Ordr Announces Integration with ServiceNow Vulnerability Response Read more here!

The 2023 Verizon Data Breach Investigations Report is out. Like most folks in the cybersecurity industry, we downloaded it and pored over the contents to see what was new and relevant and surprising. As always, there’s a lot of data that quantifies the issues we see everyday: ransomware attacks, social engineering, underlying factors, threat types, etc. For example, the summary of findings identified external actors as the top threat involved in 83% of breaches; said that human error plays a role in 74% of all breaches; and reported that 24% of attacks involve ransomware; and broke down credential theft, phishing, and exploitation of vulnerabilities as the three primary means of attack.

Digging Deeper

Then we gravitated toward findings specific to the industries that Ordr is focused on and that have embraced our technology as a part of their cybersecurity strategies.

  • In financial services and insurance, we learned that “basic web application attacks, miscellaneous errors, and system intrusion represent 77% of breaches,” and that financial gain was the motive in 97% of attacks on the industry.
  • In healthcare we learned that “system intrusion, basic web application attacks, and miscellaneous errors represent 68% of breaches,” and that financial gain was the motive in 98% of attacks on the industry.
  • In manufacturing we learned that “system intrusion, social engineering, [and] basic web application attacks represent 83% of breaches,” and that financial gain was the motive in 96% of attacks on the industry.

Similar results were reported down the line in accommodation and food services, education services, government, IT and so on. Threat actors want money, they are good at finding ways into networks where they aren’t welcome, and whether by their intent, neglect, or error, people inside of breached organizations are a reliable source of help. Each data point illuminates and confirms issues we all intuitively recognize as true.

“Threat actors want money, they are good at finding ways into networks where they aren’t welcome, and whether by their intent, neglect, or error, people inside of breached organizations are a reliable source of help.”

Then we started looking deeper. Our focus at Ordr is on protecting enterprises by securing the growing number of connected devices at work in enterprises across the globe, in every industry. These include categories like the Internet of Things (IoT), Internet of Medical Things (IoMT), Industrial Internet of Things (IIoT), Operational Technology (OT), and the many devices connecting to networks to perform new and exciting tasks in a variety of niche roles (XIoT).

A Threat to Health and Safety

The risks that unsecured devices present to the organizations that own them are well known, and the implications of attacks affecting them are troubling. In healthcare, for example, attacks may have financial motives, as the VDBIR says. But recent research by the Ponemon Institute found that cyberattacks on hospitals correlated to an increase in negative outcomes for patients in 57% of hospitals affected due to delays in performing needed tests and procedures. The problem is so severe that hospitals with no means of protecting the medical devices integral to the delivery of patient care are training staff in “code dark” response, which is the physical unplugging and disconnecting of at-risk systems.

The problem is so severe that hospitals with no means of protecting the medical devices are training staff in ‘code dark‘ response, which is the physical unplugging and disconnecting of at-risk systems.

The dangers associated with vulnerable IoT, IoMT, and OT devices, and the risks they pose to not only critical infrastructure but financial services, manufacturing, and smart cities, are so concerning to our economic and physical security that connected devices are a part of the White House’s National Cybersecurity Strategy, called out in “Strategic Objective 3.2: Drive the Development of Secure IoT Devices.” The FDA has also issued a mandate to ensure new devices entering the market are built to be secure. And over in the UK connected device security is called out as part of that country’s new National Health Services cybersecurity strategy.

Despite the real and troubling issues associated with IoT security, there is no mention of them in the 2023 VDBIR. And OT security is dismissed with the explanation that “we continue to see [a] very small numbers of incidents involving Operational Technology (OT), where the computers interface with heavy machinery and critical infrastructure,” in contrast to the volume of attacks on traditional IT systems.

