Russian Clop criminals begin extorting MOVEit data-theft victims, with US government agencies also attacked
US government agencies are reportedly among the victims of the Russian hackers behind a mass hack that impacted some big name organisations.
CNN reported that an official at the US Cybersecurity and Infrastructure Security Agency (CISA) has said that it is providing support to “several federal agencies that have experienced intrusions affecting their MOVEit applications.”
Earlier this month a mass hack was detected that compromised the MOVEit tool from Progress Software, which is used by businesses to securely transfer sensitive data.
This exploit also allowed the hackers to compromise a third-party firm called Zellis, which provides payroll services to a number of blue chip British firms including BBC, Boots and British Airways.
The hack resulted in the theft of personal details of more than 100,000 staff across those organisations.
Microsoft has previously believes the hackers behind the incident are “Lace Tempest”, the company’s designation for the group that operates the Clop (also written cl0p) ransomware extortion website.
The hackers are believed to be based in Russia and are Russian speaking.
The “Clop team” subsequently confirmed it was behind the hack, and that it would begin trying to extort money from compromised companies in due course, at which time their names would be posted on the Clop data leak site on 14th June if negotiations did not occur.
If an extortion demand is not paid, the threat actors warned they will begin leaking stolen data on 21 June.
Last week it was reported that British Airways, Boots and the BBC had received an ultimatum from Clop to begin ransom negotiations within the next week.
And this week the UK media regulator Ofcom confirmed it was also affected by the mass MOVEit hack by the Russian ransomware gang.
On Thursday Bleeping Computer reported that the Clop criminals have begun naming its victims.
Five of the listed companies, oil giant Shell, UnitedHealthcare Student Resources (UHSR), the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, and Landal Greenparks, have since confirmed to BleepingComputer that they were impacted in varying degrees by the MOVEit attacks.
Other firms have also been listed on Clop’s data leak site including Putnam Investments, Zellis (which resulted in the BBC, Boots, and Aer Lingus, Ireland’s HSE compromise), the University of Rochester, the government of Nova Scotia, the US state of Missouri, the US state of Illinois, BORN Ontario, Extreme Networks, and the American Board of Internal Medicine.
And now CNN has reported that the US Cybersecurity and Infrastructure Security Agency (CISA) is working with several US federal agencies had also been breached using the MOVEit zero-day vulnerability.
CISA “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement on Thursday to CNN. “We are working urgently to understand impacts and ensure timely remediation.”
The Department of Energy is among multiple federal agencies breached, a department spokesperson confirmed to CNN.
The hacks have not had any “significant impacts” on federal civilian agencies, CNN quoted CISA Director Jen Easterly as telling reporters.
Easterly added that the hackers have been “largely opportunistic” in using the software flaw to break into networks.
Federal News Network meanwhile reported that two US Department of Energy (DoE) entities were also compromised, which is alleged to be the Energy Department’s Waste Isolation Pilot Plant and Oak Ridge Associated Universities.
The ongoing situation associated with Clop’s MOVEit campaign has attracted feedback from industry experts.
“True to their word, the attackers have started to name their victims,” noted Jake Moore, global cyber security advisor at ESET. “With multiple companies targeted all across the globe and millions of lines of personal data potentially being exposed, this cyberattack is beginning to be even bigger than first expected.”
“Without knowing the true extent of the extorted data it remains unknown as to what has been stolen or is at risk,” said Moore. “However, this is not a fair game as cybercriminals do not always play by the rules.”
“The supply chain can be worryingly vulnerable when not updated in a timely fashion and threat actors can often be extremely quick to take advantage of any found exploit,” said Moore. “It is therefore vital that all organisations who are yet to patch this vulnerability do so immediately as well as carry out a full vulnerability assessment.”
How did it happen?
Meanwhile Nick Rago, field CTO at Salt Security, provided some analysis and insight into the MOVEit vulnerability.
“It’s believed that CLOP Ransomware Gang exploited the vulnerability by uploading a web shell named LEMURLOOT,” said Rago. “They could then access the underlying database of MOVEit to execute arbitrary code remotely.”
“The CLOP group has been known since 2019, when it launched a large-scale spear-phishing campaign, using ransomware to steal and encrypt victim data and refuse to restore access until fully paid,” said Rago. “The group typically targets sizable corporations.”
“Given the severity of the vulnerability, MOVEit users should patch installations as soon as possible,” Rago advised. “Moreover, until the patch is applied, it is strongly recommended to disable HTTP/HTTPS access to the MOVEit servers to prevent any unauthorised access.”
“It is also a good reminder that many digital supply chains designed and deployed by organisations leverage third party open source or commercial software packages and applications,” said Rago. “Those third party software deployed in your environments are susceptible to the same attacks as in house developed applications, and they should be protected with the same edge and runtime security technologies as you would in house developed apps.”
Colin Little, security engineer at Centripetal touched upon the geo-political aspects of this attack, considering that the hackers are believed to be of Russian origin.
It should be remembered that the cyberattack issue was raised during face-to-face talks between US President Joe Biden and Vladimir Putin in June 2021.
Biden and Putin spent much of that face-to-face meeting talking about cybersecurity issues, with Biden warning Putin of ‘retaliation’ and an ‘aggressive response’ if Russia attacks a list of 16 ‘critical’ industries in America.
Then in July 2021 President Biden underscored the issue of cyberattacks, when he admitted they could cause a ‘real shooting war’ with a ‘major power’.
Ever since 2011 the United States said it reserved the right to retaliate with military force against a cyberattack from a hostile state.
“Given the scope of this campaign along with the view of of the geo-political landscape at the time of it’s unfolding as well as the alleged nationality of the major affiliation behind the campaign, my opinion is this campaign signals a major escalation in the hostilities of ongoing cyber warfare,” said Centripetal’s Colin Little.
“What’s worse, I believe the impact of this campaign has a strong potential to trigger a chain reaction of continuing and major escalations of hostilities not only in cyber warfare, but the geo-political landscape as well,” Little added.
“Unlike other industry verticals classified as critical infrastructure, national governments such as the US federal government (and other national governments which have been breached in this campaign) may be permitted to deploy more offensive cyber resources than, say, a university or a hospital,” said Little.
Erich Kron, security awareness advocate at KnowBe4 added that if this attack on US federal agencies was one of the Clop affiliates, it is a very brazen move as it is likely to draw some serious attention from the federal government.
“Many cyber gangs, even those backed by nation-state players, try to avoid the focused attention of the US government and its allies,” said Kron.
“Some significant cybercrime groups have fallen after they have become a focused target of the government, and this sort of attack is likely to put them straight in the crosshairs of the response teams,” Kron said.