Thought Leadership

Jun 21, 2023

MOVEit Vulnerability: A Painful Reminder That Threat Actors Aren’t the Only Ones Responsible for a Data Breach

In this latest set of breaches involving the Ipswitch MOVEit managed file transfer product, we encounter three familiar actors and one real victim.

The MOVEit data breach continues to impact a number of both private and government groups across the US and Europe by exposing confidential data. With breaches like this becoming increasingly common, it can be easy to blame advanced persistent threat (APT) groups and other malicious actors; however, there is a valuable lesson to learn from the MOVEit breach: it is essential to be proactive about these threats, because not doing so may lead to a breach. I’ve put together this blog post as a reminder that security organizations—and quite frankly, boards and executive leadership—should view internal security threats just as seriously as external ones when it comes to protecting their organization’s sensitive information.

Unpacking the Responsibility of Securing Customer Data

The Cl0p Ransomware Group

First and most obviously, we have the Cl0p ransomware group. Some may remember them from the Fortra GoAnywhere set of breaches. It appears that the Cl0p group found a vulnerability in another Managed File Transfer (MFT) system. The specific vulnerability in MOVEit (a SQL injection) appears to be different from the one in GoAnywhere (an unsecured administrative interface). In both cases, an unauthenticated user was able to leverage the vulnerability and gain privileged access to data stored on the servers.

Cl0p seems to have followed the same playbook: once they were able to verify the vulnerability, they immediately started to look for more systems running the same MOVEit platform, knowing that they could reach a wider range of victims. It is important to note that Cl0p doesn’t seem to care about the type of victim, as long as they can breach them. They attacked health organizations, financial organizations, utility companies, universities, and even government agencies.

The Software Vendor

While the Cl0p group is clearly the malicious actor here, some measure of accountability must lie with the software vendor, Ipswitch. The vulnerability appears to be rooted in a SQL injection in the web interface of the MOVEit software. Considering that Ipswitch promotes MOVEit as a secure file transfer product, I find it alarming that SQL injection is still not properly accounted for. The Open Worldwide Application Security Project (OWASP) lists injection as the third-ranked risk in its industry-standard Top 10 Web Application Security Risks. This should lead anyone to question Ipswitch’s secure software development life cycle (SSDLC).

Vendors must begin to seriously implement practices to ensure that their software products are secure by design. To quote CISA, this means that “every technology provider must take ownership at the executive level to ensure their products are both secure by design and secure by default.” Security is no longer exclusively the realm of the CISO. Software should not be deployed and then hardened. It should come hardened, making the user secure by default.

Ipswitch Customers

Of course it’s easy enough for us to place blame solely on the software vendor and the malicious actors. Unfortunately, responsibility for this breach doesn’t end there. It’s a harsh reality that CISOs, IT teams, and cybersecurity experts have to face every day: data breaches are no longer just a threat posed by malicious actors. This latest incident is proof of how even seemingly innocuous internal error can open up serious security risks—unless steps are taken quickly to make sure mistakes don’t end in disaster.

So now, let’s talk about the customers who used MOVEit and were breached as a result of Cl0p’s ability to take advantage of the SQL injection vulnerability. While arguably these customers are the victims of these cyberattacks, they are in some ways just as culpable as the vendor.

Just because a piece of software claims to be ‘secure’ doesn’t mean that it is. Customers must always validate that the software they use is secure and is configured in a way that can protect against cyberattacks. There is also an argument that MFT servers should only hold on to files for the minimal duration needed to transfer them from one location to another. From the little information that is available, it would appear that Cl0p exfiltrated large amounts of data that was sitting on the servers themselves.

What We Can Take Away from the MOVEit Breach

The real victims in this latest set of breaches are the consumers whose information was included in the breach. If the Fortra GoAnywhere breach is any harbinger, we can expect that millions of individuals will be affected by this mass breach event.

There are several key lessons that this incident should instill in us:

  • Financially motivated threat actors do not care about what your company does. Just because they started with a bank does not mean that you will be spared if you’re a health company. You must assume that they will try to attack your organization as well.
  • Software vendors must adopt CISA’s Secure-by-Design and Secure-by-Default principles. Don’t assume that your client knows how to secure your product. Follow Secure-by-Design to minimize potential vulnerabilities in your product. Follow Secure-by-Default so that your customers are more secure at the point of deployment.
  • Just because a piece of software has the word “secure” as part of its marketing collateral does not mean you can just put it in and expect it to be secure. In this case, it would appear a simple Web Application Firewall could potentially have stopped Cl0p from leveraging the SQL injection vulnerability. You must validate your security controls, especially considering the threat landscape.
  • Companies must also follow the secure-by-design principle that CISA is promoting. Sensitive data should not be allowed to linger in a location that is meant to be a temporary transfer system.
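The two points above about not letting sensitive data linger on a transfer server (minimal retention on the MFT side and no temporary system holding data longer than needed) can be enforced mechanically. The following is an added example written for this post, not MOVEit code or a SafeBreach tool; it assumes the MFT product drops completed transfers into a directory and that a file’s mtime reflects when it was transferred. The retention window is an assumed policy value.

```python
"""Enforce a minimal-retention window on an MFT staging directory.

Illustrative code, not part of any MFT product. Assumptions: completed
transfers land under one root directory, and file mtime is the transfer time.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

DEFAULT_MAX_AGE_SECONDS = 24 * 3600  # assumed policy: purge after one day


@dataclass(frozen=True)
class RetentionResult:
    purged: Tuple[str, ...]    # removed (or, in dry-run, would be removed)
    retained: Tuple[str, ...]  # still inside the retention window
    errors: Tuple[str, ...]    # removal failed; needs an operator's attention


def find_expired(root: Path, max_age_seconds: int,
                 now: Optional[float] = None) -> Tuple[List[str], List[str]]:
    """Split regular files under root into (expired, fresh) by age."""
    now = time.time() if now is None else now
    expired, fresh = [], []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # never follow links out of the staging tree
        age = now - path.stat().st_mtime
        (expired if age > max_age_seconds else fresh).append(str(path))
    return expired, fresh


def enforce_retention(root: Path, max_age_seconds: int = DEFAULT_MAX_AGE_SECONDS,
                      dry_run: bool = True, now: Optional[float] = None) -> RetentionResult:
    """Purge expired files; dry_run (the default) only reports them."""
    expired, fresh = find_expired(root, max_age_seconds, now)
    purged, errors = [], []
    for f in expired:
        try:
            if not dry_run:
                os.remove(f)
            purged.append(f)
        except OSError as exc:
            errors.append(f"{f}: {exc}")
    return RetentionResult(tuple(purged), tuple(fresh), tuple(errors))


def make_sample_dir() -> Tuple[Path, float]:
    """Constructed sample data: one 3-day-old file and one 1-hour-old file."""
    root = Path(tempfile.mkdtemp(prefix="mft-stage-"))
    now = time.time()
    for name, age in (("old_export.csv", 3 * 86400), ("fresh_upload.csv", 3600)):
        p = root / name
        p.write_text("sample")
        os.utime(p, (now - age, now - age))
    return root, now
```

Run it first in dry-run mode and review the reported list before switching `dry_run` off; the `errors` field is what a scheduled job should alert on.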

In addition to continuous testing and audits, look out for the latest cybersecurity alerts, as they can serve as a warning sign for where and how to test for potential security gaps. (I would be remiss not to mention that SafeBreach proudly carries a 24-hour SLA on all US CERT and FBI alerts, which ensures that all relevant TTPs will be in our platform, ready to deploy within 24 hours of the announcement.) By following these best practices regularly, we can better protect ourselves from cyber-attackers like the Cl0p ransomware group and limit the impact of any potential data breach.

Does the MOVEit vulnerability affect your organization? It’s never too late to validate.

Are you confident that your existing security controls can fend off even the most devious attack techniques out there? If not, it’s time to take action with SafeBreach’s Breach and Attack Simulation (BAS) platform. Our platform includes the behavioral attacks used by Cl0p and boasts the largest and most up-to-date playbook of any BAS provider in the industry. Start validating today. Book a personalized demo to see the platform in action.
