MOVEit Vulnerability Hit The OPM Resulting In A “Major Incident”

Yesterday, citing a report compiled by the Office of Personnel Management (OPM), Bloomberg reported that 632,000 Justice and Defense department employee email addresses were accessed in a hack earlier this year.

Hackers obtained access through the MOVEit file transfer tool used by the data firm Westat, which OPM uses to administer employee surveys.

OPM described the hack as a “major incident,” although the agency believed the compromised data was “generally of low sensitivity” and not classified. Aside from email addresses, the data may have included links to government employee surveys and internal agency tracking codes, according to the OPM report.

Emily Phelps, Director, Cyware, had this comment:

   “MOVEit transfer attacks have impacted organizations across industries and sectors. While a layered security approach – multifactor authentication, regular patches and updates, intrusion detection and prevention systems, etc. – plays a major role in defense, we must enable organizations to adopt more proactive cybersecurity methods. Organizations need a combination of human expertise and advanced technology that can play well together in order to outpace well-coordinated adversaries. They must also be enabled to connect the dots between disparate tools and tech and team silos so the right intelligence gets into the right hands to take the right actions.”

Corey Brunkow, Director of Engineering Operations, follows with this:

   “The classification of the following data and the breach as ‘of low sensitivity’ is lackadaisical in consideration of the power of data analytics in the hands of very unsophisticated threats. Forbes reports: ‘The information included social security numbers, dates of birth, physical addresses and other information listed on a driver’s license.’

   “All of this information in aggregate, along with email addresses, are perfect start points that basic hackers can use to generate a password spraying campaign at scale. Username = email address, Password = the 10,000 most used passwords tuned to be modified with data from these lists of ‘low sensitivity data’. Mandatory password changes for ALL tools configured with usernames consisting of these email addresses is likely a full day’s work for everyone involved, and if not managed properly with follow-up password audits could lead to future compromise of other capabilities.”
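The spraying pattern Brunkow describes (one username per leaked email address, a handful of common passwords each) has a recognisable shape in authentication logs, which is what a defender should be hunting for after a list like this leaks. The detector below is an added example, not code from the post or from either commentator; it assumes a constructed syslog-like line format (`TS auth RESULT user=U src=S`) and illustrative thresholds, both of which would be adapted to the real identity provider's logs.

```python
"""Flag password-spraying sources in authentication logs: per source, many
distinct usernames each failing only once or twice (brute force is the reverse).
A success from a flagged source marks a likely compromised account."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (syslog-like, not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth FAIL user=alice@agency.example src=203.0.113.7
2024-03-01T09:00:03Z auth FAIL user=bob@agency.example src=203.0.113.7
2024-03-01T09:00:05Z auth FAIL user=carol@agency.example src=203.0.113.7
2024-03-01T09:00:07Z auth FAIL user=dave@agency.example src=203.0.113.7
2024-03-01T09:00:09Z auth FAIL user=erin@agency.example src=203.0.113.7
2024-03-01T09:00:11Z auth OK   user=frank@agency.example src=203.0.113.7
2024-03-01T09:00:12Z auth FAIL user=alice@agency.example src=198.51.100.9
2024-03-01T09:00:13Z auth FAIL user=alice@agency.example src=198.51.100.9
2024-03-01T09:00:14Z auth FAIL user=alice@agency.example src=198.51.100.9
2024-03-01T09:00:15Z auth FAIL user=alice@agency.example src=198.51.100.9
2024-03-01T09:00:16Z auth FAIL user=alice@agency.example src=198.51.100.9
"""

def parse(line):
    """Split 'TS auth RESULT user=U src=S' into (datetime, result, user, src)."""
    ts, _, result, user, src = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2.0):
    """Map each suspected spraying source to the users it tried and any it got into."""
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    fails, successes = defaultdict(list), defaultdict(set)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)
    report = {}
    for src, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward so it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users and (end + 1 - start) / len(users) <= max_per_user:
                report[src] = {"sprayed": sorted(users),
                               "logged_in": sorted(successes[src])}
    return report
```

On the sample, the first source is flagged (five users, one failure each, then a success for frank), while the second source is classic single-account brute force and is left to the lockout policy rather than this rule.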

The carnage that MOVEit has caused is clearly not going away anytime soon. Thus, you can expect more incidents like this one to come to light.
