Exploits & Vulnerabilities
Insights on the MOVEit File Transfer Vulnerability
Ongoing developments on this topic will be added to this thread. We invite you to bookmark this page and check back.
There is a lot we don’t yet know about the multiple breaches across federal and municipal organisations this week by the Clop ransomware group, which marks one of the first major tests of the Biden administration’s National Cybersecurity Strategy announced earlier this year. What we do know is that uncertainty always gives cybercriminals an advantage.
A vulnerability in the MOVEit data transfer service, widely used across government agencies, allowed the group to infiltrate agencies including the Department of Energy and university systems in multiple states. Some officials promptly stated that attacks had been detected and mitigated, but others were slower to declare a positive outcome. One of the greatest challenges of responding to a breach is understanding what an attacker has already accomplished if they are still active, and where they are moving next.
Meanwhile, a message from Clop on Wednesday claimed that the data exfiltrated from victims of this breach had been deleted. Threat actors working within self-imposed limits is not a new phenomenon, but such claims should never be taken at face value. Although the impact of global ransomware campaigns, especially those from Russian-affiliated groups, has ebbed and flowed over the years, it has recently grown in significance.
To rapidly detect and respond to dynamic situations like this, organisations must fully understand their attack surface and cyber risk. Attempting to achieve this with numerous individual security elements increases the likelihood of gaps in awareness and delays in addressing critical issues. Demand in the marketplace has shifted to counteract this as organisations increasingly adopt single-platform solutions that combine extended detection and response, attack surface risk management, partner service integration, and AI technology to seamlessly secure data across all environments.
As federal agencies face growing challenges and unique risks, the collaboration between Trend and the committee members will contribute to their security efforts and facilitate global cybersecurity intelligence sharing.
The newly implemented National Cybersecurity Strategy is undergoing its first significant trial. Several federal entities, including departments within the U.S. Department of Energy (DOE), have fallen victim to cyber intrusions stemming from a zero-day vulnerability in the widely deployed file transfer service MOVEit. Early reports say the attack significantly affected Oak Ridge Associated Universities and DOE's Waste Isolation Pilot Plant, leading to substantial data losses. It's important to note that while these breaches didn't infiltrate the internal systems of the DOE, they did compromise agency data held at these sites.
The seriousness and potential repercussions of these intrusions have prompted the DOE to designate this situation as a "major incident." Personal data belonging to potentially tens of thousands of individuals, encompassing DOE employees and contractors, is at risk due to the breach.
The DOE quickly initiated a response to the cyberattacks, underscoring its dedication to cybersecurity and data protection, and commenced preventative measures against further exposure to this vulnerability. Additionally, the department notified the Cybersecurity and Infrastructure Security Agency (CISA) about the incident.
Considering the extensive deployment of MOVEit Transfer software, it's projected that many other agencies might suffer similar breaches. Confirming this, CISA's Executive Assistant Director for Cybersecurity, Eric Goldstein, stated that numerous federal entities have already been affected. Consequently, CISA is acting expeditiously to fully understand the extent of the breaches and ensure swift remedial measures.
The specific entities compromised remain undisclosed, but the breach is suspected to be the handiwork of a Russia-linked ransomware group known as "CL0P," which has taken credit for the MOVEit intrusions. However, CISA Director Jen Easterly describes the attacks as largely opportunistic rather than being precisely targeted.
The event serves as a stark reminder of the pressing need to modernise the federal government's cybersecurity apparatus to better enable agencies to avert, address, and recover from such breaches. State agencies, Johns Hopkins University, and Shell are also part of a growing roster of institutions impacted by the MOVEit breach.
Progress Software, the parent company of MOVEit, is taking active steps to remedy the vulnerability in an effort to curb the attack. This widespread impact of the cyberattacks underscores the relentless challenges confronting the country's cybersecurity infrastructure.
Trend Vision One customers benefit from the attack surface risk management and XDR capabilities of the overall platform, fed by products such as Trend Micro Apex One, allowing existing customers to stay up to date on the latest information on these vulnerabilities. Leveraging the Risk Insights family of apps, customers can scan for and identify impacted assets and stay up to date on the latest mitigation steps, including how to use Trend products to detect and defend against exploitation.
A Trend customer advisory is here: https://success.trendmicro.com/solution/000293538
To learn more about Clop, visit Trend Micro Ransomware Spotlight: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop