On Monday, November 11, Amazon confirmed a data breach that impacted its employee data. The breach, linked to the infamous MOVEit Transfer vulnerability, underscores the far-reaching consequences of last year's major supply chain attack.
The MOVEit Transfer vulnerability (CVE-2023-34362), first exploited in May 2023, is a critical SQL injection flaw that allowed unauthenticated attackers to gain access to vulnerable systems. It enabled cybercriminals to bypass security controls and potentially steal sensitive data from hundreds (likely more than 1,000) of organizations worldwide.
Amazon fell victim to this widespread attack through a third-party property management vendor. This incident highlights the importance of strong security practices throughout entire supply chains, as a single compromised vendor can have devastating consequences for its clients.
The online retail giant confirmed Monday that some employee data, including names and email addresses, was obtained by a threat actor in a breach that impacted a third-party vendor.
The threat actor responsible for the breach, known as "Nam3L3ss," has been actively exploiting the MOVEit vulnerability to target numerous organizations. The group has been observed leaking stolen data, potentially putting individuals and businesses at risk.
Along with Amazon employee names and email addresses, the stolen data also included phone numbers and locations where the employees worked, an Amazon statement said.
The third-party vendor breached in the attack was not identified.
"We have seen this trend many… I mean MANY times where a company is breached due to a relationship with a third-party. When events like this happen, it is a good time for us as cyber practitioners and leaders to reflect on your organization," said Reanna Schultz, Founder of CyberSpeak Labs LLC and host of the Defenders in Lab Coats podcast. "This can be a reminder to work with your legal department and review contracts with third-party vendors. Security is a financial risk, especially if these vendors have access to your environment or if sensitive information (like PII) is shared."
The MOVEit data theft and extortion attacks in May 2023 impacted a significant number of individuals and organizations globally. MOVEit Transfer, file transfer software developed by Progress Software, was exploited by the Cl0p ransomware group, which used a zero-day vulnerability to steal sensitive data from organizations running the software. Shortly after the attacks, the SEC launched an investigation into Progress Software.
As of August 2023, it's estimated that around 40 million individuals and more than 2,500 businesses were affected across various sectors, including healthcare, government, finance, and education.
Notable organizations hit include major financial firms, government agencies, and educational institutions worldwide. Oil giant Shell was among those affected, as were the New York City Department of Education and the Oregon DMV.
Hudson Rock has an extensive list of organizations affected, including major brand names such as MetLife, Cardinal Health, HSBC, Fidelity, U.S. Bank, HP, Delta Airlines, Leidos, Charles Schwab, 3M, and hundreds more.
Many affected businesses and institutions reported extensive data breaches, including employee information, customer records, and other sensitive details. The compromised data often included personally identifiable information (PII), health records, and financial data, leaving millions of individuals vulnerable to identity theft and fraud.
"When a data breach occurs, already having documented escalations and legal disclosure with communication aligned is crucial. An organization should not wait until a breach occurs to put these processes and procedures in place or to start having these discussions," Schultz said. "Additionally, this is a good time to reflect on your critical servers in a business's infrastructure. Are these critical systems external facing or do they have exposed ports? In cloud environments, utilize the built-in defenses like GuardDuty or Azure Defender. These security deployments will let a security team or developer know if something is externally exposed."
The FBI and other government entities took these steps in response:
- Investigation and attribution: The FBI and cybersecurity agencies began investigating, collaborating with international cybersecurity entities to attribute the attack to the Cl0p ransomware group.
- Public advisories: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI issued advisories to help organizations understand the vulnerability, implement patches, and bolster defenses.
- Tracking and mitigation efforts: Law enforcement and intelligence agencies monitored and traced ransom activities and financial channels associated with Cl0p to deter future extortion attempts.
"The MOVEit incident really highlights one of the soft underbellies of cybersecurity: insecure third-party software tools. There are other software tools like this that are widely used across U.S. companies that aren't routinely tested or don't meet any specific cybersecurity criteria," said Richard Halm, Senior Attorney, Clark Hill PLC. "Given the increased tensions with China in the cyber domain, it's also a national security issue."
Halm continued, "I think this is where CISA's attempts at forging an industry consensus around its 'Secure by Design' initiative is so important. If that fails, we'll likely see more catastrophic supply chain incidents and, eventually, more rigorous government regulation on the makers of software around the security of their products."
As Halm said, the MOVEit incident highlights the vulnerabilities in third-party software and the need for regular updates and security patches to avoid exploitation by increasingly sophisticated ransomware groups. The response from both private and public sectors illustrates an evolving approach to threat intelligence, rapid mitigation, and inter-agency collaboration on a global scale.
"Companies need to continually monitor the Darkweb for credentials related to their own organization and limit exposure to the public related to organizational structure and roles to reduce risk," said Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit. "In light of this type of breach, companies should prepare by doing a review of what may be at risk, shoring up anti-phishing methods and awareness measures, doing backup and resiliency testing, and having appropriate communications plans in place."
Dunham added, "Tabletop programs are an excellent method for simulations and identifying readiness gaps and improvements needed. This should be coupled with framework-driven operations and SecOps at the helm, powered by cyber threat intelligence (CTI)."
"The biggest risks of this data breach seem to be towards the employees themselves, as well as identity theft. Taking steps to provide tools for employees and former employees to safeguard their identity is extremely important," said John Bambenek, President at Bambenek Consulting. "Beyond that, the data is somewhat dated, which certainly helps. However, anyone caught in these breaches could be a target of a phishing attack designed to exploit deeper knowledge of their organization. Employees should be trained to spot these kinds of things to verify inbound communication, via phone, via email or via video calls, to be authentic."