Hash it Out

Ep7 | Confronting the MOVEit Zero-Day Exploit: A Race Against Time

June 05, 2023

Our team discusses the aftermath of a zero-day vulnerability in the MOVEit file transfer service.

Join Virtru's Matt Howard, CMO, and Dana Morris, SVP of Product and Engineering, in our latest Hash It Out episode as they discuss the aftermath of a zero-day vulnerability in the MOVEit file transfer service.

Progress Software's recent disclosure uncovered a critical root SQL injection vulnerability actively exploited by threat actors. The conversation emphasizes the benefits of cloud-based solutions in reducing attack surfaces and the importance of considering SaaS vendors with smaller attack surfaces and robust risk management practices. Morris and Howard discuss alternative methods, like Virtru's Secure Share, for secure file sharing that minimizes susceptibility to such exploits. Grab a cup of coffee (on us!) and gain valuable insights on mitigating data leakage risks and safeguarding sensitive information against evolving zero-day threats.

Good afternoon. My name is Matt Howard. I'm the CMO at Virtru. I'm here today with my colleague, Dana Morris.

Hey, Matt. How's it going? Good. Thanks for being here, Dana.

Busy couple of days, as you know. We are, with the rest of the industry, kind of responding to a zero day that was disclosed last week, on May thirty first, by Progress Software in their MOVEit Transfer file sharing service.

Seems like it's a pretty serious zero day that's actively being exploited in the wild as we've seen in the recent news updates, curious to kind of get your quick take.

Yeah. I mean, it does seem pretty serious.

It is, at the root, a SQL injection, which is always pretty serious. I mean, you can get access to databases and do things you're not supposed to be able to do.

And, you know, I think Progress Software, it seems like they're doing all the right things, but you have the challenge of both the fact that they offer a cloud service where they can patch it, but then they have an option where customers could be running the software stack. All those customers are responsible for taking any patches. So you've just got this challenge of time and how fast can you actually move to patch things before it's being exploited? And as we're seeing, it seems like there's evidence that it's being exploited pretty widely and there's already been data that's exfiltrated and possibly now looking at, you know, ransomware kind of campaigns.

So it's definitely bad news for everybody involved. Yeah. And I mean, the scale of this is interesting. I mean, many people may not realize.

I mean, at least, again, public sources are suggesting there's, like, twenty five hundred, maybe three thousand organizations, primarily in North America, that have deployed Progress MOVEit, you know, publicly facing to the web using HTTP, which would leave them potentially sort of exploitable in the wild as a result of this new vuln.

So that scale is not small and, you know, based on what we've seen in the latest updates today, you're talking about, you know, dozens of organizations that potentially have already been truly exploited in the wild and data's been exfiltrated.

To your point, I think Progress, the company, has done a pretty good job here. I mean, at the end of the day, it's a zero day. They didn't know that the vulnerability was there. It got apparently sort of originally observed by Mandiant, I think on May twenty seventh, when they saw some unusual activity with an organization that had data being exfiltrated; sometime just a few days later, on May thirty first, is when Progress disclosed it to their customer base.

And at that point, it really does become a race to see how fast the good guys can patch it versus how fast the bad guys can exploit it. Is that accurate? Hundred percent. And that certainly seems like that's what's playing out right now.

You know, I think there's this challenge that I don't really know what, you know, steps Progress takes in terms of how they build their software and scan it and test it and all those things. But I assume they're doing all the things that all of us are doing, using all kinds of security tools for packet scanning and testing.

But the challenge is, by the time you usually know about these things, they're already being exploited.

And so it does seem like once it was disclosed, they did react quickly, they made it public, they had a patch ready.

I would assume they patched their cloud version almost immediately, which is great news for anybody that's using their cloud software.

But when you have an on prem option, you have this additional challenge that now even having the patch alone isn't really a solution, because you have to make sure that all those customers know that there's an issue, that they know that there's a patch. And then, based on the customer, how fast can they actually get that patch deployed? We work with a number of enterprises, and you and I just had a hashing out about a particularly large organization we work with. And they have their own processes for patching and getting software out that often can add delays. So by the time all that happens, you could still be several days where this vulnerability is being taken advantage of by, you know, threat actors, and yeah, at this point it's all damage control.

I mean, it is basically the bad guys are probably going to win, at least to some degree, because by the time it's fast, they've already been in and out. Yeah. The news story is gonna play out further in the coming days for sure.

But it does beg that interesting question, you know, about the past world and the modern world. And, you know, in the modern world, there's a lot of really good arguments to be sort of leveraging cloud infrastructure and SaaS software as much as possible. And from what you described earlier, it seems like one of the main benefits to that is potentially just sort of reducing your attack surface, if you will. And, you know, rather than configuring and implementing servers and software on prem that's publicly facing the Internet, you theoretically have an opportunity to kind of consolidate your attack surface by doing business with a SaaS vendor that has maybe a smaller attack surface and, you know, perhaps some more sophisticated posture with respect to just managing risk and certainly managing their response time in a situation like this where you are faced with a zero day disclosure. Is that reasonable?