Vector, Path, or Target

It is worth pointing out that even if IoT, IoMT, and OT are not the initial vector of attack, such systems may be the target of an attack, or used as a path of attack as threat actors, once inside a network, move laterally to their intended destination. It could also be that, because the VDBIR takes a broad and high-level view of the data they collect, the presence of IoT in the report is simply buried in the data. Or maybe it is not known that connected devices are involved. Our analysis following the discovery of devices connected and operating on customer networks shows that as many as 15% of those devices were unknown to IT security and management prior to deployment of Ordr. You can’t secure what you can’t see, and so an attack in which an unknown, vulnerable, and unsecured connected device was the primary vector would also be invisible to security analysts.

More likely is that attacks involving IoT, IoMT, or OT devices are probably too granular a detail to be called out specifically in any report based on broad security analysis. But that doesn’t mean the risk isn’t real, and that the potential effects of an attack involving connected devices are not dire. They are, and that is why we built the Ordr platform to see, know, and secure every device in any network.

Coauthors: Srinivas Loke, Gowri Sunder Ravi

Progress Software, which makes the MOVEit Transfer app, first disclosed a vulnerability for the MOVEit application on May 31st, 2023. The MOVEit application is a managed file transfer software produced by IPSwitch (acquired by Progress Software Corporation). It encrypts and uses secure FTP to transfer data with automation. MOVEit is used by thousands of enterprises, including 1700 software companies and 3.5 million developers. MOVEit is also used significantly within the healthcare industry, with HHS recently issuing an alert on this.

1. What Are The MOVEit Vulnerabilities?

CVE-2023-34362, with a CVSS score of 9. 8, is a critical SQL injection vulnerability affecting MOVEit Transfer and MOVEit Cloud. The vulnerability allows unauthenticated attackers to control a MOVEit installation completely, potentially leading to data alteration or theft, malicious software installation, and server configuration changes. The MOVEit Transfer versions affected are:

  • before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5),
  • and 2023.0.1 (15.0.1)

Following this disclosure, two additional vulnerabilities were disclosed for a total of three to date:

2. Has this vulnerability been exploited?

Exploits of the vulnerability have been discovered in the wild, and have been attributed to the Cl0p ransomware group (also known as FIN11 or Lace Tempest). It has been reported that attacks against this vulnerability were “zero-day attacks” and may have begun as early as May 27, 2023, before a patch was available or the vulnerability was publicly disclosed or discussed.

3. Recommendations by Progress Software

  • Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment
    • More specifically, modify firewall rules to deny HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until the patch can be applied.
  • Review, Delete, and Reset
      • Delete Unauthorized Files and User Accounts (Particularly looks for an event associated with human2.aspx)
      • Delete any instances of the human2: aspx (or any files with the human2 prefix) and .cmdline script files.
      • On the MOVEit Transfer server, look for any new files created in the C:\MOVEitTransfer\wwwroot\ directory.
      • On the MOVEit Transfer server, look for new files created in the C:\Windows\TEMP\[random]\ directory with a file extension of [.]cmdline
      • On the MOVEit Transfer server, look for new APP_WEB_[random].dll files created in the C:\Windows\Microsoft. NET\Framework64\[version]\Temporary ASP .NET Files\root\[random]\[random]\ directory:
      • Stop IIS (iisreset /stop)
      • Delete all APP_WEB_[random].dll files located in C:\Windows\Microsoft. NET\Framework64\[version]\Temporary ASP. NET Files\root\[random]\[random]\
      • Start IIS (iisreset /start). Note:The next time the web application is accessed, it will be rebuilt correctly. It is normal to have 1 APP_WEB_[random].dll file located in this directory.
  • Apply the Patch

4. How Ordr Can Help


Vulnerability mapping of impacted devices:

    • Ordr provides application mapping via its Software inventory Collector to detect MOVEit applications in the network and uses its Vulnerability Matching engine to identify whether the organization is impacted:
    • Using its Software Inventory Collector, Ordr provides visibility into all the apps installed on all enterprise or health system devices, workstations, and servers.
    • Ordr maintains a list of all the software packages installed on the endpoints with version numbers and a time stamp on when it was installed/last updated etc.,
    • Ordr vulnerability mapping engine assigns vulnerabilities based on the SW version collected from the endpoint. The installed application list is updated daily, and vulnerabilities are recalculated based on the new info.

