
US Government Agencies Amongst Victims of Global Cyberattack Exploiting Software Vulnerability

Several US federal government agencies have fallen victim to a global cyberattack that exploits a vulnerability in widely used software, according to a statement from the US Cybersecurity and Infrastructure Security Agency (CISA). The agency's executive assistant director for cybersecurity, Eric Goldstein, said CISA is providing support to the affected federal agencies, whose MOVEit file-transfer applications were compromised, and is working to assess the impact and ensure timely remediation.


Although the hacking group responsible for the breach has not been confirmed, it is suspected to be a Russian-speaking ransomware group known for targeting numerous victims in previous campaigns.


Some agencies were quick to say they were not affected: both the Transportation Security Administration and the State Department stated that they were not victims. CISA Director Jen Easterly said on MSNBC that she did not expect federal agencies to suffer significant disruption, citing the government's improved defensive measures.


Nonetheless, the federal agencies join an expanding list of victims in a hacking campaign that began two weeks ago. Major US universities and state governments have already been hit, intensifying pressure on federal officials to address the ransomware attacks that have severely disrupted schools, hospitals, and local governments across the nation.


Johns Hopkins University and its health system recently acknowledged that sensitive personal and financial information, including health billing records, may have been compromised. Similarly, Georgia's state-wide university system, which includes the University of Georgia and other state colleges and universities, confirmed that it is investigating the scale and severity of the breach.


The CLOP ransomware group, whose members are Russian-speaking, previously claimed responsibility for some of the attacks. Its targets extend beyond universities to employees of the BBC, British Airways, and Shell, and to the state governments of Minnesota and Illinois, among others.


While the Russian-speaking hackers were the first to exploit the vulnerability, experts warn that other groups may now possess the exploit code needed to conduct similar attacks. CLOP initially set a deadline for victims to contact the group about ransom payments, and afterward began listing additional alleged victims on its dark web extortion site. As of the latest update, no US federal agencies had been listed; the group even stated that it had erased any data taken from government entities and had no intention of publishing it.


CLOP belongs to a larger set of ransomware gangs, based mainly in Eastern Europe and Russia, that focus on extorting large sums of money from their victims.


This campaign highlights how much damage a single software vulnerability can cause when it is exploited by skilled criminals. The group, which emerged in 2019, began exploiting a newly discovered flaw in MOVEit, a widely used file-transfer product, in late May. Its approach appeared opportunistic: compromise as many vulnerable organizations as possible, then extort them.


Progress Software, the US company that makes MOVEit, has advised customers to apply its patches and has published security recommendations to mitigate the risk. Tyler Sullivan, Senior Security Consultant at NetSPI, commented on how a shift in security strategy could help counter this type of threat in the future:


"To slow third-party software vendor-based attacks, a paradigm shift is required, from standard perimeter-based networks to a Zero Trust architecture. Additionally, it's critical for organizations to minimize the attack surface and reliance on the supply chain: this means decreasing the amount of third parties used and regularly auditing them for any security gaps.


There is not a single responsible party for the supply chain; it's down to the vendors, the repositories, the software consumers and the developers. The second half of 2023 should be when we see meaningful progress by all parties involved to control the supply chain and ensure it can be used in a secure way."

