educate employees about cybersecurity risks and best practices through Security Awareness Training. Equip your team with clear policies and skills to recognize, report, and respond to red flags through Tabletop Exercises or social engineering engagements.
  6. Log Collection and Correlation: Maintain detailed logs and analyze them to proactively detect suspicious activity in your environment. Centralized collection and correlation of event data across systems strengthens your security posture by surfacing patterns no single log shows and alerting on suspicious activity.
  7. Vulnerability Management: Secure your environment by proactively managing risks and promoting continuous improvement in processes and practices with nGuard’s Vulnerability Management. Whether your focus is on remediation validation, PCI compliance, or possible exploits, rest assured that nGuard’s Vulnerability Management services are ahead of the curve.
  8. Framework Alignment: Establish a systematic procedure for assessing service providers responsible for safeguarding sensitive data or managing your organization’s vital IT platforms and processes. This exercise aims to verify that these providers are effectively securing both the platforms and the data they handle. Strategic Security Assessments guide teams in designing the definitive policies and procedures around clear frameworks for cybersecurity compliance and best practice.

 
The MOVEit compromise highlights the critical need for assertive cybersecurity measures. To ensure a strong posture, it is essential to take proactive action to secure systems, conduct comprehensive audits, and prioritize the protection of customer data. By implementing robust cybersecurity practices, institutions can not only protect their clients but also safeguard their reputation and financial stability.


TWiC: China Cyberattacks, ManageEngine Exploits, FBI Urges Barracuda Appliance Removal, Cyber Insurance

In this edition of This Week in Cybersecurity, we bring you a comprehensive overview of the latest developments and pressing concerns within cybersecurity. As threats continue to evolve, it is crucial to stay informed and prepared. Join us as we explore four pivotal topics that demand attention and action.

Hackers Exploit Barracuda Email Security Appliances: FBI Urges Immediate Removal

The FBI has issued a compelling alert urging the swift removal of compromised email security appliances manufactured by Barracuda Networks. This comes after Barracuda issued the same advice back in May, which was detailed in another nGuard Security Advisory. Despite patches designed to fix the exploited zero-day vulnerability (CVE-2023-2868), the FBI asserts that these patches have proven ineffective against suspected Chinese hackers. Organizations are strongly advised to remove all Barracuda Email Security Gateway (ESG) appliances promptly. This warning underscores the importance of vigilance and the evolving nature of cyber threats. To protect your organization from these attacks and stay informed of these new vulnerabilities as they are discovered, nGuard offers Vulnerability Scanning and Penetration Testing, along with Security Device Configuration Audit services that can help identify vulnerabilities, assess risks, and fortify your infrastructure against potential attacks.

Growing Concerns of Destructive Cyberattacks by China

Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the nation’s top cyber official, has sounded an alarm about the potential for China to launch destructive cyberattacks on critical U.S. infrastructure in the event of escalated tensions. China’s hackers are reportedly positioning themselves for such actions, which would represent a significant departure from their historical cyber espionage activities. nGuard has a wide range of experience helping organizations secure their critical infrastructure across Energy and Utilities, Manufacturing, Healthcare, and Government.

Cyber Insurance and the Nexus of Coverage and Protection

As cybersecurity evolves, the relationship between the cybersecurity and insurance industries becomes increasingly intricate. Experts in the field gathered at the Def Con hacker conference to discuss the need for cyber insurance, how it is assessed, and how it aligns with cybersecurity measures. Back in February, nGuard wrote about five new requirements that insurance companies impose before issuing policies; Security Awareness Training and Testing, Vulnerability Management, and 24/7/365 Monitoring were among them. While cyber insurance offers financial protection, calculating premiums and assessing risk remain challenges that require attention. Cyber insurance is emphasized as a motivator for enhancing cybersecurity programs, with a call to move quickly in preparing for potential cyberattacks.

Lazarus Hackers Exploit ManageEngine Vulnerability: New Threats Emerge

The North Korean state-backed Lazarus hacker group has capitalized on a critical ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to compromise an internet backbone infrastructure provider and healthcare organizations. In early 2023, Lazarus exploited the flaw in multiple Zoho ManageEngine products to infiltrate a U.K. internet backbone provider, deploying the “QuiteRAT” malware and unveiling the newly discovered “CollectionRAT” remote access trojan (RAT). QuiteRAT, a potent malware discovered in February 2023, showcases enhanced capabilities compared to its predecessor, MagicRAT. CollectionRAT, linked to the “EarlyRAT” family and the Andariel subgroup, boasts sophisticated features, including on-the-fly code decryption using the Microsoft Foundation Class framework. Lazarus’ evolving tactics, employing open-source tools and frameworks, pose challenges for attribution and defense strategies. To safeguard against emerging threats, nGuard offers comprehensive Penetration Testing and Vulnerability Management services to assess vulnerabilities, enhance security, and mitigate risks.

