US Government discloses exploitation of MOVEit instances.
By Tim Nodar, CyberWire senior staff writer.
Jun 16, 2023

Cl0p exploits MOVEit vulnerabilities to hit US Government agencies.

CISA director Jen Easterly disclosed in a press briefing yesterday that several US government agencies were compromised by the Cl0p ransomware gang via the recently disclosed MOVEit file-transfer vulnerability, the Register reports. Easterly stated, “Since the vulnerability was disclosed, we have been working closely with Progress Software, with the FBI, and with our federal partners to understand prevalence within federal agencies. We are now providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.”

No ransom demands, yet.

Easterly added, “We are not aware of Clop actors threatening to extort, or release any data stolen from government agencies. Although we are very concerned about this, we're working on it with urgency. This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation's network.” She noted that the threat actors are “only stealing information that is specifically stored on your file transfer application at the precise time that the intrusion occurred.”

US Department of Energy is affected.

The US Department of Energy is among the compromised agencies. A Department spokesperson told the Register, “Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified CISA.” Federal News Network says the two compromised DOE entities are Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico.

Industry reactions to Cl0p’s action against Government agencies.

Tom Marsland, VP of Technology at Cloud Range, offered the following observations:

"This latest attack on government agencies exploits two previously known vulnerabilities (CVE-2023-34362 and CVE-2023-35036) that had patches released on May 31 and June 9. Today, a third party publicly posted a new SQLi vulnerability. Progress, the company behind the vulnerable MOVEit software, has published details on mitigating this new vulnerability on their website, including disabling HTTP and HTTPS traffic to the MOVEit environment while they work on a patch.

"Many agencies falling victim to attacks today, however, appear to be compromised due to the previously released vulnerabilities that had patches released on May 31 and June 9. This again goes to emphasize the importance of a robust vulnerability management and asset tracking system, and highlights the gap in not having enough skilled professionals in the cybersecurity industry. These vulnerabilities had already been identified and patches released, but were not remediated. This reiterates the need for a robust vulnerability management program and goes to highlight the importance of the basic fundamentals necessary in cybersecurity."

Colin Little, Security Engineer at Centripetal, sees the incidents, circumstantially, as an escalation in an ongoing hybrid war. “Given the scope of this campaign, along with the current view of the geopolitical landscape and the alleged nationality of the major affiliation behind the campaign, my opinion is that this campaign signals a major escalation in the hostilities of ongoing cyber warfare," Little wrote. “What's worse, I believe this campaign has the strong potential to trigger a chain reaction of continuing and major escalations of hostilities not only in cyber warfare, but the geopolitical landscape as well. Unlike other industry verticals, the US federal government and other governments worldwide that have been breached, may be permitted to deploy more offensive cyber resources than, say, a university or a hospital.”

Avishai Avivi, CISO at SafeBreach, offered some extensive advice to the expanding number of organizations and individuals who are affected by exploitation of this vulnerability:

“In this latest set of breaches involving the MOVEIt managed file transfer, there are three familiar actors and one real victim, so let’s talk about each in turn.

"First, the Clop Ransomware group has found yet another vulnerability in a Managed File Transfer (MFT) system. The SQL Injection vulnerability in MOVEIt is different than the one Clop found in GoAnywhere (unsecured administrative interface), but both involve an unauthenticated user being able to leverage the vulnerability and gain privileged access to data stored on the servers. This is a playbook that works well for Clop – once they verified the vulnerability, they immediately started looking for additional systems to attack. It’s important to note that Clop doesn’t seem to care about the type of victim, as long as they can successfully breach them. They’ve attacked health organizations, financial organizations, utility companies, universities and even government agencies.

"Next, let’s consider the software vendor - Ipswitch. The vulnerability is rooted in an SQL injection when using the web interface of the MOVEIt software. Considering that Ipswitch promotes MOVEIt as a secure file transfer, I find it alarming that SQL injections are still not properly accounted for. The OWASP (Open Worldwide Application Security Project) lists SQL injections as the third top security risk in their industry-standard Top 10 Web Application Security Risks. This throws significant doubt on Ipswitch’s secure software development lifecycle (SSDLC).

"Third, let’s talk about the customers who used MOVEIt and were breached by Clop. While these customers are certainly the victims of a cyberattack, they do bear some of the responsibility. It’s wrong to assume that just because a piece of software claims to be ‘secure’ that it is in fact secure. Customers must always validate that the software they use is secure, and is configured in a way that can protect against cyberattacks. For example, it’s important to note that the MFT servers should only hang on to files for the minimal duration needed to transfer the files from one location to another. From the little information that’s currently available, it appears that Clop exfiltrated large amounts of data that was available on the servers themselves.

"The real victims in this latest set of breaches are the consumers whose information was included in the breach. If the Fortra GoAnywhere breach is any harbinger, we can expect that millions of individuals will be affected by this latest mass breach event.

"There are several important takeaways from this latest ransomware attack:

  • "Financially motivated threat actors do not care about what your company does. Just because they started with a bank, doesn’t mean they’ll spare you if you’re a healthcare company. You must assume that they will try to attack your organization as well.
  • "Just because a piece of software has the word secure as part of its marketing collateral, it doesn’t mean you can just install it and expect it to be secure. In this case, a simple Web Application Firewall would have potentially stopped Clop from being able to leverage the SQL injection vulnerability. You must validate your security control, especially considering the threat landscape.
  • "Companies must follow the secure-by-design principle that CISA is promoting. Sensitive data should not be allowed to linger in a location that is meant to be a temporary transfer system.”
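
Avivi's points above concern an SQL injection reachable through a file-transfer product's web interface and the value of validating controls rather than trusting a "secure" label. The following is an added example written for this page, not code from MOVEit, Progress, or any vendor quoted here: it models a file index as a constructed SQLite table (`files`, with `owner` and `name` columns, an assumption) and shows the same lookup written two ways, one that splices the caller's value into the SQL text and one that binds it as a parameter, plus an allowlist check on the input that is the kind of defense-in-depth validation a WAF or the application itself can apply.

```python
"""Vulnerable vs. parameterized lookups over a constructed file-transfer index.

Added example: the table, rows and function names are assumptions made for
illustration and do not reflect MOVEit's schema or code.
"""
import re
import sqlite3

# Constructed sample rows standing in for an MFT server's file index.
SAMPLE_FILES = [
    ("alice", "q2-payroll.xlsx"),
    ("alice", "vendor-contract.pdf"),
    ("bob", "lab-results.csv"),
]

# Allowlist for an account identifier: letters, digits, dot, dash, underscore, 1..64 chars.
OWNER_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO files VALUES (?, ?)", SAMPLE_FILES)
    conn.commit()
    return conn


def valid_owner(owner):
    """Input validation: reject anything outside the allowlisted identifier shape."""
    return OWNER_PATTERN.match(owner) is not None


def list_files_vulnerable(conn, owner):
    """Concatenates the caller-supplied value into the query text.

    Anything the caller puts in `owner` is interpreted as SQL syntax, so a value
    containing a quote can change the WHERE clause instead of being matched as data.
    """
    sql = "SELECT name FROM files WHERE owner = '" + owner + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def list_files_safe(conn, owner):
    """Binds the value as a parameter; the driver never treats it as SQL syntax."""
    rows = conn.execute(
        "SELECT name FROM files WHERE owner = ? ORDER BY name", (owner,)
    )
    return [row[0] for row in rows]


def demo():
    """Run both lookups with a legitimate value and a tampered one; return results."""
    conn = make_db()
    tampered = "x' OR '1'='1"  # constructed tampered input, not a real request
    return {
        "legit_safe": list_files_safe(conn, "alice"),
        "tampered_vulnerable": list_files_vulnerable(conn, tampered),
        "tampered_safe": list_files_safe(conn, tampered),
        "tampered_passes_allowlist": valid_owner(tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the concatenated query returning every row in the table for the tampered value, the parameterized query returning none (no owner is literally named `x' OR '1'='1`), and the allowlist rejecting the value before it ever reaches the database. The parameterized form is the fix; the allowlist is the independent control a customer can layer on top, which is the validation step Avivi argues should not be left to the vendor's marketing.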

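Avivi's closing takeaway, that a transfer system should hold files only for the minimal time needed and that sensitive data should not linger there, is the kind of control that is easy to state and easy to forget to enforce. The script below is an added example for this page, not a feature of MOVEit or code from any vendor quoted here: it sweeps a staging directory and removes files whose modification time is older than a configured retention window, with a dry-run mode so an operator can audit what would go before enabling deletion. The directory layout and file ages it builds are constructed for the demonstration.

```python
"""Retention sweep for a file-transfer staging directory.

Added example. The directory names, retention window and sample files are
assumptions constructed here; adapt the root path and window to your own
deployment and run with dry_run=True first.
"""
import os
import tempfile
import time
from pathlib import Path


def find_stale(root, max_age_seconds, now=None):
    """Return files under root whose last modification is older than the window."""
    now = time.time() if now is None else now
    stale = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (now - path.stat().st_mtime) > max_age_seconds:
            stale.append(path)
    return stale


def purge_stale(root, max_age_seconds, now=None, dry_run=False):
    """Delete stale files (or only report them when dry_run) and return their relative paths."""
    root = Path(root)
    removed = []
    for path in find_stale(root, max_age_seconds, now):
        if not dry_run:
            path.unlink()
        removed.append(path.relative_to(root).as_posix())
    return removed


def build_demo_staging():
    """Construct a temporary staging tree with one fresh and two stale files.

    Ages are set by rewriting mtimes, so the result is deterministic regardless
    of when the example runs. Returns the root of the constructed tree.
    """
    root = Path(tempfile.mkdtemp(prefix="mft-staging-"))
    now = time.time()
    ages_hours = {
        "inbox/fresh-upload.zip": 1,    # still inside a 24-hour window
        "inbox/old-upload.zip": 72,     # three days old
        "outbox/old-report.csv": 30,    # just past the window
    }
    for rel, age in ages_hours.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"constructed sample content")
        stamp = now - age * 3600
        os.utime(path, (stamp, stamp))
    return root


if __name__ == "__main__":
    staging = build_demo_staging()
    window = 24 * 3600
    print("would remove:", purge_stale(staging, window, dry_run=True))
    print("removed:", purge_stale(staging, window))
    print("remaining:", [p.name for p in staging.rglob("*") if p.is_file()])
```

The window is the only tunable that matters: it should be as short as the transfer workflow allows, and the sweep should run on a schedule rather than being left to whoever remembers. A deliberate side effect of a short window is that a later compromise of the server, through an SQL injection or anything else, finds only what was in transit at that moment, which is exactly the limitation Easterly described for the intrusions above.
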
VP of RiskLens James Graham thinks all organizations who might be affected should be on the qui vive. "Even though it is too early to truly know how the attacks unfolded or who is behind them, this latest string of attacks exploiting the MOVEit vulnerability should put all organizations on alert to review and prioritize protections against this and other attacks. To best understand where their exposure and risks lie, organizations who feel they may be affected should perform a quantitative cyber risk assessment, which lays out your potential losses in financial terms when faced with a similar attack."

Dror Liwer, co-founder of cybersecurity company Coro, sees the incidents as another argument for zero-trust. “When moving sensitive information, even using a so-called secure platform, a zero trust approach should be used. Any sensitive data either in movement or at rest must be encrypted. The benefit far outweighs the overhead.”

Erich Kron, security awareness advocate at KnowBe4, thinks the move was unusually brazen. “If this was one of the Clop affiliates, it is a very brazen move as it is likely to draw some serious attention from the federal government. Many cyber gangs, even those backed by nation-state players, try to avoid the focused attention of the U.S. government and its allies. Some significant cybercrime groups have fallen after they have become a focused target of the government, and this sort of attack is likely to put them straight in the crosshairs of the response teams.”

(Added, 10:00 PM ET, June 16th, 2023. Zach Capers, Senior Analyst at Capterra and Gartner, sees the incidents as an indication of the growing challenge of software supply chain security. "These latest exploits of the MOVEit Transfer vulnerability are further proof that software supply chain attacks are a growing concern for both federal agencies and private businesses,” Capers wrote. “The democratization of software development, rise of open-source software, and app sprawl prevalent at U.S. businesses magnifies the risk of a supply chain attack. As these types of attacks become increasingly advanced and destructive, we can expect more and more businesses will require attestation forms or SBOMs before purchasing a new software product." 

Willy Leichter, VP of Marketing at Cyware, also sees the incidents as instances of software supply-chain risk. “This is another frightening example of the risks of attack through supply chains. Our best defenses can be bypassed if we're relying on vulnerable software for critical tasks, such as transferring large data files. We must find ways to extend our security intelligence and best practices to suppliers to close this gaping hole.”

The number of affected organizations has exceeded early estimates. Toby Lewis, Global Head of Threat Analysis at Darktrace, wrote, “When this was first disclosed, internet scanners assessed that there were possibly over 1,000 exposed & vulnerable MOVEit servers globally, but with a natural emphasis in the US, UK and Western Europe. Some, like Zellis, will have performed their own investigations and got one step ahead – others will only start to come out of the woodwork when it’s clear they won’t be able to contain it any more – this includes organisations that end up being named and shamed on the Cl0p Darkweb website.” Lewis added that Cl0p had plenty of time to develop its campaign. “Unfortunately, this is a vulnerability and exploit that a threat actor had sole use of for potentially weeks before public disclosure. The nature of the affected software is that it is inherently directly connected to the internet and there are limited steps a defender could have taken. I think we can expect a lot more organisations to come out, as the various timelines for disclosure by Cl0p come to an end.”

Coro’s Dror Liwer added some thoughts on the implications of “attack-as-a-service,” with respect to which he sees two troubling trends. “The ability to execute relatively sophisticated attacks with no deep technical knowledge, lowering the barrier to entry significantly, which results in many more threat actors,” Liwer wrote. “A secondary trend is now that the barrier of entry has been lowered, and the attack cost has been commoditized, the ROI of attacks against mid-market and small organizations has improved greatly, leading attackers to target these much more vulnerable organizations, who do not have the same security stack or teams protecting them as the Fortune 500 do.”

Roy Akerman, Co-Founder & CEO of Rezonate, was struck by the speed with which the MOVEit vulnerabilities were actively exploited. “The MOVEit vulnerability was fast to turn from discovery to active exploitation in the field. Available proofs of concept of RCE exploitation increased the risk and organizations are called to take immediate action, in particular federal government agencies. Ransomware groups are known to adopt the latest infiltration techniques before patching is completed, especially when there are multiple patches that are rolling out as further details become available. We are closely monitoring for any further developments related to this SQL injection vulnerability that is actively exploited.”

Drew Streib of the Synopsys Software Integrity Group believes the implications of the exploitation will be difficult for affected organizations to assess. “The vulnerability in MOVEit could have significant implications for anyone who was meaningfully using it and had their data breached. It can be equated to that of a corporate sanctioned box.com share, or sanctioned use of O365 file sharing outside of the organization – it’s a big event but it’s difficult to quickly scope the impact of it on the affected organizations. Those that are impacted could have their workflows disrupted from a transient inability to use secure file sharing. This attack underscores the constant threat of cyberattacks to the public sector and the importance of moving swiftly and carefully to fix any software vulnerabilities.”)