Yeah. I think so. I mean, obviously, you are sort of putting trust in another vendor to help manage your teaser data, whatever the services are that you might be leveraging.

But to your point, I think, you know, you and I have both been doing software for a long time, and I remember back when I was doing mostly on prem software, as we were transitioning to the cloud, a lot of the arguments we got from customers were, well, it's more secure because it's in my organization, my boundary.

But most of us have started digging into cloud and asking if that's really true, because the level of scrutiny, the level of testing, the level of certification, the level of skill and the layers involved in a cloud service, in my opinion, ramp the security and sort of the robustness up. Yeah. Maybe a non obvious analogy, but one that occurs to me after I live in Virginia. We just had an incident with a private plane flying over the capital, right, and having some concern about security, and then that plane eventually crashing.

And one thing that occurs to me is, you know, on prem software is a lot like, you know, flying your own private plane, versus cloud software would be like using United Airlines or Delta or American. It's not that they've never had a crash, but the number of times they've actually had a real impactful issue beyond delays and cancellations is really, really, really low throughout history versus the number of times you've seen private planes correct. Yeah. Pretty high comparatively.

And again, it's not obvious, but I think of on prem software and cloud software or SaaS delivery maybe in similar terms. Right. Yeah. I mean, United Airlines pilots are professional, and they're that for a reason; most people not working for airlines are probably amateur.

Yeah. Think about the number of checks, the number of tests that they have to run, all the pre flight checks, all the constant diagnostics, the government guidelines, the pressure, like, there's just so many other things that are happening there to make that a more robust and reliable and resilient service and safer. And I think you kinda see that in software. You know, I think it's really hard to say twenty five hundred organizations really run software to the same degree as one company that's their only focus.

Right. And that kind of, I mean, it brings us back to the original point, which is the folks at Progress have been in business a long time and they have a number of legacy customers deploying, you know, arguably sort of legacy software in this on prem fashion. And when a zero day like this gets disclosed, it's challenging for them. I certainly feel for them.

I also think that it's important that customers who may be wrestling with this reality kind of step back and ask themselves some really important questions, like what could we do differently, or what do we go to do as a result of this? What have we learned from this experience? And how should we think about new and different ways to potentially share very large files in a very secure way that's perhaps less susceptible to this type of attack surface and exploit?

And to the extent that that's something that is going to be kind of reconciled by a lot of customers, you know, obviously, at Virtru, we have capabilities that would be worth considering as you kind of, like, go through that journey.

Quick thoughts from your perspective on that. Yeah. I think so. I mean, again, I would second what you said, Matt, but it does feel like Progress is doing all the right things and responding in the right, responsible, transparent way, but, you know, I think generally, even outside of Progress of merger, I still feel like generally if you have an on prem option and you're now considering a cloud option.

I would always argue for the cloud option. I think it's in every case, it's a company that only focuses on hosting that software and thinks every day, when I'm thinking about making it secure. I'm, you know, kind of responsible for operations and delivery of the software and the security of the software in my role, leading engineering and operations, and I wake up every day thinking about how to make the system more robust, more resilient, more secure.

Secure Share being one of those offerings for large file transfers. And this is definitely the kind of thing that keeps me up at night. So this is all we focus on.

I think it's definitely something that every customer that is relying on an on prem version should be considering like, is there a better alternative? Can somebody do this for me anymore?

Cheaper and faster and maybe more robust than I can. Yeah. And so, last comment before we wrap it up. So when it comes to Virtru Secure Share, which is a secure file sharing service for large files that we offer in the marketplace.

Is there anything unique other than sort of its cloud architecture and cloud implementation? And how would you think about it, maybe describe it to someone that you know, any additional layers of protection or encryption that would be worth knowing as they kind of wrestle with the reality of the current situation that's playing out?

Yeah, I mean, I think a couple of things. First, just the fact that every object is protected with the Trusted Data Format, which is sort of a core, you know, open standard approach we have to wrapping and protecting content.

Every object is protected with its own unique set of keys.

That's one thing. So it does limit the blast radius to some degree. The other thing being that the audit trail gives you great visibility into what is actually happening with the data you are sharing, and can be fed into things like Splunk or another SIEM solution that gives you more visibility into, you know, tracking these events in real time.

And then I think the option that we offer for Virtru Private Keystore, where customers can optionally also manage a private key and even integrate that with a hardware storage module, those additional could add even more sort of robustness to the overall end to end protection for that data. It doesn't eliminate all possible, you know, attack vectors, obviously, and we never make a claim that we can guarantee that you could never ever be hacked. I mean, no software vendor would ever say that's something they could ever guarantee.

But I think the way that we protect data, the number of options we give you for protecting the keys, just creates more and more layers and more ways of, like, shrinking blast radius and making it less likely that you're going to have these widespread data leakage challenges, and where you can really isolate things and track it more in real time. Yeah. That's super helpful. Well, interesting times for sure; we'll stay abreast as the events continue to unfold, but I appreciate you taking a few minutes today to chat. Thanks, Dana. Yeah. Thanks, Matt.