Russian Clop criminals begin extorting MOVEit data-theft victims, with US government agencies also attacked
US government agencies are reportedly among the victims of the Russian hackers behind a mass hack that impacted some big name organisations.
CNN reported that an official at the US Cybersecurity and Infrastructure Security Agency (CISA) has said that it is providing support to “several federal agencies that have experienced intrusions affecting their MOVEit applications.”
This exploit also allowed the hackers to compromise a third-party firm called Zellis, which provides payroll services to a number of blue chip British firms including BBC, Boots and British Airways.
The hack resulted in the theft of personal details of more than 100,000 staff across those organisations.
Microsoft has previously believes the hackers behind the incident are “Lace Tempest”, the company’s designation for the group that operates the Clop (also written cl0p) ransomware extortion website.
The hackers are believed to be based in Russia and are Russian speaking.
The “Clop team” subsequently confirmed it was behind the hack, and that it would begin trying to extort money from compromised companies in due course, at which time their names would be posted on the Clop data leak site on 14th June if negotiations did not occur.
If an extortion demand is not paid, the threat actors warned they will begin leaking stolen data on 21 June.
Five of the listed companies, oil giant Shell, UnitedHealthcare Student Resources (UHSR), the University of Georgia (UGA) and University System of Georgia (USG), Heidelberger Druck, and Landal Greenparks, have since confirmed to BleepingComputer that they were impacted in varying degrees by the MOVEit attacks.
Other firms have also been listed on Clop’s data leak site including Putnam Investments, Zellis (which resulted in the BBC, Boots, and Aer Lingus, Ireland’s HSE compromise), the University of Rochester, the government of Nova Scotia, the US state of Missouri, the US state of Illinois, BORN Ontario, Extreme Networks, and the American Board of Internal Medicine.
US Agencies
And now CNN has reported that the US Cybersecurity and Infrastructure Security Agency (CISA) is working with several US federal agencies had also been breached using the MOVEit zero-day vulnerability.
CISA “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement on Thursday to CNN. “We are working urgently to understand impacts and ensure timely remediation.”
The Department of Energy is among multiple federal agencies breached, a department spokesperson confirmed to CNN.
The hacks have not had any “significant impacts” on federal civilian agencies, CNN quoted CISA Director Jen Easterly as telling reporters.
Easterly added that the hackers have been “largely opportunistic” in using the software flaw to break into networks.
Federal News Network meanwhile reported that two US Department of Energy (DoE) entities were also compromised, which is alleged to be the Energy Department’s Waste Isolation Pilot Plant and Oak Ridge Associated Universities.
Industry reaction
The ongoing situation associated with Clop’s MOVEit campaign has attracted feedback from industry experts.
“True to their word, the attackers have started to name their victims,” noted Jake Moore, global cyber security advisor at ESET. “With multiple companies targeted all across the globe and millions of lines of personal data potentially being exposed, this cyberattack is beginning to be even bigger than first expected.”
Jake Moore, ESET
“Without knowing the true extent of the extorted data it remains unknown as to what has been stolen or is at risk,” said Moore. “However, this is not a fair game as cybercriminals do not always play by the rules.”
“The supply chain can be worryingly vulnerable when not updated in a timely fashion and threat actors can often be extremely quick to take advantage of any found exploit,” said Moore. “It is therefore vital that all organisations who are yet to patch this vulnerability do so immediately as well as carry out a full vulnerability assessment.”
How did it happen?
Meanwhile Nick Rago, field CTO at Salt Security, provided some analysis and insight into the MOVEit vulnerability.
“It’s believed that CLOP Ransomware Gang exploited the vulnerability by uploading a web shell named LEMURLOOT,” said Rago. “They could then access the underlying database of MOVEit to execute arbitrary code remotely.”
“The CLOP group has been known since 2019, when it launched a large-scale spear-phishing campaign, using ransomware to steal and encrypt victim data and refuse to restore access until fully paid,” said Rago. “The group typically targets sizable corporations.”
“Given the severity of the vulnerability, MOVEit users should patch installations as soon as possible,” Rago advised. “Moreover, until the patch is applied, it is strongly recommended to disable HTTP/HTTPS access to the MOVEit servers to prevent any unauthorised access.”
“It is also a good reminder that many digital supply chains designed and deployed by organisations leverage third party open source or commercial software packages and applications,” said Rago. “Those third party software deployed in your environments are susceptible to the same attacks as in house developed applications, and they should be protected with the same edge and runtime security technologies as you would in house developed apps.”
Geo-political implications
Colin Little, security engineer at Centripetal touched upon the geo-political aspects of this attack, considering that the hackers are believed to be of Russian origin.
“Given the scope of this campaign along with the view of of the geo-political landscape at the time of it’s unfolding as well as the alleged nationality of the major affiliation behind the campaign, my opinion is this campaign signals a major escalation in the hostilities of ongoing cyber warfare,” said Centripetal’s Colin Little.
“What’s worse, I believe the impact of this campaign has a strong potential to trigger a chain reaction of continuing and major escalations of hostilities not only in cyber warfare, but the geo-political landscape as well,” Little added.
“Unlike other industry verticals classified as critical infrastructure, national governments such as the US federal government (and other national governments which have been breached in this campaign) may be permitted to deploy more offensive cyber resources than, say, a university or a hospital,” said Little.
Brazen move
Erich Kron, security awareness advocate at KnowBe4 added that if this attack on US federal agencies was one of the Clop affiliates, it is a very brazen move as it is likely to draw some serious attention from the federal government.
“Many cyber gangs, even those backed by nation-state players, try to avoid the focused attention of the US government and its allies,” said Kron.
“Some significant cybercrime groups have fallen after they have become a focused target of the government, and this sort of attack is likely to put them straight in the crosshairs of the response teams,” Kron said.
