Executive Summary
In recent years, a wave of major supply chain cyberattacks, most notably the SolarWinds compromise in 2020 and the MOVEit Transfer breach in 2023, has demonstrated how adversaries exploit trusted vendors to bypass defenses at scale. In the SolarWinds incident, attackers inserted a backdoor into signed Orion software updates that were distributed to roughly 18,000 customers, including government agencies and Fortune 500 companies, and the implant went undetected for months. Three years later, a zero-day SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362) let the Clop ransomware group exfiltrate sensitive data from more than 2,000 organizations, affecting over 62 million individuals, and extort victims through data theft alone. These incidents inflicted operational and reputational damage, drew regulatory and legal scrutiny, and showed that even well-defended organizations remain exposed through third-party dependencies.
Supply chain attacks now pose an elevated risk as threat actors increasingly target software providers, managed service firms, and widely used platforms to maximize reach and disruption. Rising regulatory expectations on supply chain oversight, combined with new TTPs like supply chain ransomware and identity abuse, solidify supply chain risk as a top boardroom and CISO concern.
Why This Matters Now
With software dependencies growing exponentially and criminals increasingly targeting vendors, organizations face a heightened risk of cascading breaches. Traditional point-in-time third-party risk assessments are no longer sufficient; real-time monitoring of vendor connections, threat intelligence, and proactive vendor controls are needed to contain supply chain threats before they spread.
Attack Path Analysis
Attackers gained initial access by compromising a third-party vendor or trusted supply chain partner, often through a software vulnerability such as a zero-day in a file transfer tool or through a tampered software update. They escalated privileges by reusing the vendor's trusted credentials and integration tokens or by exploiting configuration weaknesses in the connected environment. They then moved laterally across internal cloud environments and services, using unrestricted east-west connectivity to reach a broader set of systems. To maintain control, they established persistent command-and-control channels, blended into ordinary outbound traffic, and used them to orchestrate further activity and evade detection. Sensitive data was exfiltrated over encrypted or covert outbound channels, targeting customer records, proprietary data, and backups. Finally, the attackers caused impact either by encrypting or deleting data (ransomware and extortion) or by using the foothold for further downstream attacks, resulting in operational disruption and reputational damage.
Kill Chain Progression
Initial Compromise
Description
Adversaries compromised a trusted third-party provider or injected malicious code into a software update pipeline, exploiting weaknesses such as unpatched internet-facing software or weak vendor access controls.
Related CVEs
CVE-2023-34362
CVSS 9.8 (Critical). A SQL injection vulnerability in the Progress MOVEit Transfer web application allows an unauthenticated attacker to gain access to the MOVEit Transfer database; depending on the database engine in use, the attacker can infer its structure and contents and execute statements that alter or delete data, leading to escalated privileges and unauthorized file access. In the May 2023 campaign, Clop used it as a zero-day to deploy the LEMURLOOT web shell (human2.aspx) and steal files in bulk.
Affected Products:
Progress MOVEit Transfer – 2020.0.0 through 2020.1.6, 2021.0.0 through 2021.0.6, 2021.1.0 through 2021.1.4, 2022.0.0 through 2022.0.4, 2022.1.0 through 2022.1.5, 2023.0.0 through 2023.0.1
Exploit Status:
Exploited in the wild; added to the CISA Known Exploited Vulnerabilities catalog on June 2, 2023.
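As an added example (not code from the original page, Progress, or CISA), the following Python script performs two checks a defender would run for this CVE: it tests an installed MOVEit Transfer version string against the affected ranges listed above, and it triages IIS access log lines for the request indicators that CISA advisory AA23-158A attributes to the Clop campaign, namely hits on the LEMURLOOT web shell path human2.aspx and POST requests to /moveitisapi/moveitisapi.dll with action=m2. Those indicator details are recalled from the advisory rather than quoted, so verify them against it before relying on them; the log lines and the `#Fields:` layout are constructed.

```python
"""Exposure check and IIS log triage for CVE-2023-34362 (MOVEit Transfer).

Added example; not code from the original page, Progress, or CISA.
Version ranges are the affected-products list on this page. The request
indicators (human2.aspx web shell, POST to moveitisapi.dll?action=m2) are
recalled from CISA advisory AA23-158A; verify them against the advisory.
All log lines below are constructed for illustration.
"""
from dataclasses import dataclass

# (first affected, last affected), inclusive, exactly as listed on the page.
# Versions outside every range (e.g. pre-2020 releases) return False here
# because the page lists no data for them; check the vendor advisory for those.
AFFECTED_RANGES = [
    ((2020, 0, 0), (2020, 1, 6)),
    ((2021, 0, 0), (2021, 0, 6)),
    ((2021, 1, 0), (2021, 1, 4)),
    ((2022, 0, 0), (2022, 0, 4)),
    ((2022, 1, 0), (2022, 1, 5)),
    ((2023, 0, 0), (2023, 0, 1)),
]


def parse_version(text):
    """Parse 'YYYY.minor.patch' into a comparable tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MOVEit Transfer version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version string falls inside any listed affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed IIS W3C log excerpt. /human.aspx is MOVEit's legitimate login
# page; /human2.aspx is the name the LEMURLOOT web shell used to blend in.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2023-05-27 22:14:01 GET /human.aspx - 198.51.100.7 200
2023-05-27 22:14:09 POST /moveitisapi/moveitisapi.dll action=m2 198.51.100.7 200
2023-05-27 22:14:10 POST /guestaccess.aspx - 198.51.100.7 200
2023-05-27 22:14:15 POST /human2.aspx - 198.51.100.7 200
2023-05-27 22:15:40 GET /api/v1/folders - 203.0.113.5 200
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    client_ip: str
    reason: str


def triage_iis_log(text):
    """Scan W3C-format IIS log text and return a Finding per indicator hit."""
    fields = None
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]          # column layout declared by IIS itself
            continue
        if raw.startswith("#") or not raw.strip() or fields is None:
            continue
        cols = raw.split()
        if len(cols) != len(fields):
            continue                          # truncated or malformed line: skip, don't crash
        rec = dict(zip(fields, cols))
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "").lower()
        ip = rec.get("c-ip", "?")
        if stem.endswith("/human2.aspx"):
            findings.append(Finding(line_no, ip, "request to LEMURLOOT web shell path human2.aspx"))
        elif (rec.get("cs-method") == "POST"
              and stem == "/moveitisapi/moveitisapi.dll"
              and "action=m2" in query):
            findings.append(Finding(line_no, ip,
                "POST moveitisapi.dll action=m2: exploit-chain step, review with surrounding requests"))
    return findings


def suspect_ips(findings):
    """Distinct client IPs to pivot on in firewall, proxy and database audit logs."""
    return sorted({f.client_ip for f in findings})


if __name__ == "__main__":
    for ver in ("2021.0.6", "2021.0.7", "2023.0.1"):
        print(ver, "affected" if is_affected(ver) else "not in listed ranges")
    hits = triage_iis_log(IIS_LOG)
    for f in hits:
        print(f"line {f.line_no} {f.client_ip}: {f.reason}")
    print("pivot IPs:", suspect_ips(hits))
```

IIS does not record request headers by default, so the header the web shell uses for authentication (X-siLock-Comment, as recalled from the advisory) will not appear in these logs; capture it at a reverse proxy or with custom IIS logging fields if you need it. Treat a single action=m2 POST as a lead rather than a verdict, since that endpoint also serves legitimate traffic; the web shell path is the higher-confidence indicator.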
MITRE ATT&CK® Techniques
MITRE ATT&CK techniques mapped to the supply chain attack vectors described above.
Supply Chain Compromise (T1195)
Valid Accounts (T1078)
Exploit Public-Facing Application (T1190)
Phishing (T1566)
Compromise Client Software Binary (T1554)
Ingress Tool Transfer (T1105)
Exfiltration Over C2 Channel (T1041)
Data Encrypted for Impact (T1486)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor Third-Party Service Providers' PCI DSS Compliance Status at Least Once Every 12 Months
Control ID: 12.8.4
NYDFS 23 NYCRR 500 – Third-Party Service Provider Security Policy
Control ID: 500.11
DORA (Digital Operational Resilience Act) – ICT Third-Party Risk Management
Control ID: Article 28
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
CISA Zero Trust Maturity Model 2.0 – Asset & Supply Chain Risk Management (Devices pillar)
Control ID: Devices – Asset & Supply Chain Risk Management (ZTMM defines no standalone supply chain control; continuous monitoring of third parties is expressed through this function and the Visibility & Analytics cross-cutting capability)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical exposure to supply chain attacks through software dependencies, managed services, and third-party integrations requiring continuous zero trust segmentation and threat detection capabilities.
Financial Services
High-value targets for supply chain compromises via vendor data breaches and payment processing systems, demanding enhanced egress security and encrypted traffic monitoring solutions.
Health Care / Life Sciences
Vulnerable to ransomware extortion campaigns through medical equipment vendors and EHR systems, requiring HIPAA-compliant multicloud visibility and anomaly response capabilities.
Government Administration
Prime targets for nation-state supply chain attacks like SolarWinds, necessitating comprehensive east-west traffic security and inline intrusion prevention system deployment.
Sources
- How to Mitigate Supply Chain Attacks – https://www.recordedfuture.com/blog/supply-chain-attacks
- CISA Adds One Known Exploited Vulnerability to Catalog – https://www.cisa.gov/news-events/alerts/2023/06/02/cisa-adds-one-known-exploited-vulnerability-catalog
- StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (AA23-158A) – https://www.cisa.gov/sites/default/files/2023-06/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_2.pdf
- NVD – CVE-2023-34362 – https://nvd.nist.gov/vuln/detail/CVE-2023-34362
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Enforcing Zero Trust segmentation, granular policy controls, robust egress filtering, and real-time threat detection across cloud and hybrid environments would have substantially limited the attacker's ability to move laterally, exfiltrate data, and cause widespread impact even after a supply chain compromise.
Control: Multicloud Visibility & Control
Mitigation: Real-time visibility would surface new vendor connections, anomalous changes, and risk exposures for faster incident containment.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation and enforced least-privilege policies would have limited privilege escalation by restricting vendor access to minimal required resources.
Control: East-West Traffic Security
Mitigation: Workload-to-workload policy and internal traffic inspection would have detected and constrained lateral movement between cloud services.
Control: Cloud Firewall (ACF)
Mitigation: Outbound egress filtering and real-time inspection disrupt C2 setup by blocking suspicious domains, IPs, and payloads.
Control: Egress Security & Policy Enforcement
Mitigation: Granular egress controls and destination filtering block unauthorized data exports and alert on suspicious outbound flows.
Control: Anomaly & Threat Detection
Mitigation: Anomaly and threat detection tools provide early warning and automated containment of destructive or ransomware-like behaviors.
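As an added example of the egress and east-west checks the controls above describe (not code from the original page or from any CNSF or ACF product), this Python script evaluates a constructed set of outbound flow records against a per-workload destination allowlist and flags three things: destinations that are not on the allowlist, single flows large enough to look like bulk exfiltration, and repeated connections to one destination at fixed intervals, the beaconing pattern of a command-and-control channel. The workload names, allowlist, thresholds and flow records are all hypothetical.

```python
"""Egress allowlist, exfiltration-volume and beaconing checks over flow records.

Added example; not code from the original page or from any CNSF/ACF product.
Workloads, allowlist entries, thresholds and the flow log are all constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Hypothetical per-workload egress allowlist: {source workload: {(dest host, port)}}.
ALLOWLIST = {
    "mft-web-01": {("updates.vendor.example", 443), ("db-01.internal", 1433)},
    "mft-db-01": {("backup.internal", 443)},
}
EXFIL_BYTES = 50 * 1024 * 1024   # assumed baseline: flag any single flow above 50 MiB
BEACON_MIN_COUNT = 4             # need at least 4 connections to judge periodicity
BEACON_MAX_JITTER_S = 5.0        # std-dev of inter-arrival gaps at or below this looks scheduled

# Constructed flow log: (ISO timestamp, source workload, dest host, dest port, bytes out).
# Includes normal vendor traffic, a fixed-interval beacon to an unlisted IP, and one
# oversized internal transfer to an allowlisted destination.
FLOWS = [
    ("2023-05-28T01:00:00", "mft-web-01", "updates.vendor.example", 443, 12_000),
    ("2023-05-28T01:00:05", "mft-web-01", "db-01.internal", 1433, 4_000),
    ("2023-05-28T01:05:00", "mft-web-01", "203.0.113.9", 443, 900),
    ("2023-05-28T01:10:00", "mft-web-01", "203.0.113.9", 443, 880),
    ("2023-05-28T01:15:00", "mft-web-01", "203.0.113.9", 443, 910),
    ("2023-05-28T01:20:00", "mft-web-01", "203.0.113.9", 443, 905),
    ("2023-05-28T01:22:00", "mft-web-01", "db-01.internal", 1433, 120 * 1024 * 1024),
    ("2023-05-28T01:25:00", "mft-db-01", "backup.internal", 443, 30 * 1024 * 1024),
]


def check_egress(flows, allowlist=ALLOWLIST):
    """Return sorted (category, source, destination, detail) findings.

    Categories: 'unlisted' (destination not allowlisted for that workload),
    'volume' (single flow over EXFIL_BYTES), 'beacon' (fixed-interval connections).
    """
    findings = set()                       # set so repeated unlisted flows dedupe to one finding
    by_pair = defaultdict(list)            # (src, dst, port) -> connection timestamps
    for ts, src, dst, port, nbytes in flows:
        if (dst, port) not in allowlist.get(src, set()):
            findings.add(("unlisted", src, dst, f"port {port} not on allowlist for {src}"))
        if nbytes > EXFIL_BYTES:
            findings.add(("volume", src, dst, f"{nbytes} bytes in one flow exceeds {EXFIL_BYTES}"))
        by_pair[(src, dst, port)].append(datetime.fromisoformat(ts))

    for (src, dst, port), times in by_pair.items():
        if len(times) < BEACON_MIN_COUNT:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Evenly spaced connections have near-zero spread in their gaps.
        if pstdev(gaps) <= BEACON_MAX_JITTER_S:
            findings.add(("beacon", src, dst,
                          f"{len(times)} connections at ~{gaps[0]:.0f}s intervals on port {port}"))
    return sorted(findings)


if __name__ == "__main__":
    for category, src, dst, detail in check_egress(FLOWS):
        print(f"[{category}] {src} -> {dst}: {detail}")
```

The beacon test is deliberately simple: it only catches fixed-interval traffic, and real C2 frameworks add jitter, so a production detector would compare against a learned per-destination baseline rather than a single standard-deviation cutoff. The volume check fires even on an allowlisted destination, which is the point: a compromised vendor integration usually talks to hosts it was always allowed to reach, so destination alone is not enough.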
Impact at a Glance
Affected Business Functions
- File Transfer Operations
- Data Management
- IT Infrastructure
Estimated downtime: 7 days
Estimated loss: $5,000,000
Potential exposure of sensitive files and data due to unauthorized access facilitated by the vulnerability.
Recommended Actions
Key Takeaways & Next Steps
- Implement continuous visibility and dynamic risk monitoring across all cloud and vendor connections rather than relying on periodic audits.
- Enforce Zero Trust segmentation and microsegmentation to limit lateral movement and contain threats to the smallest possible blast radius.
- Mandate granular, identity-aware policy controls on both inbound and outbound (egress) network flows, including explicit allowlisting and intelligent filtering.
- Integrate real-time threat detection and anomaly response to surface covert attacker activity, especially east-west and hybrid cloud movement, before exfiltration or impact occurs.
- Conduct regular validation and simulation exercises to ensure supply chain exposures are mapped, controls are enforced, and incident playbooks are cloud-ready.