Newsletter 07/21/2023


The CLOP MOVEit Vulnerability:
Rite-Aid & The Eternal Zero Hour Threat

No recent event makes the case for prompt software patching more forcefully than the CLOP MOVEit attack.  (CLOP, also written Cl0p, is the ransomware gang; MOVEit Transfer, Progress Software's managed file-transfer product, is the software in which the vulnerability lived.)  The most recently announced victim of consequence to people everywhere in these US of A is Rite-Aid Corporation.  Rite-Aid was hacked on May 27, 2023.  Rite-Aid calls this event "a security incident."  The cyberattack Rite-Aid most likely fell victim to was a Zero Day, or Zero Hour, exploitation of the MOVEit vulnerability, for which no patch yet existed.  From Rite-Aid's notice:

On May 31, 2023, we were informed by a vendor partner of ours that there was a vulnerability in their software, and it had been exploited by an unknown third party. To address the defect, the vendor provided a software update.

Nowhere in its "Security Incident Notice" does Rite-Aid Corporation mention CLOP or MOVEit, but the attack has all the hallmarks of that virulent campaign, whose full list of victims is still unknown.  I am sure that many Rite-Aid customers, who may now know that Russian crooks have their "prescription information including medication names and dates of fill, prescriber information," are more than a bit upset about the situation.  I know I am.  Yet neither Rite-Aid Corporation nor the presumed vendor knew that, on the first day of the attack, the software had a critical, still unpatched, vulnerability: the very definition of a Zero Hour attack.

The Rite-Aid attack is another example of how the entities victimized by MOVEit had no defense in the first days of the campaign.  From May 27, 2023, until the initial patch on May 31, 2023, the attackers had free rein within the vendor's file-transfer system that held Rite-Aid's data.  Although the initial vulnerability had been patched, further MOVEit vulnerabilities were not patched by Progress Software until the second week of June.  According to BleepingComputer, June 9, 2023 was the date when "all MOVEit Cloud clusters have already been patched against these new vulnerabilities to secure them against potential attack attempts."  On July 5, 2023, Progress Software announced that, "in response to customer feedback, the MOVEit team has formalized a regular Service Pack program for all MOVEit products."  Hopefully this Service Pack regimen will make it easier and more timely for network admins to keep their systems up to date and in compliance with all regulatory demands. 

As Consumers, we can only hope that the Network Admins at Rite-Aid Corporation now check daily which updates and patches are available for their systems, and that all updates are applied promptly.  Timeliness is critical here.  Recent research by edgescan.com showed that the time between the discovery of a vulnerability and its remediation remains far too many calendar days.  This time period is called "mean time to remediation (MTTR)."  According to Edgescan, the average time taken to "remediate internet-facing vulnerabilities rated as Critical was 65 days."  For two months, the crooks can have free rein within victims' systems.
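To make the MTTR figure concrete, here is a small added example (mine, not code from the newsletter, Edgescan or Rite-Aid) that computes mean time to remediation per severity from a list of findings and flags open Critical findings that have blown past a patching deadline.  The findings, the dates and the SLA thresholds (7, 30 and 90 days) are all constructed assumptions for illustration, not real data.

```python
from datetime import date
from statistics import mean

# Constructed sample findings (assumption: not real Rite-Aid or Edgescan data).
# "fixed" is None while the finding is still open.
FINDINGS = [
    {"id": "F-1", "severity": "Critical", "found": date(2023, 5, 31), "fixed": date(2023, 6, 2)},
    {"id": "F-2", "severity": "Critical", "found": date(2023, 5, 31), "fixed": date(2023, 6, 30)},
    {"id": "F-3", "severity": "High",     "found": date(2023, 6, 1),  "fixed": date(2023, 6, 21)},
    {"id": "F-4", "severity": "Critical", "found": date(2023, 6, 15), "fixed": None},
    {"id": "F-5", "severity": "Medium",   "found": date(2023, 6, 20), "fixed": None},
]

# Assumed patching deadlines in calendar days per severity (an illustrative policy,
# not a standard); Critical gets the tightest window, per Microsoft's "apply immediately".
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90}


def mttr_by_severity(findings):
    """Mean time to remediation (calendar days) for closed findings, keyed by severity.
    Severities with no closed finding are omitted rather than reported as zero."""
    days = {}
    for f in findings:
        if f["fixed"] is None:
            continue
        days.setdefault(f["severity"], []).append((f["fixed"] - f["found"]).days)
    return {sev: mean(vals) for sev, vals in days.items()}


def overdue(findings, today):
    """Open findings whose age exceeds the SLA for their severity.
    Returns (id, severity, age_in_days) tuples, oldest first."""
    late = []
    for f in findings:
        if f["fixed"] is not None:
            continue
        age = (today - f["found"]).days
        if age > SLA_DAYS.get(f["severity"], 0):
            late.append((f["id"], f["severity"], age))
    return sorted(late, key=lambda t: -t[2])


if __name__ == "__main__":
    for sev, m in mttr_by_severity(FINDINGS).items():
        print(f"MTTR {sev}: {m:.1f} days")
    for fid, sev, age in overdue(FINDINGS, date(2023, 7, 21)):
        print(f"OVERDUE {fid} ({sev}) open {age} days, SLA {SLA_DAYS[sev]}")
```

The point of splitting the two functions is that a low average MTTR can hide the one Critical finding that has been open for five weeks; the overdue report is what a practitioner actually acts on.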

On June 14, 2023, comparitech.com posted an easy-to-digest summary of cybersecurity vulnerability statistics and facts, drawing on research by security vendor Edgescan and others.  Comparitech's summary showed that over half of vulnerable Internet-facing applications are considered Critical.  Microsoft defines a "Critical" vulnerability as:

A vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.

MS completes this summary definition with the following admonition to all its customers:

Microsoft recommends that customers apply Critical updates immediately.

The importance of software updating is by now common knowledge among most informed Consumers, or so I like to think.  Consumers also rightly assume that the entities with which they interact will demonstrate constant vigilance in staying aware of all the software patches their systems need.  A simple command that is difficult to implement in the hurly-burly of today's business climate. 

Unfortunately for most Consumers, there are too many entities to which that vigilance does not extend.  Patch management is now almost a full-time job for an entity of any size and consequence, but management for the most part has yet to realize that patch management is simply a new cost of doing business.  Nevertheless, given all the entities now facing class action lawsuits over being hacked through the MOVEit vulnerability, with Rite-Aid surely soon to be added to that growing list of defendants, these entities will eventually come to realize that it is cheaper and more cost-effective to have someone in place whose sole job is to manage the patching of computer systems.  Yeah. Right.

All of the above pertains to Zero Hour vulnerabilities in software.  Zero Hour vulnerabilities in the software embedded in hardware (firmware), and the mitigation of those vulnerabilities, are a far more difficult issue to address.

On July 13, 2023, Forescout Research – Vedere Labs published a report entitled "The 5 Riskiest Connected Devices in 2023: IT, IoT, OT, IoMT."  Forescout divides technology usage into four groups and then ranks the "riskiest" devices in each group. 

 IT is what most of us consider Computing in general.  This includes PCs, servers, and routers.
     And, in a sad commentary on our times, the "Security Appliance" is now, ironically,
     the fifth "riskiest" device in our IT infrastructure.
 IoT is what is called the Internet of Things.  Riskiest in this category are Network Attached Storage,
     printers, and IP-connected cameras.
 OT is Operational Technology.  On June 28, 2022, I introduced readers to the concept of Operational
     Technology.  OT refers to technology used to regulate Critical Infrastructure, like water treatment
     plants, for instance. 
 IoMT is the Internet of Medical Things.  IoMT includes devices most Consumers have some familiarity with.
     "Risky" IoMT devices include the PC workstation on which the nurse records your vitals;
     electronic imaging devices (X-rays); Nuclear Medicine Systems;
     and, newly added for this year, blood glucose monitors.

Just as the MOVEit attack on Rite-Aid brought the issue of software patching home to Consumers, the fact that IoMT devices have made Healthcare "the riskiest industry in 2023" should concern Consumers of Healthcare goods and services.  Forescout determined that, although IoMT devices had the fewest vulnerabilities, "80% of them are critical, which typically allows for complete takeover of a device."  Here is the one fact concerning IoMT devices readers can easily understand: "35% of IoMT devices that run Windows are on legacy versions of the OS."  Ibid.  Windows 7 is alive and not so well within the practice of medicine, in this the Year of Our Lord, 2023.  Oh, Lord, indeed!!

In a post of July 12, 2023, this blog discussed how CISA is asserting its authority to require administrators to patch vulnerable network devices where those devices intersect with government networks.  No such governing authority yet exists to compel strictly private industries to practice proper and timely patch management, leaving many sectors of Western economies the world over defenseless against Zero Hour cyberattacks on their infrastructure.

As long as most actors in many sectors of the economy remain reactive, waiting for an attack to occur, too few hardware vulnerabilities will ever be corrected.  Even where a mitigation exists for a given device, applying it usually requires taking the device or system out of service, disrupting whatever part of the enterprise the device serves. 

The current series of this blog began with a very sad, but cautionary, tale: the story of Nicko Silar, born July 17, 2019, died April 16, 2020.  The hospital where Nicko's Mom went to deliver him had been shut down operationally by a ransomware attack, a cyberattack which the Hospital Director denied had occurred.  From there, a very disturbing chain of events led to delivery complications and ultimately to Baby Nicko's death less than twelve months later.  Three years later, the largest number of victims of the CLOP MOVEit campaign are Healthcare facilities, and Healthcare is now judged to be "the riskiest" industry for connected devices.  And thus healthcare can now be quite unhealthy for us all.

The single question that has puzzled me for over twenty years now is this:  With so many people getting all riled up over really innocuous events and happenings, why does the public at large shrug its collective shoulders at this real and present danger now looming over all of us?  I mean, is it too much to ask that, when we get our meds at the local pharmacy, the Russians, the Chinese, the Iranians, the North Koreans, and all the other groups, small, medium, or large, who feel they are at war with Western Civilization, indeed seemingly at war with modernity itself, not be participants in our simple pharmacy transactions? 

Ain't no use jiving
Ain't no use joking
Everything is broken
— Everything Is Broken, Bob Dylan

¯\_(ツ)_/¯
Gerald Reiff