graphic of device impacted by MOVEit

 Figure 1: Details of a device affected by this vulnerability   


Real-time detection of exploits using IDS, behavioral violation, and threat correlation:

  • Ordr has an IDS engine that can detect this specific vulnerability using analysis of packets transacting over the wire.
  • Ordr IDS signatures have been updated to detect exploits of the MOVEit vulnerability

IDS engine

Figure 2: Ordr IDS engine detecting the session to prohibited IPs associated with MOVEIt

Track communications to compromised IP/URLs:

  • In real-time, Ordr’s external IP/IOC tracks every communication to prohibited IP/URLs. Ordr uses a cloud-based threat intelligence platform where the list is continuously updated, and all communications are marked accordingly in the Ordr Security Threat Card.
  • Ordr scoured the internet to establish a list of MOVEit IPs/URLs and tracks all communications associated with this vulnerability with a “group” within the Ordr Traffic Analysis Tool outer ring. Ordr has named it “MOVEIT” in the classification analysis. All the lookups done using this method are retrospective in nature and map every communication to these IoCs.
  • Users can easily track and tag every device communicating with malicious IPs for remediation purposes.

traffic analysis

Figure 3: Traffic analysis based on communication to IPs associated with groups exploiting MOVEit

Baseline communications to surface anomalies:

  • Ordr also provides the capability to baseline all the communications based on profile, location, business function, or any customized entity using our AI/ML techniques. Ordr can trigger anomalies based on any deviations observed for this traffic. Ordr recommends using our behavioral anomaly and threat detection capabilities to identify anomalies while performing any incident response or remediation.


Figure 4: Ordr Flow Genome to baseline and map communications for MOVEit

  • Ordr adjusts the risk score of the device based on the events detected for the device along with the asset criticality. For example, Ordr assigns a higher risk score for devices with vulnerability and exploits vs. devices only with vulnerability. All of the risk scores are normalized based on the criticality.


  • M1051  (ATT&CK) – Update Software
    • Patch immediately. Refer to the Progress Software Knowledge Base above and apply the fixed versions of MOVEit Transfer.
  • M1040 https://attack.mitre.org/mitigations/M1040(ATT&CK) – Behavior Protection on Endpoint – Rapid threat containment if a breach is detected.
    • Ordr tracks every device’s connectivity and keeps real-time data on where the device is connected to in the enterprise network – wired switch, wireless AP, VPN, and so on.
    • When an alarm of a breach comes into the SOC team, the Ordr platform provides a one-click action to immediately get the device isolated or segmented into a quarantine VLAN.
    • Ordr supports a variety of threat containment actions, as shown below: 

threat containment

Figure 5: Ordr Mitigation Actions For MOVEit

  • M1037(ATT&CK) Proactive firewall policies:
    • Disabling HTTP (port 80) and HTTPS traffic (port 443) to MOVEit Transfer in the interim is recommended to prevent exploitation.
    • Create a policy profile with all the MOVEit servers, then build a firewall policy to block ports 80 and 443 inbounds from an external address.
    • Ordr supports integration with multiple industry-leading firewall vendors. Below is a sample screenshot of one vendor. 

policy profile

device list

automatic FW policies

Figure 5: Create a policy profile for MOVEit servers and create policies on your firewalls (Check Point example)

  • M1030(ATT&CK) – Network Segmentation:
    • Ordr’s segmentation policies can protect the mission-critical devices
    • Even if a breach happens,  mission-critical devices, for example, medical or devices in ER/OR, can be protected using Ordr policies. Only specific devices over certain protocols can communicate with these mission-critical devices.
    • Ordr supports integration with multiple industry-leading NAC vendors. 


