The MOVEit attack is constantly evolving and this week a new update has occurred. Maximus Inc., a US government services provider is the latest victim of the Clop ransomware gang’s exploitation of a critical vulnerability within Progress Software Corp.’s MOVEit file transfer software. It is estimated that as many as 11 million people have had information stolen.
Maximus specialises in providing services for the US healthcare industry, specifically Medicaid, Medicare, health care reform, welfare-to-work and student loan servicing.
The company declared the incident to the U.S. Securities and Exchange Commission after becoming aware it had been impacted by the initial MOVEit vulnerability attack that has plagued organisations around the world. At present, it is unclear as to who the victims are or where they are from because Maximus also provides services outside the US, to countries such as Australia, Canada and the UK.
With the Clop ransomware group being attributed with the attack, Maximus joins a seemingly growing list of high-profiled companies that have been affected, which includes: the US Department of Energy, Shell, the BBC, British Airways and the University of Georgia.
We reached out to industry experts to gather their thoughts on this attack:
Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems:
“If ever there was an example of why you need to closely monitor and continuously evaluate the security of your suppliers and supply chain, look no further than the MOVEit vulnerabilities that were disclosed in June of this year. While the company behind MOVEit file transfer technology has released patches for the two zero-day vulnerabilities that were discovered in June, many large organisations aren’t very nimble when it comes to patching systems, even when critical vulnerabilities are exposed like this. This is perhaps the largest breach of this calendar year, but due to the challenge organisations have with patching their vulnerable systems in a timely manner, this won’t be the last breach due to MOVEit we hear about.
What’s interesting is that the company behind the MOVEit software appears to have all of its compliance-driven security checks and protocols in place, things like PCI-DSS and HIPAA, requirements to manage credit card and health PII, respectively. It is clear that these compliance frameworks are simply the starting point for security posture. Organisations that manage large swaths of customer data and sensitive personal information must perform regular and continuous audits of their systems, checking their configurations and versions for vulnerabilities. It is important to use multiple methods and vendors to perform rigorous security testing of your internal systems as well as the products you deliver to customers. This includes penetration testing but also establishing internal teams to perform continuous validation of your security. These can be enhanced with bug bounty programs that use monetary incentives to get ethical security researchers to test your systems. I’ve seen a fair number of SQL-injection vulnerabilities (like this one in MOVEit file transfer system) caught by ethical hackers working on bug bounties for key systems in the US government and beyond. This class of vulnerability is certainly not beyond the scope of regular programmes and security tools that have emerged in the past decade.”
Erfan Shadabi, cybersecurity expert at comforte AG:
“A breach in the healthcare sector is highly damaging due to the sensitive nature of the data involved. It exposes some of the most private personal and medical information of an already vulnerable section of the population, leading to identity theft, medical fraud, and financial losses for individuals and organizations. Such incidents erode trust, impact patient safety, and incur heavy legal and regulatory consequences. Organizations, especially in the healthcare sector, should prioritize data-centric security measures. By adopting robust data-centric security strategies, organizations can protect sensitive information at its core, mitigating the impact of potential breaches. Encrypted data, strict access controls, and continuous monitoring are essential components to safeguard personal and healthcare data effectively.”
Ray Kelly, fellow at the Synopsys Software Integrity Group:
“This massive exploit of the MOVEit vulnerability is yet another demonstration of the importance of securing the software supply chain when it comes to data privacy. The key takeaway for business leaders is clear—just a single vulnerability in one piece of a third-party vendors’ software can lead to the compromise and exposure of personally identifiable information across every organization that vendor services. Organizations should ensure that any third-party vendor performs regular security assessments across their entire portfolio and infrastructure, and also meets compliance policy standards such as GDPR and SOX. Unfortunately, adopting these practices is not a silver bullet and does not ensure your organization’s protection against a future ransomware attack via the software supply chain.”