Chain reaction

MOVEit Transfer is a managed file transfer application that allows organisations to transfer files automatically and securely, which is available hosted on premises (MOVEit Transfer) or in the cloud (MOVEit Cloud).

The recent MOVEit hack had several victims including Zellis, the UK payroll software and service provider whose clients’ employee personal data was compromised. Since then, the number of organisations affected has grown steadily, with victims including UK and US public and government institutions as well as private organisations, with the most recent announcement identifying two large accountancy firms. 

The timeline is interesting, with several vulnerabilities reported since the end of May, when Progress Software reported the first vulnerability, a zero-day SQL injection allowing attackers to execute SQL commands providing access to the application database. Progress took action on MOVEit Cloud, released patches and provided mitigation instructions for MOVEit Transfer. It then enlisted cyber security firm Huntress to conduct further investigation, which identified additional vulnerabilities on 9 June. Another SQL injection vulnerability was publicly identified by a third party on 15 June.

Additional patches have been released for these. If your organisation has been affected, it is important you review and immediately follow the vendor instructions to patch and or upgrade your systems as necessary. ICAEW has created a more detailed analysis of the attack and how to mitigate such risks.

Microsoft response to attacks

At the beginning of June, Microsoft suffered a number of Distributed Denial of Service (DDoS) attacks that affected several of its web portals including Azure, Outlook and OneDrive, impacting availability. Such attacks are not easy to successfully perform on organisations of the scale of Microsoft, as it requires the ability to control a significant number of computers. However, a successful attack would make a greater impact.

Microsoft believes hacktivists were behind the attack. They likely had access to and utilised multiple virtual private servers (VPS), rented cloud infrastructure, and DDoS tools to perpetrate the attack.

For affected organisations, it has provided an overview of the attack and recommendations to mitigate including using protection services such as the Azure Web Application Firewall and tips for controlling traffic to and from applications hosted in Azure.

As with the MOVEit incident, taking prompt action and following the steps recommended by software vendors such as patching and updating firewall rules can significantly reduce the chances of having your services or data impacted.

LockBit’s dominance

The UK National Cyber Security Centre (NCSC) and agencies from the United States, Australia, Canada, France, Germany and New Zealand issued a joint advisory on 14 June warning about the continued international threat caused by LockBit ransomware, and providing advice on how to manage the risk.

Ransomware is a type of malicious software (malware) that prevents access to systems or data by encrypting it with the perpetrators demanding a payment or ransom to restore access.

LockBit is the most common type of ransomware, created by a group of the same name, and the NCSC believes that it presents the highest ransomware threat to UK organisations. It was responsible for the majority of ransomware attacks in 2022, and has been responsible for several attacks this year including the attack on Royal Mail in February.

One of the things that makes Lockbit so prolific is that it operates a Ransomware-as-a-service (RaaS) model, in which it sells access to malware and services in carrying out attacks to other cyber criminals.

The advisory highlights this risk, as well as the risk of double extortion whereby criminals not only encrypt the data to prevent access, but also both exfiltrate it and threaten to sell or make it public if payment is not made.

If affected by a ransomware attack, NCSC and law enforcement bodies advise not to pay the ransom, as it not only encourages criminals to continue attacks, but there is no guarantee that you will get your data back or that it will not secretly be sold to cyber criminals anyway.

The advisory recommends various activities to prevent and mitigate LockBit attacks, including managing account privileges, keeping operating systems, software, and firmware up to date, raising awareness of phishing attacks and maintaining secure, offline backups and implementing an effective recovery plan.

The NCSC ransomware hub also provides further guidance on how to manage the risk from ransomware more widely.

A chartered cyber security profession

The NCSC announced this month that its Certified Cyber Security Professional (CCP) scheme will close to new applications from 30 September 2023, and the scheme will be replaced by the UK Cyber Security Council (UKCSC) chartership title specialisms. There are three professional titles aligned to the Council’s professional standard; Associate, Principal or Chartered. Existing CCP certifications will continue to be recognised until the last certifications expire in December 2026.

Having a chartered cyber security profession will provide a way for businesses to have better assurance over the capabilities of those they engage to provide cyber security services. Requiring that their suppliers employ individuals with chartered cyber security status to perform their cyber activities may also help to reduce supply chain risks and provide more confidence in the suppliers’ cyber risk management.

UKCSC was set up by the government in February 2021, and its mission is to ensure and maintain the UK’s global leadership in the cyber industry by developing a national cyber security professional standard which includes expanding cyber skills and knowledge and promoting high standards of conduct and expertise for the benefit of the public. It took over management of the CCP scheme from NCSC in 2022.

The option and assessment criteria to top up and transfer from a specialism-based CCP certification to a professional title aligned to the Council’s professional standard is currently available for practitioners with certifications related to the specialism of cyber security governance and risk management. There are 16 recognised specialisms including audit and assurance.

Getting the basics right

With so much happening in the cyber world, it can seem overwhelming and difficult to know what to do. Getting the basics of cyber security right and implementing the NCSC 10 steps to cyber security will put you in a good position to prevent and respond to most cyber incidents.