The evolving nature of cyber threats demands proactive measures and strategic partnerships. As the topics above show, cybersecurity is ever-changing, and staying informed, staying prepared, and collaborating with experts is critical. At nGuard, we offer a suite of solutions designed to help organizations navigate this complex landscape. From incident response and vulnerability management to proactive security assessments, we are ready to enhance your security posture. The key to cybersecurity success lies in constant adaptation and continuous improvement.


Cybersecurity in Healthcare: A Growing Concern

The healthcare industry, with its vast repositories of sensitive patient data, has always been an attractive target for cybercriminals. Recent incidents have underscored the urgent need for robust cybersecurity measures in this sector.

Rhysida Ransomware’s Impact on Healthcare
The Rhysida ransomware operation has been particularly aggressive in its targeting of healthcare organizations. The U.S. Department of Health and Human Services (HHS) and various cybersecurity firms have released detailed reports on Rhysida’s modus operandi. This group’s audacity is evident in its willingness to compromise critical healthcare infrastructure, jeopardizing patient data and potentially delaying essential medical services. Such attacks not only disrupt operations but can also erode trust between patients and healthcare providers.

Missouri’s Medicaid Data Breach
Missouri’s recent data breach serves as a stark reminder of the vulnerabilities inherent in the healthcare sector. The breach, a result of an attack on IBM’s MOVEit system by the notorious Clop ransomware gang, exposed protected Medicaid healthcare information. This breach affected a vast number of individuals, with data ranging from personal identification details to medical histories. Such incidents underscore the importance of securing third-party systems and ensuring that vendors adhere to stringent cybersecurity standards.

Nationwide Cyberattack
A recent cyberattack had a cascading effect on hospitals and clinics across several states. The attack, targeting facilities run by Prospect Medical Holdings, disrupted computer systems, leading to the temporary shutdown of emergency rooms and the diversion of ambulances. Such widespread attacks can have dire consequences, especially in life-threatening situations where every second counts. The incident also highlights the interconnected nature of healthcare systems and the need for a unified response to cyber threats.

nGuard: Your Partner in Cybersecurity
In the face of these escalating threats, organizations must be proactive in their approach to cybersecurity. nGuard is here to assist:

  • HIPAA Strategic Security Assessments: Our in-depth assessments pinpoint gaps in HIPAA compliance, ensuring that your organization remains aligned with regulations.
  • Penetration Testing: With a suite of testing options, we identify potential vulnerabilities, enabling you to fortify your defenses against cyber threats.
  • Vulnerability Management: Our regular scans ensure that your systems remain impervious to the ever-evolving landscape of cyber threats.
  • Incident Response: Should the worst happen, our rapid response team is on hand to mitigate damage and guide your organization back to normalcy.

In an era where data breaches can have tangible real-world consequences, partnering with nGuard ensures that your organization remains both secure and compliant.


SEC Implements New Rules for Cybersecurity Incident Disclosure: A Call for Strengthened Preventative Measures

The U.S. Securities and Exchange Commission (SEC) has taken a step toward increasing transparency and investor protection by announcing new rules that require public companies to disclose cybersecurity incidents within 4 days. The regulations aim to address the rising threat landscape, including the increase in cyberattacks and data breaches resulting from the digitalization of operations. This security advisory explores the background of the new rules, what they entail, and how organizations can prepare for compliance while bolstering their cybersecurity defenses through preventative measures.

The new SEC cybersecurity incident disclosure rules come at a critical time when the impact of cyberattacks is becoming increasingly evident. One of the notable cases that underscored the severity of such incidents is the MOVEit breaches. The breaches, perpetrated by Russian cybercriminals, targeted a widely used file transfer program, impacting hundreds of organizations, including major government agencies, universities, and prominent corporations.


