The MOVEit blunder - is SaaS software more secure?

MOVEit, a file transfer management software provided by U.S. based company Progress Software (formerly Ipswitch) is making headlines, as a critical vulnerability allowed attackers unauthenticated access and sensitive data exfiltration.

Thousands of organizations (mostly located in the USA and West Europe) are understood to use MOVEit in their operations, often for sharing files with external parties such as business partners or customers.

An important lesson

MOVEit is apparently not used much by customers here in South Eastern Europe, but nevertheless it's worth pointing a very important lesson for CIOs in this particular case: for customers installing an application by themselves (as opposed to consuming it as SaaS service), the attack surface and exposure proves to be much larger, and the threat hunting effort much more costlier. As with the Rackspace/Exchange incident, customers are finding out that the new threat landscape makes it increasingly difficult to run applications on-premise or separately from the software manufacturer.

In case of MOVEit, the vendor is actually playing a dual role: one is manufacturer of software packages to be installed and maintained by customers (the traditional approach), and the other is software-as-a-service provider (SaaS), offering a service called MOVEit Cloud. Although this service was also targeted by attackers, it's useful to see that the incentives to fix are much higher with the SaaS provider than when the responsibility to patch is on the customer side.

To get a sense what the SaaS provider is doing to ensure the continuity of its service (in fact, revenue survival), read the MOVEit Cloud advisory here. Following the discovery and escalation of the vulnerability, the company took down HTTP and HTTPs traffic to MOVEit Cloud and re-enabled them only once patches were deployed on May 31st. By that time traditional self-managed customers were only beginning to be notified about the vulnerability and patch existence, with many systems still vulnerable to this day (mid June).

The company behind MOVEit SaaS service also developed specific monitoring signatures on their servers to track any ongoing exploitation attempts, and engaged an outside cybersecurity firm to conduct a forensic investigation and assess the extent and scope of the incident. This apparently resulted in the discovery of an additional security vulnerability on June 9th that could potentially be used by a bad actor to stage an exploit. The SaaS service was patched even before an official CVE id was assigned for that new vulnerability, while self-managed customers are due for further patching and remediation steps, as of this writing.

The outcomes are clear: for MOVEit Cloud customers the incentives to fix are heavily centered on the SaaS provider, whose service "survival" depends on fixing the issue, benefiting all customers. Self-managed customers on the other hand will get a delayed response by definition: publishing, distributing and finally installing patches takes time, and few customers have the resources to react promptly and perform in-depth threat hunting following a breach.

As this case illustrates, looking to "outsource" application to SaaS is therefore a sound risk management strategy. CIOs and decision makers should consider it to increase overall security posture.

About the MOVEit vulnerability

The MOVEit vulnerability, tracked as CVE-2023-34362 was disclosed in late May, after several security vendors found evidence of active exploitation in the wild, where exploitation is often followed by deployment of remote code that enables automated file exfiltration. Microsoft has already attributed the attacks to a well known threat actor operating various ransomware schemes such as the Clop extortion site.

Threat actors are often ahead of zero-day researchers and vendor patching efforts: vulnerabilities weaponized before being disclosed or patched seem to be getting more frequent. In the case of MOVEit, active exploitation was already happening before the vendor had time to issue a patch.

Companies such as British Airways, BBC and Aer Lingus have been apparently exfiltrated and now face extortion requests with the risk of exposing their stolen data to the public domain (privacy violations are likely to follow).