MOVEit Attack Strikes US and State Governments
A global attack campaign fueled by a vulnerability in MOVEit Transfer, a popular managed file transfer application, has now struck the U.S. Department of Energy, several other U.S. agencies and a spate of state government organizations and educational institutions. The reach of these attacks has expanded rapidly over the last few days as the Clop ransomware group exploited a single flaw in a widely deployed third-party application, the kind of leverage that lets software supply chain attacks scale far beyond what one-off intrusions could.
“The Clop ransomware attack against the MOVEit file transfer system is another high-profile incident in increasingly damaging supply chain attacks,” said Michela Menting, senior research director, cybersecurity, at tech market advisory firm ABI Research. “The success of these attacks is enabled by the much greater reach of third-party enterprise applications; rather than targeting 20 different companies, the threat actors only need to target a common program used by all. Of particular interest, of course, are applications that either deal in data transfer/storage or those that are installed on end-user machines and allow for updates.”
On May 31, MOVEit's developer Progress Software released a security advisory warning of a SQL injection flaw in MOVEit Transfer that could be exploited for remote code execution. Since then, security researchers analyzing the flaw have found evidence of in-the-wild zero-day exploitation that may go back months or even years, according to one report from Kroll. Within a few days, Microsoft Threat Intelligence, via a Twitter thread, publicly attributed the zero-day activity around MOVEit to a group it tracks as Lace Tempest, which it associates with the Clop ransomware gang. Last week, Clop itself claimed responsibility for the attacks in statements to reporters at Bleeping Computer and said it had stolen data from hundreds of victims. Since then, disclosures from other victims, as well as further claims from Clop, have revealed an even larger swath of victims worldwide, including UK-based BBC, British Airways, Shell and Zellis, Netherlands-based Landal Greenparks, Swiss insurer OKK and U.S. institutions such as First National Bankers Bank and Putnam Investments.
The last few days have seen a flurry of updates to this rapidly evolving situation on multiple fronts. First, Progress released another security advisory for an additional critical vulnerability in MOVEit Transfer that could lead to escalated privileges and unauthorized access, meaning organizations that patched only the original flaw must apply the newer fix as well. Second, more government and educational institutions reported related attacks, including the U.S. DOE and "several" federal agencies, the Louisiana Office of Motor Vehicles, the Oregon Department of Transportation, the University of Georgia and Johns Hopkins University.
“The severity and ramifications of this attack on multiple agencies within the U.S. federal government remain to be seen, but raise serious concerns about the potential compromise of sensitive information and data loss potentially impacting national security,” said Darren Guccione, CEO and co-founder of Keeper Security.
According to Andrew Barrat, vice president for consultancy at Coalfire, the impact of this attack campaign on federal agencies is yet another wake-up call that they need to embrace FedRAMP requirements and put continuous monitoring capabilities in place.
“As cyberattacks can be executed in various ways—and sometimes with vague motives—it isn’t always clear if attacks are directly targeted or part of the broader wholesale ‘access for sale’ market,” he said. “The impact of this could be twofold; if this turns out to be nation-state activity, then reciprocal action may be taken and that could further heighten hostilities. However, if this is criminal activity, it’s important for the agencies concerned to look at how their systems could be monetized and start to take steps to monitor the outflow of data and dollars.”
Additionally, it’s a reminder to all organizations that securing the software supply chain isn’t just a matter of shoring up internal secure coding initiatives, said Nick Rago, field CTO for Salt Security.
“It is also a good reminder that many digital supply chains designed and deployed by organizations leverage third-party open source or commercial software packages and applications,” Rago said. “That third-party software deployed in your environments is susceptible to the same attacks as applications developed in-house, and it should be protected with the same edge and runtime security technologies you would use for apps developed in-house.”