Background of the New SEC Cyber Disclosure Rules:

In March 2022, the SEC proposed new rules to standardize and enhance disclosures regarding cybersecurity risk management, strategy, governance, and material cybersecurity incidents for publicly traded companies. Cybersecurity threats have become an escalating risk for businesses, investors, and market participants due to the rapid evolution of technology and the monetization of cyber incidents by criminals. The new rules aim to provide consistent, comparable, and decision-useful disclosures to enable investors to assess the potential impact of cybersecurity risks on companies.

Requirements of the New Rules:

The newly adopted rules introduce a new Form 8-K Item 1.05, obliging companies to disclose any cybersecurity incident deemed “material” to shareholders. The disclosure must describe the nature, scope, and timing of the incident, along with its material impact, or reasonably likely material impact, on the company’s financial condition and results of operations. Note that the four-day disclosure window starts only once the company has determined that the incident is material.

Additionally, companies will be required to comply with a new Regulation S-K Item 106, which necessitates the description of their processes for assessing, identifying, and managing material risks from cybersecurity threats. The rule also mandates the disclosure of the board of directors’ oversight of cybersecurity risks and management’s role and expertise in handling such threats.

Timelines and Important Dates:

The final rules take effect 30 days after their publication in the Federal Register. Starting December 15, 2023, all registrants must include the specified disclosures in their annual reports for fiscal years ending on or after that date. For the incident disclosure requirements in Form 8-K Item 1.05 and Form 6-K, all registrants other than smaller reporting companies must comply 90 days after the Federal Register publication date or by December 18, 2023, whichever is later. Smaller reporting companies have an additional 180 days: their compliance begins 270 days from the effective date of the rules, or June 15, 2024. For structured data requirements, all registrants must tag the required disclosures in Inline XBRL starting one year after they first comply with the related disclosure requirement.

Preparation for Compliance and Preventative Measures:

Preparing for compliance with the new SEC rules will be a challenge for organizations, but there are essential steps that can be taken to prepare for the new requirements and reduce the risk of a breach:

  • Establish a Methodology for Determining Materiality: Organizations need to develop a robust methodology for assessing and determining the materiality of cybersecurity incidents. This methodology should consider the potential impact on the company’s operations, financial condition, and investor decisions.
  • Implement a process and template for creating 8-Ks: Include templates for various types of breaches and attacks to ensure your organization meets the deadline to report them.
  • Employ Managed SIEM for Logging and Alerting: A Managed Security Information and Event Management (SIEM) solution can help organizations monitor and analyze security events, enabling faster detection and response to potential threats.
  • Implement Multi-Factor Authentication (MFA) and Strong Password Policies: Enforcing MFA and strong password policies adds an extra layer of security to protect against unauthorized access to sensitive data and systems.
  • Implement Incident Response Plans: Having a well-documented and tested incident response plan is crucial to responding promptly and effectively to cyber incidents. This plan should outline the necessary steps to investigate, contain, and mitigate the effects of a breach.
  • Conduct Annual Internal and External Penetration Testing: Regular penetration testing helps identify vulnerabilities in the company’s systems and applications, allowing for proactive remediation before attackers can exploit them.
  • Conduct Ongoing Vulnerability Scanning: Continuous vulnerability scanning is essential to detect and address potential weaknesses in real-time, reducing the risk of successful attacks.

The SEC’s new cybersecurity incident disclosure rules represent a critical step in promoting transparency and accountability among publicly traded companies. By complying with these rules, organizations can better inform investors about the material impact of cybersecurity risks and incidents, thereby enhancing investor confidence. To prepare for compliance and mitigate cyber risks, companies should focus on establishing methodologies for determining materiality, implementing robust incident response plans, and conducting regular penetration testing and vulnerability scanning. Employing managed SIEM services can further bolster their cyber defenses and ensure timely detection of potential threats. Ultimately, the combination of compliance and preventative measures will help fortify businesses against the ever-evolving cyber threat landscape.


In the Crosshairs: Unraveling Microsoft’s Cybersecurity Saga

In recent weeks, Microsoft has been at the center of numerous cybersecurity incidents, highlighting the ongoing challenges faced by tech giants in maintaining the security of their systems. This article provides a summary of these events, drawing on information from various sources.