Figure 6: Create Zero Trust segmentation policies automatically, pushed on your NAC (Cisco ISE example)


6.     Ordr Customer Updates

Ordr has prepared the following software configuration rules package (no software change required) and is working with customers on pushing them to their separate instances with utmost priority:

  1. Ordr Vulnerability Database to match against devices vulnerable to MOVEit.
  2. Ordr IDS engine to detect exploits related to MOVEit vulnerability.
  3. IoCs associated with MOVEit vulnerabilities are constantly updated and all the existing and new communications are mapped against these IoCs and are updated in the Ordr’s traffic analytics diagrams.
  4. All the indicators of compromise will be flagged on the Ordr’s security page and added to the alerts. Ordr constantly streams to the SOC/SIEM and sends emails to the admin if configured.

7.     Helpful Links



Northern Maine Medical Center. Fort Kent, Maine.

Fort Kent is a town of just over 4,000 residents abutting the Canadian border in rural Aroostook County, Maine. Fort Kent is famous for being the northernmost terminus of U.S. Route One, and infamous for its long, harsh winters. It is also home to Northern Maine Medical Center (NMMC), a 10-bed hospital that has seen services cut in an effort to lower operating costs.

Maine Public Radio recently reported from a public forum held in Fort Kent’s town hall after the hospital announced plans to close its maternity ward. Residents fear NMMC will soon close; and if it does it will be part of a growing trend. The American Hospital Association (AHA) says that 136 rural hospitals have closed since 2010, and according to a recent report by the Center for Healthcare Quality and Payment Reform (CHQPR), there are more than 600 hospitals across the country in danger of closing due to financial pressures. Of those, more than 200 are in immediate danger of shutting down. That means that hospital mergers and acquisitions (M&A) are likely to continue as a trend identified by Chief Healthcare Executive magazine, which reported there were more than 50 hospital M&As in 2022, with more expected this year.

The Good and Bad of Healthcare M&A

When larger hospitals acquire smaller–and especially rural–hospitals, it can have a positive effect on access to quality of care for the communities they serve. The AHA said that nearly 40% of hospitals added services after being acquired, and that operating efficiencies helped to lower costs by an average of 3.3% after an acquisition. But along with the benefits associated with healthcare M&As come security risks. Security Magazine reported that ransomware attacks on healthcare organizations have doubled since 2016, and because rural hospitals struggle with financial and staffing constraints, they are often more easily breached by threat actors.

In her testimony to the Senate Homeland Security & Government Affairs Committee during a hearing on cybersecurity threats to rural healthcare organizations, former North Country Hospital (Vermont) CIO/CISO Kate Pierce said, “[An] alarming trend that escalated in 2022 was cyber attackers shifting focus to small and rural hospitals. While most larger health systems have implemented advanced cybersecurity hygiene to thwart attacks and are employing large cybersecurity teams with sophisticated defenses, small facilities continue to struggle.”

[An] alarming trend that escalated in 2022 was cyber attackers shifting focus to small and rural hospitals. While most larger health systems have implemented advanced cybersecurity hygiene to thwart attacks and are employing large cybersecurity teams with sophisticated defenses, small facilities continue to struggle.” — Kate Pierce, former CIO/CISO, North Country Hospital

The Lurking Threat of Acquired Risks

The dynamic nature of connected devices operating in a network complicates security and IT management issues. In healthcare, these challenges are magnified because patient safety is affected when operations are compromised. Some findings from our most recent Rise of the Machines, Enterprise of Things Adoption and Risk Report (keep your eyes peeled for our 2023 edition soon), show the dangers present when Internet of Things (IoT), Internet of Medical Things (IoMT), and operational technologies (OT) proliferate in a healthcare environment.:

  • 86% of IoT and IoMT deployments have 10 or more FDA recalls.
  • 15%-19% of connected devices run on obsolete/unsupported operating systems.
  • 10%-15% of devices connected to the network  are unknown or unauthorized.
Compromised Medical Devices put Patient Safety at Risk

When a larger hospital makes an acquisition, it takes on the legacy cyber risks that previously beset the smaller one, including the technology assets used to run the facility and support staff in delivering care. In the best cases, hospitals and other healthcare delivery organizations (HDOs) rely on connected medical devices that are likely vulnerable to cyberattack. And once a piece of medical equipment is put in service, it may end up running with obsolete or unsupported software for years, or new vulnerabilities may be revealed that cannot be patched quickly due to patient safety concerns.

