'Several' US government agencies attacked through MOVEit flaw, CISA

'We are working urgently to understand impacts and ensure timely remediation'

Multiple US federal government agencies have been caught up in the slew of cyberattacks exploiting a flaw in MOVEit software, according to the US Cybersecurity and Infrastructure Security Agency (CISA).

Only one department has been identified so far, the US Department of Energy, which said it had taken immediate measures to halt the attack, but more were affected, according to CISA executive assistant director for cybersecurity Eric Goldstein.

Goldstein told CNN that CISA is "providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications. We are working urgently to understand impacts and ensure timely remediation."

The Transportation Security Administration and the State Department have come forward to say they were not affected.

The degree of damage caused and the nature of data stolen in the attacks has not been made public. Likewise, it is not known yet whether the perpetrator is Clop, the Russian-speaking ransomware gang that has recently stolen information from several large businesses, organisations, schools, universities and government entities and threatened to publish it online.

CISA director Jen Easterly, sought to downplay fears that this was a repeat of the 2018 SolarWinds supply chain attack, which saw Russian actors embedded in US Government systems for several months. Easterly portrayed the attacks as being opportunist, designed for enrichment rather than espionage or state purposes. She said no military agencies had been attacked. She also said it was not clear whether the attacker was Clop or another gang exploiting the same flaw.

"We are not aware of Clop actors threatening to extort or release any data stolen from US government agencies," Easterly said in a briefing to reporters. "Although we are very concerned about this campaign and working on it with urgency, this is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation's networks."

In the US, the Minnesota Department of Education, the University of Rochester in New York, 1st Source and First National Bankers Bank, Johns Hopkins University and the University System of Georgia (USG) have all had data stolen by Clop, which claims to have stolen data from hundreds of entities worldwide. Other victims include UK telecoms regulator Ofcom, the BBC, BA, Shell and the Government of Nova Scotia. Some of these organisations were attacked through their Zellis HR system; Zellis was another victim of Clop.

The gang had said it would start publishing stolen data on Wednesday if ransom payments were not forthcoming, although according to reports it has published few details so far.

Clop actors also said specifically on their darkweb site public agencies would be excluded from this action: "If you are a government, city or police service... we erased all your data."

Easterly said there was no evidence of any US federal agency data being published so far.

Clop has been exploiting a SQL injection flaw (CVE-2023-34362) in the widely-used MOVEit Transfer file transfer software by Progress Software. The flaw was patched on 31st May, but since then a proof-of-concept exploit has been developed by security researchers and further vulnerabilities have been discovered (CVE-2023-35036). These have also been patched.

It is not clear at this stage whether the gang, and possibly copycats, has been targeting specific entities, or adopting a scattergun approach to hit as many targets as possible, given the widespread use of MOVEit and the fact that admins can be slow to patch their systems. The gang has previously exploited flaws in Accellion File Transfer Appliance in 2020 and 2021, and Fortra/Linoma GoAnywhere servers earlier this year.

Commenting on the news, Amit Yoran, chairman and CEO of security firm Tenable said: "The Clop ransomware gang has focused on exploiting file transfer technologies for years and has had widespread success exploiting a known MOVEit flaw for weeks now. While we don't know the full extent of the attack on US government agencies, it's clear that even now many organisations still need to plug holes in their software applications to avoid becoming the next victim.

"Cybercriminals and nation states alike feast on known vulnerabilities and sloppy hygiene practices that leave organisations unnecessarily at risk. Unrelenting focus on identifying issues, prioritising them and remediating them makes a world of difference."