MOVEit Transfer hack: What steps Middle East firms can adopt to counter attacks
A cyberattack on hundreds of banks, consultancies, legal companies, and energy giants in the US and UK has been ongoing since late May through the hack of MOVEit Transfer, a tool used by corporations and enterprises to share large files over the internet.
The FIN11 hacker group — focusing on ransomware and extortion — has been listing the names of victim organizations on their shaming site since mid-June. While this attack hasn’t reached the region, organizations in the Middle East can stay one step ahead by adopting a “requirements-driven approach,” according to Jamie Collier, Senior Threat Intelligence Advisor at Mandiant, an American cybersecurity firm and a subsidiary of Google.
In an interview with Al Arabiya English, Collier said threat intelligence teams operate in resource-constrained environments. Yet the scale of cyber threats organizations face has never been greater, with recent research from Mandiant finding that 79 percent of security decision-makers make decisions without adversary insights the majority of the time.
Organizations that implement a ‘requirements-driven approach’ can significantly improve an intelligence program’s efficiency, utility, and value.
“It requires, though, a very clear strategy,” said Collier, a leader in threat intelligence with expertise gained on the frontlines of cyber security.
Collier added that, in simple terms, “it is crucial for an intelligence team to always focus on what their organization needs — these are called ‘requirements.’ A Cyber Threat Intelligence (CTI) team should start with these requirements and use them as a guide for all their work, from data collection to sharing insights with others.”
“When a report is completed and shared with the relevant people, the team should get feedback and revisit their initial requirements to ensure continuous and consistent improvement.”
According to Collier, the focus should always be on meeting the needs of the stakeholders and re-evaluating their requirements.
“This process never really ends, and it should be flexible and adaptable. If done right, it will help set standards, improve security, and make intelligence a key part of an organization’s security.” Collier said intelligence teams can build far more tailored intelligence products if they understand the unique context of their organization.
“For instance, if an intelligence team knows that a vulnerability management team is struggling to prioritize their patching efforts, reports on actively exploited vulnerabilities within an organization’s sector and region can provide dramatic efficiencies,” he said.
Regional trends in the growth of cybersecurity
“Companies and individuals in the Middle East are regularly targeted with phishing and spear phishing attacks. Everyone living in the region will be familiar with the fake text messages pretending to be from the Central Bank or the Police, attempting to trick you into giving away your bank details,” Renze Jongman, Threat Intelligence Advisor (MEA), Mandiant, told Al Arabiya English.
“But the problem is bigger than just small-time fraud,” he said. “For example, well-organized criminals, but also state-sponsored actors will target individuals with fake employment opportunities. Equally, companies looking for unique skill sets are often targeted with fake resumes. As soon as a recruiter opens the file, malware will be installed on the system.”
He continued, “Targeting specific companies or industries allows cybercriminals to zoom in on high-value targets, and espionage actors to collect classified and confidential information on very specific topics. After all, people looking for a new job will gladly talk about the work they have previously done.”
Mandiant recently published its M-Trends 2023 report, with insights on trends in the cyber threat landscape. The research shows that spear phishing (a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim) is the single most used attack vector (a way for attackers to enter a network or system) in EMEA, while exploit kits, which automatically leverage vulnerabilities on a user’s system, are more likely to be used elsewhere in the world.
Jongman explained the ramifications of the MOVEit Transfer attack and the international incidents in the Middle East.
“The ransomware group FIN11, also known as Cl0P, is attacking organizations that use the MOVEit Transfer Software from Progress Software. Thousands of organizations use the software to securely transfer their files, including organizations in the Middle East,” Jongman told Al Arabiya English.
FIN11’s modus operandi is to scan the internet for organizations that use the software and then try to exploit a vulnerability that Progress discovered in May. If they are successful, they steal the data they find on the server and use it to extort the victim organization. FIN11 threatens to publish the stolen data online if organizations don’t pay the ransom.
“Attacks like these extend far beyond the organizations that lose their data: this problem also impacts average people. The volume of personally identifiable information that was stolen is significant, and once the data is leaked, other cybercriminals could download the data for identity theft, fraud, and phishing: a significant problem, especially in the Middle East,” said Jongman.
He said that organizations using MOVEit Transfer Software should take immediate measures to protect their data and customers.
“Progress Software released a series of patches that should be applied immediately. Mandiant has published a guide with additional guidance to help companies protect themselves.”