US Agencies Are Latest Victims in Expanding MOVEit Hacking Spree
(Bloomberg) – About a week ago, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI issued a joint alert that a file transfer product called MOVEit contained a dangerous vulnerability that could allow hackers to steal data from affected systems.
It turned out that the problem hit close to home. On Thursday, the agency – known as CISA for short – announced an update: The same flaw in MOVEit had been exploited to attack several US agencies.
CISA Director Jen Easterly said the agency is supporting departments affected by the MOVEit attack. She said that “as far as we know” the hackers are only stealing the information stored in the MOVEit service and that the intrusions are not being exploited to gain further access to other parts of the network.
CISA’s announcement was the latest confirmation of what many feared when the first MOVEit-related breaches emerged earlier this month — that a hacking attack could occur. Although Easterly did not identify the authorities involved, a contractor for a US national laboratory and a radioactive waste disposal site managed by the Department of Energy were among the victims, according to a person familiar with the matter.
“When the DOE learned that data sets from two DOE companies had been compromised in the global cyberattack on file-sharing software MOVEit Transfer, the DOE took immediate action to prevent further exposure to the vulnerability,” said an agency spokesman.
Victims include Shell Plc, the Nova Scotia government, UK communications regulator Ofcom, Minnesota’s Department of Education and Dutch camping and leisure company Landal GreenParks.
IAG SA’s British Airways, Boots pharmacy chain and British Broadcasting Corp. informed employees that personal data may have been compromised following a breach against their payroll provider, Zellis.
On Thursday, Progress Software Corp., the company behind MOVEit, said a third party had discovered another flaw in the software. As there is no patch for this yet – resulting in a so-called zero-day vulnerability – the company said it had separated the cloud service from MOVEit and asked customers to disable web traffic to their own MOVEit servers.
The Clop hacker group, which claims to be behind the attacks, initially said it had information on hundreds of companies. The flaw in MOVEit’s software allowed the hackers to steal files that companies and organizations had uploaded to it.
Like many other hacker groups, Clop steals data from companies and then threatens to publish it on its own dark web leak site unless it receives payment. Clop, also known as Cl0p, is the name of a ransomware variant, but is also sometimes used to describe the hacking group that uses it.
The Russian-speaking group posted a message on its website giving victims until June 14 to begin ransom negotiations. The group did not appear to release any data on its website that day, but did list about a dozen alleged new victims, including a US university, insurance and manufacturing firms, banks, and investment and financial services firms.
MOVEit and other file transfer applications are designed to securely transfer sensitive information and meet corporate compliance requirements. Systems can be configured to comply with privacy regulations such as HIPAA that protect sensitive information.
“Your organization depends on the secure and reliable transmission of mission-critical sensitive data,” says a video on Progress’s website. “MOVEit can help.”
The company began investigating the hack on the evening of May 28 after a call to customer support reported suspicious activity, according to a filing with the US Securities and Exchange Commission.
Investigators found a previous zero-day vulnerability in the software — one that the filing said could set the stage for “unauthorized escalated privileges and access to the customer’s underlying environment.” The company alerted customers and the SEC on May 30.
Progress has released a patch for this bug. Cybersecurity company Huntress helped the company uncover more issues that could be exploited by hackers and also released a patch for these vulnerabilities. “We have seen no indication that these newly discovered vulnerabilities have been exploited,” the company said on June 9.
However, on Thursday the company announced that a third party had found another zero-day, according to an update on Progress’s website. “We are currently testing the patch and will update customers shortly,” the company said.