Chinese APT Targets Microsoft Outlook
A Chinese Advanced Persistent Threat (APT) group known as Storm-0558 reportedly breached the Microsoft Outlook email accounts of more than two dozen organizations worldwide, including U.S. and Western European government agencies. The group exploited a token validation issue to impersonate Azure AD users and gain access to enterprise mail. The intrusion was discovered and reported to Microsoft by U.S. government officials last month, and the company has since mitigated the attack. Such incidents underscore the importance of comprehensive security assessments that proactively address key disciplines, helping organizations identify and mitigate potential vulnerabilities.

Microsoft Teams Exploited to Deliver Malware
In another incident, Microsoft Teams was exploited to deliver malware. The exploit, known as “AutoDeliver,” was used to deliver a remote access trojan (RAT) to victims. The RAT was then used to steal sensitive information from the infected systems. The exploit took advantage of the fact that Microsoft Teams allows for the automatic downloading and execution of arbitrary files shared in a chat. This incident underscores the need for an effective Cyber Security Incident Response strategy to respond to cybersecurity incidents swiftly and efficiently.

Moreover, this case highlights the potential risks associated with social engineering, where users could be tricked into sharing or opening malicious files. It also underscores the value of Red Team Testing, a strategy that uses simulated attacks to identify vulnerabilities. Finally, this incident emphasizes the importance of conducting a thorough Cloud Configuration Security Audit for MS Teams and other Microsoft cloud services. This type of audit can help identify and rectify potential security misconfigurations, further strengthening defenses against similar exploits.

Zero-Day Vulnerabilities Disclosed in July Security Update
Microsoft’s July security update was a significant one, with the company disclosing several zero-day vulnerabilities. These vulnerabilities, if exploited, could allow an attacker to execute arbitrary code, gain elevated privileges, or cause a denial of service. Microsoft has released patches for these vulnerabilities, and users are advised to update their systems as soon as possible. Such vulnerabilities highlight the importance of regular penetration testing to identify potential security gaps and take proactive measures to secure systems.

MS Office Zero-Day Vulnerability
A zero-day vulnerability in Microsoft Office was also disclosed. The vulnerability, tracked as CVE-2023-36884, could allow an attacker to execute arbitrary code on a victim’s system if they open a specially crafted Office document. Microsoft has released a patch for this vulnerability.

Chinese Hackers Breach US Government Email Through Microsoft Cloud
Chinese cyberspies exploited a fundamental gap in Microsoft’s cloud, leading to a targeted hack of unclassified U.S. email accounts. The hackers had access to the email accounts for about a month before the issue was discovered and access cut off. The Microsoft vulnerability was discovered last month by the State Department. This incident highlights the need for robust cloud security measures to secure cloud-based infrastructure to protect against such breaches.

These incidents underscore the importance of maintaining strong cybersecurity practices and keeping software up to date. Microsoft has taken steps to mitigate these issues and continues to work on improving the security of its products. However, these incidents serve as a reminder that even the most robust systems can be vulnerable to attack. As such, organizations and individuals alike must remain vigilant and proactive in their cybersecurity efforts.


Massive Data Breach Exposes Millions As MOVEit Vulnerability Exploited

In recent weeks, a major data breach caused by the exploitation of a vulnerability in MOVEit, the popular file transfer tool by Progress Software, has compromised sensitive personal information belonging to millions of individuals and a growing number of companies, universities, and government entities and agencies. This alarming breach has affected numerous organizations across various sectors, highlighting the urgent need for enhanced cybersecurity measures. In this Security Advisory, nGuard provides an overview of MOVEit, identifies who is behind the attack, details the extent of the damage caused by the vulnerability, and offers mitigation strategies to address the issue.
 
MOVEit and the Vulnerability:

MOVEit Transfer, developed by Progress Software, is an enterprise file transfer tool widely used by organizations for secure information exchange. Unfortunately, hackers have recently targeted a vulnerability within MOVEit, resulting in a series of data breaches. The attacks have been attributed to the Cl0p ransomware gang, a group that operates as a ransomware-as-a-service provider. Cl0p’s tactics include the exploitation of software vulnerabilities and employing double-extortion techniques, where stolen data is held hostage unless a ransom is paid.

The vulnerability in MOVEit Transfer allows hackers to gain unauthorized access to sensitive data during file transfers. By leveraging this vulnerability, the Cl0p gang has been able to infiltrate multiple organizations and compromise the security of their data.

