Threat Research: Ransomware Attacks on Software Supply Chains & Effective Mitigation 

The recent wave of ransomware attacks targeting software supply chains, such as the exploits on MOVEit, GoAnywhere, and 3CX Desktop Client, highlight the escalating threat landscape and the need for robust security measures. This strategic intelligence article examines the trends observed in these attacks and the broader implications for organizations using similar software. It provides an assessment of the risks and offers strategic recommendations for mitigating these threats, including considerations for vendor relationships. 

Software Supply Chain Attacks Trends 

The ransomware group Clop, known for its technical sophistication, has leveraged zero-day vulnerabilities in popular enterprise file transfer solutions to conduct large-scale attacks. Unlike traditional ransomware groups, Clop exploits supply chains to rapidly compromise numerous organizations in just a few days. This trend raises concerns about the vulnerabilities present in software systems and the need for proactive security measures. 

Risks and Implications of Software Supply Chain Attacks 

The successful exploitation of vulnerabilities in MOVEit, GoAnywhere, and 3CX Desktop Client demonstrates the severity of supply-chain attacks. These incidents reveal the following key implications: 

• Heightened Exposure: Software solutions in the managed file transfer (MFT) category, including MOVEit, often store sensitive data. The compromised data may include highly regulated information, intellectual property, or sensitive organizational data. The exposure of such data poses significant risks, including legal and reputational damage. 

• Evolving Tactics: Clop’s adoption of a new approach by publicly announcing the attacks and demanding ransom payments increases the pressure on organizations. This tactic aims to maximize the impact on vulnerable versions of software and further enhances Clop’s reputation within the cybercriminal underground. 

Mitigation Strategies for Software Supply Chain Organizations 

To effectively mitigate the risks associated with software supply chain attacks, organizations should consider the following strategies: 

• Evaluate Data Exposure: Assess the data stored in MFT solutions, whether on-premises or in the cloud. Identify the sensitivity of the data and determine the extent of potential exposure. This evaluation will inform decision-making regarding engagement with threat actors and the subsequent response. 
• Strengthen Managed File Transfer (MFT) Solutions: Understand the public footprint of MFT solutions and implement measures to harden their security. This includes restricting public access, implementing firewall rules, and promptly applying software patches to mitigate vulnerabilities. 
• Effective Detection and Response: Enhance detection and response capabilities to minimize the impact of zero-day exploits and rapidly detect malicious activities. Evaluate logging capabilities and ensure that logs are enabled and securely stored for future analysis and incident response. 

Considerations for Vendor Relationships 

To effectively address the risks associated with software supply chain attacks and vendor relationships, organizations should consider the following: 

• Third-Party Risk Management: Engage with third-party vendors to understand their use of vulnerable software and assess their level of exposure to potential attacks. Collaborate with vendors to align security measures and ensure effective risk management. 
• Incident Response Collaboration: Establish communication channels with vendors to facilitate incident response efforts. Coordinate incident response plans, information sharing, and joint efforts to address any potential compromises. 

Lessons from Previous Supply Chain Attacks 

Drawing parallels with previous supply-chain attacks, such as the SolarWinds incident, organizations must learn from past experiences to enhance their security posture: 

• Conduct Tabletop Exercises: Conduct tabletop exercises that simulate extortion scenarios and evaluate the organization’s ability to respond effectively. Involve operational and leadership teams to address tactical and strategic aspects of ransomware and extortion response. Use the exercises to inform future planning and budgeting activities. 

• Collaborate with Law Enforcement Agencies: Establish relationships with local law enforcement agencies, such as the FBI, to seek assistance in case of ransomware attacks. While they may not directly assist with data extortion, they can provide valuable guidance and support in decrypting ransomed 

Our Critical Start Cyber Research Unit (CRU) is actively monitoring the situation and has issued an initial threat advisory for our customers. This advisory will be continuously updated as new information emerges. Additionally, our Threat Research Unit has initiated evaluation of detection implementation on behalf of our clients who utilize MOVEit and have those logs monitored by our MDR. If any other Critical Start customers have implemented MOVEit in their environment, we urge them to contact us promptly so that we can provide assistance tailored to their specific needs.