US government agencies struck by cyber attack, as Clop hackers likely exploited MOVEit software vulnerability

News reports have said that ‘several’ U.S. federal agencies have been affected in a global cyberattack that exploits a vulnerability in widely used software. Available details have not identified who carried out the hack of federal agencies or how many such agencies have been affected.

However, a Forbes report identified the Department of Energy as one of the impacted agencies; a spokesperson told the publication that “records from two DOE entities were compromised” as part of a wider attack on MOVEit file-sharing software.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement on Thursday to CNN, referring to the software impacted. “We are working urgently to understand impacts and ensure timely remediation.”

However, it was not immediately clear if the hackers responsible for breaching the federal agencies were a Russian-speaking ransomware group that has claimed credit for numerous other victims in the hacking campaign.

Jen Easterly, CISA director, told MSNBC on Thursday that a software vulnerability was exploited in a cyberattack on ‘several’ federal government agencies. “It’s a software that federal agencies and companies across the world use. We put out an advisory about this last week. And we’re responding to it.”

Without specifying which U.S. government agencies have been impacted by the attack, Easterly added, “Right now we’re focused specifically on those federal agencies that may be impacted and we’re working hand in hand with them to be able to mitigate that risk.” 

“We understand that there are businesses, though, around the world. It’s another ransomware actor known as Clop Ransomware, and they’re basically taking data and looking to extort it,” Easterly added. 

She also said that she was “confident” that there will not be “significant impacts” to federal agencies from the hacks because of the government’s defensive improvements. 

When asked if Russian ransomware could be behind the attack, Easterly said, “We’re tracking it as a criminal group” and “many of these criminal groups are located in places like Eastern Europe.”

CISA also published an alert that Progress Software has released a security advisory for a privilege escalation vulnerability in managed file transfer software MOVEit Transfer. “A cyber threat actor could exploit this vulnerability to take control of an affected system,” the agency identified.

The MOVEit Transfer advisory identifies that Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. “If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment,” it added.

To help prevent unauthorized access to the MOVEit Transfer environment, “we strongly recommend that you immediately apply the following mitigation measures until you are able to apply the June 15th patch (CVE Pending),” the advisory added. It also suggests disabling all HTTP and HTTPS traffic to the MOVEit Transfer environment and modifying firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443.

As a workaround, “administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/.” Additionally, “As patches for supported MOVEit Transfer versions become available, links will be provided below. Supported versions are listed at the following link: https://community.progress.com/s/products/moveit/product-lifecycle.”
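The interim mitigation described above (deny inbound HTTP/HTTPS on ports 80 and 443 at the firewall while keeping https://localhost/ reachable over remote desktop), written out as an added PowerShell example; this is not Progress's or CISA's own script, it assumes the MOVEit Transfer host uses Windows Defender Firewall, and the rule names are chosen here for illustration.

```powershell
# Added example: apply the advisory's interim mitigation on the MOVEit Transfer
# Windows host by blocking inbound TCP 80/443 in Windows Defender Firewall.
# Run from an elevated PowerShell session on the MOVEit host itself (e.g. over RDP).
# Rule names below are assumptions for this example, not names from the advisory.
$RuleNames = @{
    80  = 'MOVEit-Mitigation-Block-HTTP-80'
    443 = 'MOVEit-Mitigation-Block-HTTPS-443'
}

foreach ($port in $RuleNames.Keys) {
    $name = $RuleNames[$port]
    # Idempotent: re-running the script must not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$name' already exists, skipping."
        continue
    }
    New-NetFirewallRule -DisplayName $name `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -Action Block -Profile Any -Enabled True `
        -Description 'Interim MOVEit Transfer mitigation: deny inbound HTTP(S) until patched' | Out-Null
    Write-Host "Created block rule '$name' for TCP/$port."
}

# Verify the rules exist, are enabled, and carry the intended port filter.
foreach ($name in $RuleNames.Values) {
    $rule = Get-NetFirewallRule -DisplayName $name
    $port = ($rule | Get-NetFirewallPortFilter).LocalPort
    Write-Host ("{0}: Enabled={1} Action={2} LocalPort={3}" -f $name, $rule.Enabled, $rule.Action, $port)
}

# Confirm the admin workaround still works from the host: Windows Firewall does not
# filter loopback traffic, so https://localhost/ remains reachable after the block.
# If the site uses a self-signed certificate, PowerShell 7 needs -SkipCertificateCheck.
try {
    $resp = Invoke-WebRequest -Uri 'https://localhost/' -UseBasicParsing -TimeoutSec 10
    Write-Host "Local admin access OK (HTTP $($resp.StatusCode))."
} catch {
    Write-Warning "https://localhost/ not reachable: $($_.Exception.Message)"
}
```

Once the patch is applied, `Remove-NetFirewallRule -DisplayName <rule name>` for each of the two rules restores normal HTTP/HTTPS access.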

CISA urges users and organizations to review the MOVEit Transfer advisory, follow the mitigation steps, and apply the necessary updates when available.

A spokesperson for MOVEit told Forbes on Thursday the software has rolled out security patches in the wake of the attacks and is “engaged with federal law enforcement and other agencies.”

Forbes also reported that the Shell oil company, the BBC, British Airways, Johns Hopkins University, and the state of Minnesota say they were impacted by earlier attacks on MOVEit, in some cases due to attacks on their payroll company. Additionally, a Russian-speaking hacking group known as CLOP last week claimed credit for some of the hacks, which have also affected employees of the BBC, British Airways, oil giant Shell, and state governments in Minnesota and Illinois, among others. 

The Russian hackers were the first to exploit the vulnerability, but experts say other groups may now have access to software code needed to conduct attacks.

The latest cybersecurity incident targeting the U.S. critical infrastructure sector comes months after President Biden’s administration rolled out a new National Cybersecurity Strategy that aims to protect the nation’s critical infrastructure from ‘borderless’ cyber threats.

Commenting on the breaches of US federal government agencies, Amit Yoran, chairman and CEO at Tenable, wrote in an emailed statement that the Clop ransomware gang has focused on exploiting file transfer technologies for years and has had widespread success exploiting a known MOVEit flaw for weeks now. “While we don’t know the full extent of the attack on U.S. government agencies, it’s clear that even now many organizations still need to plug holes in their software applications to avoid becoming the next victim.”

“Cybercriminals and nation states alike feast on known vulnerabilities and sloppy hygiene practices that leave organizations unnecessarily at risk,” according to Yoran. “Unrelenting focus on identifying issues, prioritizing them, and remediating them makes a world of difference.”

Tom Marsland, vice president of technology at Cloud Range, wrote in an emailed statement that the latest attack on government agencies exploits two previously known vulnerabilities (CVE-2023-34362 and CVE-2023-35036) for which patches were released on May 31 and June 9. “Today, a third party publicly posted a new SQLi vulnerability. Progress, the company behind the vulnerable MOVEit Software, has published details on mitigating this new vulnerability on their website, including disabling HTTP and HTTPS traffic to the MOVEit environment while they work on a patch,” he added.

“Many agencies falling victim to attacks today, however, appear to be compromised due to the previously released vulnerabilities that had patches released on May 31 and June 9. This again goes to emphasize the importance of a robust vulnerability management and asset tracking system and highlights the gap in not having enough skilled professionals in the cybersecurity industry,” according to Marsland. “These vulnerabilities had already been identified and patches released, but were not remediated. This reiterates the need for a robust vulnerability management program and goes to highlight the importance of the basic fundamentals necessary in cybersecurity.”

“It’s believed that CLOP Ransomware Gang exploited the vulnerability by uploading a web shell named LEMURLOOT. They could then access the underlying database of MOVEit to execute arbitrary code remotely,” Nick Rago, field CTO at Salt Security, wrote in an emailed statement. “The CLOP group has been known since 2019, when it launched a large-scale spear-phishing campaign, using ransomware to steal and encrypt victim data and refuse to restore access until fully paid. The group typically targets sizable corporations.” 

Given the severity of the vulnerability, MOVEit users should patch installations as soon as possible, according to Rago. “Moreover, until the patch is applied, it is strongly recommended to disable HTTP/HTTPS access to the MOVEit servers to prevent any unauthorized access.”

“No one is immune to the growing threats that cybercriminals pose to individuals, communities, and our nation, so it comes as no surprise that bad actors pounced on the opportunity to take advantage of the critically serious MOVEit vulnerability that has already impacted businesses, hospitals, and educational institutions,” Darren Guccione, CEO and co-founder at Keeper Security, wrote in an emailed statement. “The severity and ramifications of this attack on multiple agencies within the US federal government remain to be seen but raise serious concerns about the potential compromise of sensitive information and data loss potentially impacting national security.”

Last week, U.S. agencies identified in a joint cybersecurity advisory (CSA) that the CL0P ransomware gang is reportedly exploiting a previously unknown structured query language (SQL) injection vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer. The agencies identified that the CL0P group, also known as TA505, has been able to exploit this vulnerability due to the speed and ease with which it can be exploited. Based on the group’s past campaigns, the agencies expect to see widespread exploitation of unpatched software services in both private and public networks.