The most damaging cyberattacks are not single, isolated events that cause a one-day data breach. They are pervasive, long-term threats that exploit flaws in your network architecture, like implicit trust. These types of attackers, which include advanced persistent threat (APT) groups like Salt Typhoon and Silk Typhoon and ransomware groups like Medusa, use patience to inflict long-term damage by stealing data and unleashing malware.  

A short-term solution or a one-day security training is not enough to protect enterprise networks from persistent attacks. The problem is the cloud architecture itself. Architectures that rely on implicit trust for east-west traffic, meaning that any user within the system can move laterally without being challenged by verification checks, leave the door open for attackers.  

Similarly, default egress policies that permit unrestricted outbound connections allow data exfiltration and command-and-control communications to go undetected. Organizations need security solutions that address the problem at the root with a zero-trust, security-first architecture.

This blog explores a case study of these types of long-term attacks, the MOVEit attack of May 2023, and how a foundational architecture built on zero trust principles can prevent similar attacks.  

The Supply Chain Nightmare: Containing the MOVEit Fallout  

In May 2023, a popular managed file transfer (MFT) software package was the victim of a massive supply chain attack targeting a zero-day vulnerability. The threat actor, a Russian-affiliated ransomware group known as Cl0p (or TA505), exploited a SQL injection vulnerability to gain access to the underlying databases of MOVEit servers, allowing them to steal vast quantities of sensitive data.  

The attack had a devastating ripple effect on MOVEit and its customers. Because MOVEit is used by organizations to transfer data to and from their partners and customers, a single compromised server often contained data from dozens or even hundreds of other entities.  

This incident is a prime example of the growing risk of breaches involving a third party, a category that doubled from 15% to 30% in the last year, as noted in the 2025 Verizon Data Breach Investigations Report.  

How CNSF Prevents Similar Attacks 

The MOVEit breach is exactly why Aviatrix developed Cloud Native Security Fabric (CNSF) for cloud environments. Organizations realized they needed better network controls, microsegmentation, and data movement visibility – capabilities that were difficult and expensive to implement in traditional data center architectures.  

Aviatrix’s CNSF doesn’t patch individual software vulnerabilities in applications. Instead, it helps contain the blast radius of this type of attack. Using zero trust architecture principles, CNSF segments networks so that a threat actor who has managed to infiltrate the system can't gain access beyond that segment or establish outbound connections for data exfiltration and command and control. 

Each network segment is governed by security policies. A MOVEit server would be placed in a network segment with a policy that this server can communicate only with specific, necessary systems and protocols—for example, receiving files via SFTP from a partner network and delivering them to a specific internal processing server.  

What Would Have Happened: CNSF Containment

When the Cl0p actors exploited the zero-day and compromised the MOVEit server, CNSF would have severely constrained their actions. Any attempt to use the compromised server as a beachhead to scan the internal network, connect to unrelated database servers, pivot to other critical workloads, or establish unauthorized outbound connections for data exfiltration and command-and-control would have been blocked by CNSF's segmentation and egress policies. The attackers would have been trapped within the small, isolated segment defined for the MOVEit application.  

A CNSF reduces a network-wide, disastrous breach into a contained incident. Attackers would not be able to spread through the system to cause damage. 

Breaking the Ransomware Business Model  

The lesson from the MOVEit breach can be generalized to the entire ransomware ecosystem. The business model of modern ransomware is almost entirely dependent on successful lateral movement and uncontrolled egress connections. A single encrypted laptop is a nuisance that can be resolved by reimaging the machine. An entire data center of encrypted servers, as in the MOVEit case, is a business-crippling event that forces executives into a position where paying a multi-million dollar ransom seems like a viable option.  

Adversaries know this. Mandiant's research shows that ransomware intrusions frequently begin with relatively simple initial access methods, such as brute-force attacks (password spraying) against exposed services like VPNs or RDP or the use of stolen credentials. The attacker's primary goal after this initial access is to spread as widely and as quickly as possible before deploying the encryption payload.  

A CNSF directly disrupts this business model by attacking its weakest link: the reliance on east-west traffic and uncontrolled egress connections.  

By enforcing a default-deny posture for all workload-to-workload communication, a CNSF neutralizes the ransomware's ability to spread through a system.  

  • The malware is contained at the point of entry.  

  • The malware is frozen after initial access, before causing enough damage to gain the kind of leverage ransomware needs to begin extortion.  

This containment dramatically reduces the potential damage of an attack and, in doing so, destroys the attacker's return on investment (ROI), making the target far less attractive.   
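As an added example (not code from the post or from Aviatrix), the following Python models the segment policy described above for the MOVEit server and the default-deny posture for workload-to-workload and outbound traffic: two allow-list rules, and every other east-west or egress flow denied. The segment ranges, addresses, rule tuples and sample flows are all constructed assumptions, not a real policy format.

```python
# Illustrative default-deny segmentation/egress policy check. This is a
# constructed model of the policy the post describes, not Aviatrix's CNSF
# policy format or API; all segments, addresses and rules are made up.
from ipaddress import ip_address, ip_network

# Constructed segments: partners upload via SFTP, the MOVEit server hands files
# to one processing server; the database tier is unrelated to MOVEit.
SEGMENTS = {
    "partner-net": ip_network("203.0.113.0/24"),
    "mft-moveit": ip_network("10.10.1.0/28"),
    "processing": ip_network("10.20.0.0/24"),
    "db-tier": ip_network("10.30.0.0/24"),
}

# Allow-list of (src_segment, dst_segment, proto, port). Anything not listed,
# including all outbound traffic to the internet, is denied.
ALLOW = {
    ("partner-net", "mft-moveit", "tcp", 22),   # inbound SFTP from partners
    ("mft-moveit", "processing", "tcp", 22),    # hand-off to processing server
}

def segment_of(ip):
    """Map an address to its segment; unknown addresses are 'internet'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src_ip, dst_ip, proto, port):
    """Return (decision, reason) for one flow under default deny."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if (src, dst, proto, port) in ALLOW:
        return "ALLOW", f"{src}->{dst} {proto}/{port} is on the allow-list"
    kind = "egress" if dst == "internet" else "east-west"
    return "DENY", f"{src}->{dst} {proto}/{port} has no rule ({kind} default-deny)"

# Constructed flows: legitimate upload and hand-off, then a lateral probe of the
# DB tier and an outbound connection to an external host (exfil/C2 pattern).
FLOWS = [
    ("203.0.113.25", "10.10.1.5", "tcp", 22),
    ("10.10.1.5", "10.20.0.40", "tcp", 22),
    ("10.10.1.5", "10.30.0.10", "tcp", 1433),
    ("10.10.1.5", "198.51.100.7", "tcp", 443),
]

if __name__ == "__main__":
    for flow in FLOWS:
        decision, reason = evaluate(*flow)
        print(f"{decision:5} {reason}")
```

Note that the rules are directional: the processing server connecting back to the MOVEit segment has no matching rule and is also denied.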

Final Thoughts

In a complex world of thousands of workloads, countless third-party software packages, and the constant threat of zero-day vulnerabilities, we can’t guarantee that every individual component will remain secure at all times. A realistic and resilient security strategy must assume that attackers will gain access somewhere. Even more recent attacks like those architected by the cybercriminal group Scattered Spider could be mitigated with very similar defenses. 

CNSF’s “blast radius containment” follows a core principle of zero trust: assume breach. It prevents attackers from spreading through a system and gives security teams notice of the traffic anomalies, such as unusually large data collection, that signal data exfiltration is about to take place.  

Containment, segmentation, and egress security create a resilient security posture that acknowledges the reality of a cloud-first world: attackers are likely to get in – but you can prevent them from doing enough damage to make your organization tomorrow’s headline.   

John Qian

Chief Information Security Officer

John is the Chief Information Security Officer at Aviatrix. Previously, John served as the Head of Security Architecture at Zoom, where he was responsible for overseeing the security posture of Zoom products and features, cloud environments, and sensitive IT applications. Over four years, his team developed one of the industry’s most mature security programs while effectively supporting Zoom’s dramatic business growth during the pandemic.
