We have recently been hit by the MOVEit Transfer zero-day (CVE-2023-34362, a SQL injection in the product's web front end). The Cl0p ransomware group has claimed responsibility and has started demanding ransoms and leaking stolen files to the internet. Companies such as Shell, and even local organizations such as Prudential, have acknowledged being affected.
Proceed with caution: this article is a thought piece, my reflection on the matter and on what I feel warrants further debate, because the answers will have far-reaching impact.
What is a zero-day?
A zero-day vulnerability is a security flaw in software that is unknown to the vendor, or known to it but not yet patched. The term signifies that the vendor has had "zero days" to address it: no fix is available, so every deployment of the software is exposed to anyone who knows how to exploit the flaw.
Zero-day vulnerabilities are particularly concerning because they give attackers a head start. There is no vendor patch, and signature-based defenses have nothing to match against, so an attacker can exploit the flaw to gain unauthorized access, steal data, or execute arbitrary code. What remains available to defenders is compensating controls: reducing exposure (for example, not leaving an internet-facing file-transfer server reachable from everywhere), running the software with least privilege, and monitoring for anomalous behaviour. These limit the damage even before a patch exists.
The life of a zero-day usually follows a particular timeline. First the flaw exists, but nobody has found it. Once someone discovers it, it is a zero-day. The discoverer may notify the vendor (coordinated disclosure), giving it time to develop and ship a patch, or may instead sell the flaw on the grey or black market or exploit it directly, in which case the vendor typically learns of it only when the exploitation is noticed, and users remain at risk until a fix is developed and distributed.
Zero-days can exist in any kind of software: operating systems, web browsers, applications, or firmware. Their discovery underscores the importance of responsible disclosure and prompt patching. Vendors encourage users to keep systems current with the latest patches, which protects against known vulnerabilities; against an actual zero-day, patching helps only once the fix ships, which is why it must be combined with exposure reduction and monitoring.
What is ransomware?
Ransomware is malware that encrypts a victim's files, or locks the computer or mobile device, and demands a ransom in exchange for restoring access. It is a form of cyber extortion aimed at individuals, businesses, and organizations. Many groups now also steal data before encrypting and threaten to publish it if the ransom is not paid ("double extortion"). In the MOVEit campaign Cl0p relied entirely on that second lever: it stole files through the vulnerability and threatened to leak them, without encrypting anything.
When a device is infected with ransomware, the malware encrypts important files or restricts access to the entire system and displays a message explaining the situation to the victim. The message typically includes instructions on how to pay the ransom, usually in a cryptocurrency such as Bitcoin, in exchange for a decryption key or the release of the affected system.
Ransomware reaches victims through various means, including malicious email attachments, drive-by downloads from compromised websites, and exploitation of vulnerabilities in software or operating systems (the MOVEit case). Attackers also use social engineering to deceive victims into installing the malware themselves.
Ransomware attacks can have severe consequences: significant data loss, financial loss, reputational damage, and operational disruption for individuals, businesses, and even critical infrastructure. Paying the ransom does not guarantee that the attacker will provide the decryption key or refrain from leaking the data, and it also incentivizes further attacks.
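The paragraphs above describe ransomware by its observable effect: readable files are overwritten with ciphertext. As an added example (mine, not from the original article and not taken from any real ransomware analysis), here is the kind of detection logic a file-server or endpoint monitor uses to catch that effect: compare two snapshots of a file tree and flag files whose byte entropy jumped to near 8 bits/byte while losing any recognisable format header. The snapshots, file names and the SHA-256-chain "ciphertext" are constructed for the example; a real deployment would read files from disk and also watch for mass renames and ransom-note drops.

```python
"""Entropy-based detector for bulk file encryption (illustrative, added example)."""
import hashlib
import math
from collections import Counter

# Entropy (bits per byte) above which a buffer looks like ciphertext or
# compressed data. English text sits around 4-5 bits; random bytes approach 8.
HIGH_ENTROPY = 7.5

# Magic numbers of formats that are legitimately high-entropy. Ransomware
# overwrites these headers with ciphertext, and that missing header is the tell.
COMPRESSED_MAGIC = {
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_compressed(data: bytes) -> bool:
    """True if the buffer starts with one of the magic numbers above."""
    return any(data.startswith(magic) for magic in COMPRESSED_MAGIC)


def looks_encrypted(data: bytes) -> bool:
    """High entropy with no recognisable compressed-format header."""
    return shannon_entropy(data) >= HIGH_ENTROPY and not known_compressed(data)


def find_newly_encrypted(before: dict, after: dict) -> list:
    """Compare two snapshots {path: bytes}; return paths that did not look
    encrypted before (plain text, or a known compressed format) but do now."""
    flagged = []
    for path, new in after.items():
        old = before.get(path)
        if old is None:
            continue  # file did not exist before; nothing to compare against
        if looks_encrypted(new) and not looks_encrypted(old):
            flagged.append(path)
    return sorted(flagged)


# --- Constructed sample data (not real files) ---------------------------

def pseudo_ciphertext(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (SHA-256 chain)."""
    out, block = bytearray(), seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Repeated English sentence: roughly 4.5 bits/byte of entropy.
PLAINTEXT = b"Quarterly report: revenue grew 4 percent; headcount flat. " * 80

BEFORE = {
    "report.txt": PLAINTEXT,
    "photos.zip": b"PK\x03\x04" + pseudo_ciphertext(b"zip", 4096),
    "notes.txt": PLAINTEXT,
    "backup.gz": b"\x1f\x8b" + pseudo_ciphertext(b"gz", 4096),
}

AFTER = {
    "report.txt": pseudo_ciphertext(b"k1", 4096),  # overwritten with ciphertext
    "photos.zip": pseudo_ciphertext(b"k2", 4096),  # header gone: no longer a zip
    "notes.txt": PLAINTEXT,                        # untouched
    "backup.gz": BEFORE["backup.gz"],              # untouched, legitimately high-entropy
}

if __name__ == "__main__":
    for path in find_newly_encrypted(BEFORE, AFTER):
        print(f"possible encryption: {path}")
```

Entropy on its own is not enough: zip, JPEG and gzip files are legitimately high-entropy, which is why the header check is there, and an attacker who leaves headers intact or encrypts only part of each file will slip past it. Note also that a detector of this kind would have seen nothing in the MOVEit campaign, where the files were copied out rather than encrypted; for that you need egress monitoring on the transfer server itself.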
MOVEit aftermath
We are now seeing the victim list being made public bit by bit by Cl0p, and some organizations are completely surprised to find their data held to ransom (this is a separate issue, relating to cyber awareness, or even a more fundamental one of asset inventory: knowing which of your systems and suppliers run MOVEit in the first place).
I keep thinking about what happened to Merck [1], the pharmaceutical company hit by NotPetya in 2017. Merck recovered and filed a claim under its property insurance; the insurers refused to pay, invoking the policy's war exclusion; Merck took them to court, and the New Jersey courts held that the exclusion did not apply, upholding roughly USD 1.4 billion in coverage.
Coming back to MOVEit specifically, some questions continue to bug me, and they concern the broader picture rather than this one incident.
- Software is imperfect. Bugs exist in every piece of software and firmware we use daily; most are simply never found. I prefer to call them "undocumented features" rather than bugs. So the question is: (a) is the software vendor liable for a zero-day if it was unaware of the flaw, or (b) even if it was aware but had not fixed it, for whatever reason? (c) Does the answer differ between bespoke software and off-the-shelf software?
- Software is shipped and then deployed by the customer, which adds another layer. (a) Is software installed with all default settings covered by a manufacturer's warranty? (b) What about software customized purely through configuration and settings, with no code modified?
- Does a software vendor take responsibility when a bug in an open-source library it bundles is found and exploited, given that the license it displays for that library (MIT, BSD, Apache and the like) disclaims all warranty?
- When software is found to have a bug or is exploited, are there exemptions that exclude the vendor from liability, for instance because the flaw was an unknown zero-day? (I know, I know, but I also stress that a zero-day can be known and yet not public, for example one already reported through a bug bounty but not yet fixed.)
These questions create a permutation of conditions that complicates the situation, and they lead me to a further, more important set of questions about the breach itself.
- When an organization is breached through a zero-day and suffers losses, whose responsibility is it? The organization's? The software vendor's?
- How will cyber insurers deal with such incidents? Whom will they pursue?
- At what point can the organization say that all due diligence has been completed and there is no further action it could have taken?
- We now know from the Merck ruling that a war exclusion is not an easy escape for an insurer in a cyber claim (though insurers have responded by tightening policy wordings, for instance the Lloyd's market's state-backed cyber attack exclusions introduced in 2023). In what other situations would insurers walk away unscathed?
And my final question, following the Zurich chief's remarks [2]: if cyber risk is becoming uninsurable, are we handing insurers free money for non-existent comfort? Most cyber insurers bundle crisis-management and DFIR services, but you do not need an insurer to retain those. What will you really get from your insurer when you are facing a cyber crisis?
I don't have answers to these questions yet, but I am interested to hear what you think.
References
[1] Merck entitled to $1.4B payout in cyberattack case after judge refutes insurers' 'warlike action' claim. FiercePharma. https://www.fiercepharma.com/pharma/merck-entitled-14b-payout-cyberattack-case-after-judge-refutes-insurers-warlike-action-claim
[2] Cyber attacks set to become 'uninsurable', says Zurich chief. Financial Times (2022). Retrieved 25 June 2023, from https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d