
The CyberWire: MOVEit bug impacts state governments. Johns Hopkins suffers data breach.
NetSPI EMEA Senior Security Consultant Tyler Sullivan shares supply chain security insights surrounding the MOVEit CVE with CyberWire Pro. Read a snippet below, or find the full article at https://thecyberwire.com/newsletters/privacy-briefing/5/115.
+++
Speaking of the MOVEit bug, US research institution and medical center the Johns Hopkins University has disclosed it suffered a cyberattack connected to the vulnerability. A notification letter sent to the university community states that the incident “may have impacted the information of Johns Hopkins employees, students and/or patients.” Officials say an investigation is ongoing, and that it does not appear that electronic health records were impacted. Cybersecurity expert Bill Sieglein told WBAL 11 News, “This was called a ‘zero-day attack,’ meaning the attackers, who are out of Russia, a group known as CLOP, they discovered a vulnerability in this piece of software called MOVEit. MOVEit is a piece of software that allows you to move large data files between networks and between systems. They found a vulnerability before anybody knew about it and, all at once, launched an attack worldwide.”
Tyler Sullivan, Senior Security Consultant at NetSPI, commented on the implications of this instance of MOVEit exploitation for software supply chain security. “Following the recently disclosed, widely exploited vulnerability in the MOVEit file transfer product, multiple organizations have disclosed they’ve been affected despite not being first-hand users of the technology — due to the complex software supply chain ecosystem,” Sullivan wrote. “To slow third-party software vendor-based attacks, a paradigm shift is required, from standard perimeter-based networks to a Zero Trust architecture. Additionally, it’s critical for organizations to minimize the attack surface and reliance on the supply chain – this means decreasing the amount of third parties used and regularly auditing them for any security gaps. There is not a single responsible party for the supply chain, it’s down to the vendors, the repositories, the software consumers and the developers. The second half of 2023 should be when we see meaningful progress by all parties involved to control the supply chain and ensure it can be used in a secure way.”