There are multiple CVEs associated with the software:

  • CVE-2023-25036
  • CVE-2023-35708
  • CVE-2023-34362

Extent of the Breach and Affected Individuals and Organizations:
The impact of the MOVEit vulnerability has been far-reaching, affecting a wide range of individuals and organizations. So far, more than 15.5 million individuals have been affected, and the list of organizations is growing each day. The following is a list of some of the major organizations affected:

  • U.S. Department of Energy
  • Ernst & Young
  • Siemens Energy
  • Government of Nova Scotia
  • British Airways
  • Oregon Driver’s License Holders: Approximately 3.5 million individuals.
  • Louisiana Residents: Roughly 6 million individuals.
  • California Public Employees’ Retirement System (CalPERS) Members: About 770,000 individuals.
  • Genworth Financial Clients: Between 2.5 and 2.7 million individuals.
  • Wilton Reassurance Insurance Customers: Approximately 1.5 million individuals.
  • Tennessee Consolidated Retirement System Beneficiaries: More than 170,000 individuals.
  • Talcott Resolution Customers: Over half a million individuals.
  • National Student Clearinghouse: Potentially significant breach in terms of numbers, impacting numerous educational institutions across the United States.
  • U.S. Universities and Schools: Numerous universities have fallen victim to the breach including UCLA, University of Rochester, and Johns Hopkins.
  • U.S. Department of Health and Human Services (HHS): More than 100,000 individuals affected, according to congressional notifications.
  • Banks, Consultancy and Legal Firms, Energy Giants, and more: Cl0p’s leak site includes numerous additional victims.

The consequences extend beyond individuals, with several notable organizations falling victim to the breach. The University of California-Los Angeles (UCLA), which used MOVEit Transfer to transfer files across campus and to other entities, is among the victims. UCLA spokesperson Margery Grey confirmed the university’s collaboration with the FBI and external cybersecurity experts to investigate the matter. She also stated that impacted individuals have been notified.

Mitigating the Vulnerability
Given the severity and widespread impact of the MOVEit vulnerability, it is crucial for organizations to take immediate steps to mitigate risks and protect their sensitive data. Here are some recommended strategies:

  1. Update and Patch: Promptly update MOVEit Transfer and apply the latest security patches released by Progress Software. Regularly checking for updates ensures that known vulnerabilities are addressed, significantly reducing the risk of exploitation.
  2. Conduct Regular Vulnerability Scanning: With nGuard Vulnerability Management, your organization’s Internet perimeter or internal networks are continuously tested for new vulnerabilities. This provides your organization an effective and timely way to manage your security posture on an ongoing basis.
  3. Conduct Regular Security Audits: Perform comprehensive security audits to identify potential vulnerabilities within your networks and file transfer systems. This includes conducting penetration tests and vulnerability assessments to proactively identify and address weak points.
  4. Implement Multifactor Authentication (MFA): Enforce MFA for accessing file transfer systems to enhance authentication security. By requiring additional verification methods such as biometrics, one-time passwords (OTP), or acceptance of push notifications, the risk of unauthorized access is significantly reduced.
  5. Employee Awareness and Training: It is critical to promote a top-down approach to the culture of cybersecurity awareness among employees by providing regular training sessions on identifying and responding to threats. These training sessions should include ongoing social engineering assessments. Educate staff on best practices for securely sharing sensitive information.
  6. Incident Response Planning: Develop a robust incident response plan that outlines steps to be taken in the event of a data breach. This includes establishing clear lines of communication, involving relevant stakeholders, and implementing recovery procedures to minimize damage and downtime. nGuard has years of experience helping customers create thorough and detailed incident response plans and information security policies custom tailored to their environments, needs, and particular GRC requirements and security standards.
  7. Collect Proper Logs: Have a proper Security Information and Event Management (SIEM) tool that collects, analyzes and correlates security event data from various sources to detect and respond to potential cybersecurity threats. This helps organizations improve overall security posture by providing real-time monitoring, threat intelligence, and incident response capabilities.

The MOVEit vulnerability has led to a significant data breach affecting millions of individuals and numerous organizations across various sectors. As the list of victims continues to grow, it is crucial for organizations to take proactive steps to mitigate new vulnerabilities. By following the mitigations provided above, organizations can fortify their defenses and safeguard sensitive information from malicious actors. The battle against cyber threats requires collective effort and ongoing awareness to ensure integrity and security.

3540 Toringdon Way
Suite 200
Charlotte, NC 28277-4650

info@nGuard.com

© 2023 nGuard. All rights reserved.