Federal Agencies Hacked, Clop Ransomware Gang Possible Culprit
Patches have been available for the MOVEit Transfer software vulnerability.
![Federal agencies systems hacked](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltf8afd4cc96393c56/6523f560f72fd577c71c413f/System-Hacked.jpg?width=700&auto=webp&quality=80&disable=upscale)
Andrey_Popov/Shutterstock
Erich Kron, security awareness advocate at KnowBe4, said if this hack of federal agencies is by one of the Clop affiliates, it is a “very brazen move” as it is likely to draw some serious attention from the federal government.
“Many cyber gangs, even those backed by nation-state players, try to avoid the focused attention of the U.S. government and its allies,” he said. “Some significant cybercrime groups have fallen after they have become a focused target of the government, and this sort of attack is likely to put them straight in the crosshairs of the response teams.”
Darren Guccione, CEO and co-founder of Keeper Security, said no one is immune to the “growing threats that cybercriminals pose to individuals, communities and our nation. So it comes as no surprise that bad actors pounced on the opportunity to take advantage of the critically serious MOVEit vulnerability that has already impacted businesses, hospitals and educational institutions.”
“The severity and ramifications of this attack on multiple agencies within the U.S. federal government remain to be seen, but raise serious concerns about the potential compromise of sensitive information and data loss potentially impacting national security,” he said. “As federal agencies and their hard-working cyber teams rush to address this spate of attacks, the news should serve as a clarion call to every organization that this serious zero-day vulnerability must be remediated immediately. All organizations must take a proactive approach to regularly update software and immediately patch vulnerabilities that are being actively exploited in the wild. The first step for administrators utilizing MFT should be to patch the vulnerability or take the service offline until it can be patched, especially now that the vulnerability is public knowledge. While not every attack can be prevented, steps can be taken to mitigate the access of cybercriminals and minimize impacts on systems, data and operations.”
Nick Rago, field CTO at Salt Security, said it’s believed that Clop exploited the vulnerability by uploading a web shell named LEMURLOOT. They could then access the underlying database of MOVEit to execute arbitrary code remotely.
“The Clop group has been known since 2019, when it launched a large-scale spearphishing campaign, using ransomware to steal and encrypt victim data and refuse to restore access until fully paid,” he said. “The group typically targets sizable corporations. Given the severity of the vulnerability, MOVEit users should patch installations as soon as possible. Moreover, until the patch is applied, it is strongly recommended to disable HTTP/HTTPS access to the MOVEit servers to prevent any unauthorized access.”
It’s also a good reminder that many digital supply chains designed and deployed by organizations leverage third-party open source or commercial software packages and applications, Rago said.
“The third-party software deployed in your environments is susceptible to the same attacks as in-house developed applications, and they should be protected with the same edge and runtime security technologies as you would in-house developed apps,” he said.
Andrew Barratt, vice president at Coalfire, said this breach demonstrates the further need for agencies to embrace the FedRAMP mandate, and ensure that they’re continuously monitoring their critical systems and vendors. FedRAMP enables the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations and allowing agencies to leverage security authorizations on a government-wide scale.
“As cyberattacks can be executed in various ways, sometimes with vague motives, it isn’t always clear if attacks are directly targeted or part of the broader wholesale ‘access for sale’ market,” he said. “The impact of this could be twofold: if this turns out to be nation-state activity, then reciprocal action may be taken, further heightening hostilities. However, if this is criminal activity, it’s important for the agencies concerned to look at how their systems could be monetized and start to take steps to monitor the outflow of data and dollars.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said it’s no surprise that CISA is working with the organizations that follow their mandates to address the MOVEit exploits.
“While they have, understandably, not been open about how widespread the attacks have been on government organizations, or how much damage has resulted from the attacks, they are being proactive,” he said. “Fortunately patches already exist and indications of compromise (IoC) are easy to detect, though it’s apparent that not everyone deployed the patches in time. The attacks have been attributed to the Clop ransomware group, which is usually regarded as a cybercriminal group, but it’s entirely possible that there are geopolitical motivations behind this as well.”
As with any vulnerability that’s being exploited in the wild, vulnerable organizations should patch as soon as possible and deploy compensating controls immediately, Parkin said.
“On another level, even if an organization isn’t required to follow CISA guidance, it’s still a good idea to do so,” he said. “Their recommendations are sound and usually timely. Separately, with regard to file transfer systems, it may be worth considering additional levels of encryption for files at rest. Encrypted files remain secure even if they’re exfiltrated, reducing the damage from a breach if one occurs.”
RiskLens vice president James Graham said although it is too early to truly know how the attacks unfolded or who is behind them, this latest string of attacks exploiting the MOVEit vulnerability should put all organizations on alert to review and prioritize protections against this and other attacks.
“To best understand where their exposure and risks lie, organizations who feel they may be affected should perform a quantitative cyber risk assessment, which lays out your potential losses in financial terms when faced with a similar attack.”
Several U.S. government agencies have been hacked via a MOVEit Transfer software vulnerability. The hacks are part of a larger cyberattack.
According to CNN, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.
Eric Goldstein, the agency’s executive assistant director for cybersecurity, told CNN that “we are working urgently to understand impacts and ensure timely remediation.”
Active Exploitation Attempts Discovered
Earlier this month, Huntress discovered active exploitation attempts against MOVEit Transfer. MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch, a subsidiary of Progress Software, that allows enterprises to securely transfer files between business partners and customers.
Last week, CISA and the FBI published a joint advisory about the Clop ransomware gang exploiting the MOVEit vulnerability to steal files stored on the server. It hasn’t been confirmed whether Clop is behind the attacks on federal agencies.
According to ReliaQuest, Clop has named 14 new organizations as its victims, bringing the total number to 27. Of the newly named organizations, 11 are from the United States and three are from Europe. The organizations listed are predominantly operating in financial services, followed by health care, pharmaceuticals and technology. The list of company names has been published on Clop’s dark-web data-leak site, although the group has removed one name. As of this update, ReliaQuest is not aware of any leaked data.
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.