Even when a large hospital with “advanced cybersecurity hygiene” takes over the IT and security operations of a smaller hospital, it can take time to assess and mitigate the risks associated with integrating the new organization’s IT estate. And if any of the acquired systems were compromised prior to acquisition, a lurking, undetected threat actor may be able to use the smaller hospital’s IT infrastructure as a kind of Trojan horse from which to move laterally into the new owner’s systems, much like when hotelier Marriott was breached after acquiring Starwood Hotels in 2014.

Mitigate M&A Cybersecurity Risks

With these challenges in mind, a best practice approach to cybersecurity during an M&A event involves three critical steps:

1. Discover every asset in the network

You can’t protect what you can’t see, and so the key to addressing legacy threats and vulnerabilities inherited through the acquisition of other organizations’ technology estates is to be able to discover and classify every asset. That includes all the connected devices in operation: IoMT, IoT, OT, and more. This comprehensive asset inventory may also be useful to determine duplicate systems and reduce redundancies as both organizations in the M&A consolidate their assets.

The Ordr platform performs device discovery and classification quickly, and then monitors communications and tracks changes in real-time. Ordr goes beyond mere visibility to deliver deep, granular, classification of every device, from make, model, serial number, and operating system details. It also provides vital context about where a device is connected and what other systems it is communicating with. Ordr addresses one of the most common M&A challenges of overlapping IP schemas when two organizations are combined. This challenge prevents teams from easily establishing a single view of both environments and can slow risk assessment and integration efforts.

2. Identify your attack surface

The next step is identifying and measuring the attack surface from these assets. This can include devices with vulnerabilities, devices running outdated operating systems, or those with weak passwords. By baselining devices and their communications patterns, you can determine behavior that is outside of norm, that may be an indication of a compromised device.

From a deep, granular foundation of visibility, Ordr gives a complete view of the connected device attack surface and communications in real-time. Ordr identifies which devices are vulnerable or acting in a risky manner, and assigns a risk score based on the device’s known, determinative operational parameters.

3. Implement M&A cybersecurity best practices

Once you know what devices and risks you are inheriting as part of the acquisition, you can begin to implement M&A cybersecurity best practices. The most basic M&A cybersecurity best practices may be segmentation between the two networks, until access and convergence is complete. You will also want to identify or document key risks that need to be mitigated and addressed during or post acquisition.

Ordr dynamically automates the creation and enforcement of security policies. This means that organizations using the Ordr platform can quickly block attacks, quarantine compromised devices, segment vulnerable devices, and accelerate Zero Trust projects to proactively improve security.

Cybersecurity Due Diligence

Identify Risks Before Hospital Acquisition

Because hospitals and HDOs are under constant risk of attack from threat actors who care nothing of the danger their actions present to patients—and, in fact, use that danger to their advantage when carrying out ransomware attacks—there is no grace period when acquiring a smaller organization. It is imperative that the acquiring hospital include cybersecurity when conducting their due diligence. The network must be inventoried, assessed, and protected as quickly as possible, and Ordr helps get that done even before a contract is signed.

Furthermore, we operate on a philosophy of continuous improvement, expanding our integrations, leveraging the most up-to-date threat intelligence, and building our library of millions of device profiles to ensure Ordr is the most comprehensive, single source of connected device truth available. Check out our M&A solution brief for more details on how we help with cybersecurity due diligence.