US government hit by Russia's Clop in MOVEit mass attack
CISA chief tells us exploitation 'largely opportunistic', not on same level of SolarWinds
The US Department of Energy and other federal bodies are among a growing list of organizations hit by Russians exploiting the MOVEit file-transfer vulnerability.
"Since the vulnerability was disclosed, we have been working closely with Progress Software, with the FBI, and with our federal partners to understand prevalence within federal agencies," Jen Easterly, director of the US government's Cybersecurity and Infrastructure Security Agency (CISA), told The Register and other media in a briefing on Thursday.
"We are now providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications," Easterly said.
Earlier this month, CISA and the FBI said the Russian ransomware gang Clop had exploited a security hole in MOVEit to steal documents from vulnerable networks. Although the crew began leaking victims' names yesterday, the extortionists seem to be keeping their promise to delete — and not publish — any stolen government data.
"We are not aware of Clop actors threatening to extort, or release any data stolen from government agencies," Easterly said. "Although we are very concerned about this, we're working on it with urgency. This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation's network."
CISA officials declined to say which government agencies were compromised, but did say that no military branches were affected.
For those who need a reminder: Progress Software makes a suite of software called MOVEit that is used in industries from banking to healthcare to share and manage documents. An SQL-injection flaw within the code can be exploited to gain control of a vulnerable MOVEit deployment and steal data from that installation. This vulnerability has been widely abused by Clop to extract information from victims and hold that data to ransom: no payment, and the files get leaked online.
Many orgs, including the US government, have been hit via this flaw, with Clop blamed for this mass exploitation.
DOE confirms intrusion
The US Department of Energy on Thursday confirmed Clop had accessed its data as part of this widespread attack.
"Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified CISA," a DOE spokesperson told The Register.
"The department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach."
Easterly called the break-ins "opportunistic," as opposed to attempts to steal specific high-value information, and CISA officials said that the bulk of the attacks occurred in the days after Progress Software disclosed the bug in its file-transfer application.
"As far as we know, these actors are only stealing information that is specifically stored on your file transfer application at the precise time that the intrusion occurred," Easterly said.
"These intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific, high-value information. In sum, as we understand it, this attack is largely an opportunistic one."
That is to say: this appears to be criminals ransacking vulnerable corporate networks for anything useful they can find to make a quick buck, rather than carrying out long-planned espionage and the like.
Progress Software initially disclosed some info about the SQL-injection vulnerability in its multi-tool file-transfer product on May 31, and warned that exploitation "could lead to escalated privileges and potential unauthorized access to the environment."
A day later the vendor issued a patch for the bug, but by then the "mass exploitation and broad data theft" was already well underway.
To make matters even worse: last Friday security researchers uncovered more MOVEit vulnerabilities.
'No coordination with Moscow'
Clop has boasted that its miscreants exploited the MOVEit flaw and has demanded corporate victims pay a ransom, or else it will name them and leak whatever private info was exfiltrated.
While CISA and the FBI have blamed Clop for the intrusions, a senior CISA official said there's no evidence to suggest any coordination between Clop and the Kremlin in the MOVEit attacks.
The full scope of the attacks probably won't be known for weeks, at least, but several victims have come forward so far and alerted their customers, staff, and patients that their private data may have been stolen.
This includes government agencies — Minnesota Department of Education in the US, the UK's telco regulator Ofcom, and Canadian province Nova Scotia's health authority — as well as high-profile corporations like British Airways, the BBC, and the Boots pharmacy chain.
Johns Hopkins hit
Also today, Maryland's prestigious Johns Hopkins University and Johns Hopkins Health System said its data was compromised in the "widespread cybersecurity attack" targeting the MOVEit vulnerability.
In a letter sent to the "Johns Hopkins community" and shared with The Register, the American university's officials said they learned of an intrusion on May 31.
"This investigation is ongoing, but our initial evaluation shows the attack may have affected the information of Johns Hopkins employees, students, and/or patients, but did not include electronic health records," the letter stated. "We are working now to assess the full scope of the attack and will be reaching out directly to all impacted individuals as soon as possible."
Johns Hopkins declined to answer specific questions about the intrusion.
And Tesco Bank too?
Tesco Bank, a retail bank owned by the UK's largest supermarket chain, appears to have been caught up in the MOVEit attack. In an email to customers this week, the financial org said some of their personal information is now feared stolen:
"We want to make you aware that one of our print suppliers was recently affected by a data breach through their file transfer system. Unfortunately, as part of this cyber attack on our supplier, files containing your name, address and savings account number may have been accessed.
"While we understand this news may be unsettling, we want you to know there has been no direct breach of Tesco Bank systems, and this does not enable direct access to your savings account.
"We've been working closely with the supplier to investigate the incident. We've instructed our supplier to stop using the impacted file transfer system, and not to use it again until we're satisfied it's safe to do so."
Affected customers are set to get the usual 12 months of free Experian identity-theft monitoring in case their information is leaked and misused.
Clop victims under pressure
Clop – which had set a June 14 deadline for corporate victims to either pay up, or see their data leaked – has started naming organizations on its leak site, although we're told they have yet to post any stolen data. So far, 27 American and European organizations have been identified, according to ReliaQuest analysts.
"The organizations listed are predominantly operating in financial services, followed by healthcare, pharmaceuticals, and technology," the security shop said. "As of this update, we are not aware of any leaked data."
"Clop has so many 'business opportunities' — victims — it will take time to work down the list," ReliaQuest VP Rick Holland told The Register. "We are still in the early days of this campaign, and as more and more victims become public, organizations will face tough decisions. Do they pay the ransom? Do they risk sensitive data being leaked?"
This latest attack puts "an even larger target" on Clop for law enforcement and intelligence agencies, Holland added. "There are no doubt operations in flight to degrade and disrupt Clop's activities, and this latest MOVEit campaign highlights the urgency for these activities."
Oil and gas giant Shell is among the MOVEit victims: it said a "small number" of staff and customers used the tool, and that its IT systems were otherwise unaffected. Transport for London in the UK was also hit, with info on as many as 13,000 drivers potentially lifted by the intruders. US firm Putnam Investments, banks, university networks, and more are among those named on Clop's leak site.