Moving past MOVEit

Coalfire Assessment Team

August 4, 2023

The MOVEit hack resembles successful cyberattacks from the past, leading us to ask if federal agencies and contractors are using all the tools, methods, and technologies available to ward off the same type of cyberattacks.

Key takeaways:

  • The cloud version of the MOVEit hack uncovered a wider base of casualties.
  • Stronger protection of digital systems comes from stronger implementation of compliance frameworks.
  • Adherence to security regulations should not be considered optional, but critical to cybersecurity.
  • Using a FedRAMP®-authorized file share cloud system integrates a baseline of security requirements including monitoring, identification, prevention, mitigation, and remediation for all cloud environments.

IoT, big data, and cyberattacks

In this digital age, the world is inundated with information, and more time is spent paying attention to the data versus thinking about how to protect it. As we move to more connectivity with the Internet of Things (IoT) and big data expands, the demand for more platforms to house and access the data is expanding at an exponential rate. At the same time, cyberattacks have become the new norm. While technology connects us, brings the world together, and ignites innovation, it has an increasingly large target on its back.

Take the MOVEit hack as an example. The cloud-managed version of the service was exploited by the Russian ransomware group Cl0P, which takes credit for the attack, through a vulnerability that the software developers had discovered several months earlier. The federal government and its agencies were users of this software.

Learning from past errors

Today’s compliance frameworks are implemented via laws, executive orders, directives, regulations, policies, and standards. Yet they are often treated as guidelines and suggestions instead of requirements. To strengthen our nation’s cybersecurity defense, we must know what we are defending against, namely terrorists and other outside foes of the United States. However, we must defend with equal strength against insider threats, intentional or not.

Aside from the federal government, the MOVEit attack impacted many industries. Some entry points were contractors operating information systems on behalf of the US government. Similar events have transpired in the past, such as the OPM hack of 2014.

While the Russian group Cl0P has taken credit for the MOVEit hack, they were doing what they do best: finding vulnerabilities and exploiting them. While MOVEit could have been a targeted attack, it’s also possible that the hackers did not know who the users were, and unfortunately, it just happened to be the US government. Regardless of the end user, were there ways that the hack could have been thwarted?

Mitigating attack vectors with FedRAMP

In the case of MOVEit, the Federal Risk and Authorization Management Program (FedRAMP) is essential. Let’s look at some facts and a few ways this could have been prevented.

First, the makers of the MOVEit software failed to patch or remediate the vulnerability leading to the hack when it was discovered. Second, a key factor in this hack is that MOVEit was not FedRAMP-authorized. Using a FedRAMP-authorized file share cloud system integrates a baseline of security requirements and ensures that the baseline has been met, allowing continuous monitoring activities to occur and providing accountability in the systems used.

But there is a loophole in this case. Contractors are only required to meet the standards of NIST 800-171 when they provide cybersecurity services to the federal government. So, they can use whatever cloud systems they choose, including cloud systems that are not FedRAMP-authorized. The lack of consistent compliance standards explains why so many of the affected agencies were compromised.

To protect our systems, federal agencies must use cloud systems that have accountability. Without accountability in place, there is no way to verify that software is used with the same level of security as federal information systems; mandating that contractors meet the same standard can only yield stronger systems.

FedRAMP has been codified as a federal law since December 2022, and gives agencies the accountability needed and provides the ability to make this determination. Wide adoption of FedRAMP will lead to stronger systems, but that goal isn’t attainable without taking action against rogue systems that don’t meet the baseline requirements.

The reason FedRAMP is so vital here comes down to flaw remediation. To receive an authority to operate (ATO), FedRAMP requires monitoring, identification, prevention, mitigation, and remediation for all cloud environments.

These environments must meet the federal mandates for cybersecurity, such as using FIPS-validated encryption, TLS, DNSSEC, and additional protections. If the developers of MOVEit had been FedRAMP-authorized when the vulnerability was discovered, they would have had to report it and remediate or patch it within a set timeframe.

FedRAMP is not a silver bullet without follow-through

Although the FedRAMP program will not stop all cyberattacks, proper implementation significantly lessens the probability of a successful attack. Part of that implementation is accountability: having processes in place to choose appropriately protected cloud services.

The federal government has faced many challenges migrating to the cloud, but agencies being able to pick and choose any cloud service they want with no oversight is a big problem. Let’s work towards preventing federal exploitation by using the compliance frameworks already in place, such as FedRAMP, DoD requirements, and CMMC, among others, to protect our nation’s digital assets.