A U.S. educational nonprofit has announced that nearly 900 schools using the organization’s services may have been affected by a recent data breach.

In a security issue update released this week, the National Student Clearinghouse revealed it is investigating a recent cybersecurity issue involving a vulnerability in one of The Clearinghouse’s third-party software tools, MOVEit Transfer, which has potentially affected thousands of other organizations worldwide. The cyberattack exploits a vulnerability in MOVEit, a widely-used third-party data transfer service used to send large files.

“While we continue to investigate this issue, all Clearinghouse services are fully operational,” the update stated.

According to their website, the Clearinghouse is an educational nonprofit that provides reporting, verification and research services to colleges and universities in North America with a network of 3,600 participating colleges and universities and 22,000 high schools.

“As cyber teams continue to address this spate of attacks, the news should serve as a wakeup call to every organization that this serious zero-day vulnerability must be remediated immediately,” said Darren Guccione, CEO and Co-Founder at Keeper Security. “However, as any organization grows and becomes a more appealing target, the quality and focus of these attacks will increase accordingly. All organizations should take a proactive approach to regularly update software and immediately patch vulnerabilities that are being actively exploited in the wild. Organizations must ensure they have a patch deployment process defined and written down, with emergency levers for critical vulnerabilities. When organizations have a clear plan, their teams can execute it accordingly.”

Filings show that on May 31, the Clearinghouse was informed by third-party software provider, Progress Software, of a cybersecurity issue involving the provider’s MOVEit Transfer solution. The organization has been working with leading cybersecurity experts to assess the impact of the MOVEit vulnerability on the Clearinghouse and their systems. In addition to applying the relevant security patches and following guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), the Clearinghouse also rebuilt the organization’s entire MOVEit environment.

“We also are coordinating with law enforcement,” the Clearinghouse said in the statement. “Based on our ongoing investigation, we have determined that an unauthorized party obtained certain files transferred through the Clearinghouse’s MOVEit environment, including files containing data that we maintain on behalf of some of our customers. We have notified the organizations whose data we have identified as affected by this issue. We have no evidence to suggest that the unauthorized party specifically targeted the Clearinghouse, our customers, or other organizations that provide data to the Clearinghouse.”

Security leaders weigh in

Colin Little, Security Engineer, Centripetal: 

Unfortunately, schools, and the professional organizations that serve them, will always be an attractive target for attackers due to their limited cyber expertise and budgets. Educational institutions can bolster their defenses against cyberattackszero like MOVEit by implementing a multifaceted cybersecurity strategy.

First, schools need to prioritize employee cybersecurity training to raise awareness about phishing threats and social engineering tactics. Strong password policies and multifactor authentication can enhance login security.

Second, regularly updating and patching software and systems is critical to addressing vulnerabilities.

Third, and most important, taking a proactive approach by implementing intelligence powered cybersecurity can help identify emerging threats and address potential weaknesses in their infrastructure.

By adopting these measures, education institutions can significantly reduce their vulnerability to MOVEit and similar cyberattacks in the future.

Darren Guccione, CEO and Co-Founder at Keeper Security:

Zero-day vulnerabilities are a significant cybersecurity risk that leave software open to exploitation which can lead to data theft, system compromise or other malicious activities. This SQL injection vulnerability in software designed to share sensitive data is just another example of the harm attackers can cause when they’re able to exploit these known vulnerabilities.

In this case, the attacker may be able to infer information about the structure and contents of a MOVEit Transfer database, or even alter or delete database elements.

Organizations that are the custodians of critical information require a much higher bar for security and monitoring than other types of organizations. Vendor selection, outsourcing, bringing in any third party products- all add layers of complexity to your defense strategy. Ensuring organizations select the correct vendors, via multiple facets including cost, functionality, usability, compatibility, and of course security, is becoming increasingly important. Does a vendor have the right certifications and do they have a proven track record? However, even making these seemingly right choices can lead to a breach. Unfortunately this is the reality we live in, and it is why "defense in depth" is an important pillar of cybersecurity.

The most effective method for minimizing sprawl when these attacks do occur is by investing in prevention with a zero-trust and zero-knowledge cybersecurity architecture that will significantly limit a bad actor’s access.

Gareth Lindahl-Wise, CISO at Ontinue:

It is no coincidence that cyber criminals target widely used products as they operate on a strict effort versus reward basis. Market penetration is a guiding light for some groups - and remember that we may be looking at secondary consequences of original motives (an initial attack for targeted data theft is then exploited by downstream baddies for other objectives).

Any customers of a compromised provider should be considering containment (isolation, credential resets), prevention (update or switch off) and enhanced monitoring. For this particular incident, I would ensure any stored historic transferee files / folders are removed from the platform.

Supervisory and management platforms should feature towards the top of incident management scenarios due to the potential wide reach they can have. With a focus on the fundamentals again:

  • Do we know how to update (is that internal or needs a partner)?
  • Can we isolate? Do we know the impact to our operations would be if we did?
  • Do we have logs (are they enabled, can we access them, can we ask for them)?
  • Do we know what ‘unusual’ looks like and are we looking for it?

Colin Little, Security Engineer, Centripetal: 

Unfortunately, schools, and the professional organizations that serve them, will always be an attractive target for attackers due to their limited cyber expertise and budgets. Educational institutions can bolster their defenses against cyberattacks like MOVEit by implementing a multifaceted cybersecurity strategy.

First, schools need to prioritize employee cybersecurity training to raise awareness about phishing threats and social engineering tactics. Strong password policies and multifactor authentication can enhance login security.

Second, regularly updating and patching software and systems is critical to addressing vulnerabilities.

Third, and most important, taking a proactive approach by implementing intelligence powered cybersecurity can help identify emerging threats and address potential weaknesses in their infrastructure.

By adopting these measures, education institutions can significantly reduce their vulnerability to MOVEit and similar cyberattacks in the future.

John Bambenek, Principal Threat Hunter at Netenrich:

MOVEIt is an inherently internet-facing service that has an actively exploited vulnerability used by several threat groups. Ransomware is the obvious one because the end of the attack is informing the victim to get a ransom, however, anyone who wants to steal data can take advantage.

The vulnerability (and patch) have been known for four months. There is a long tail of figuring out if you had been victimized. For organizations still using a vulnerable version of MOVEIt, the most important thing they should do is fire the CISO because there is no excuse for not having remediated it by now.