US Government Reveals Exploitation of MOVEit Instances

CISA director Jen Easterly revealed in a press briefing yesterday that multiple US government agencies were targeted and compromised by the Cl0p ransomware gang through the recently disclosed MOVEit file-transfer vulnerability. Easterly stated that since the vulnerability was made public, CISA has been collaborating closely with Progress Software, the FBI, and other federal partners to determine the extent of the issue within federal agencies. Easterly added that support is now being provided to several federal agencies that have experienced intrusions affecting their MOVEit applications.

However, Easterly noted that, as of now, the Cl0p actors have made no ransom demands and there has been no indication that any stolen government data has been released. While the situation is a concern, Easterly emphasized that this particular campaign does not pose a systemic risk to national security or to the nation's networks, unlike the SolarWinds incident.

Among the compromised agencies is the US Department of Energy. A spokesperson from the Department confirmed that records from two DOE entities, Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico, were compromised in the cyberattack on the MOVEit file-sharing software. The Department took immediate measures to prevent further exposure and promptly notified CISA.

Various industry experts have shared their insights on Cl0p’s actions against government agencies. Tom Marsland, VP of Technology at Cloud Range, highlighted the importance of a robust vulnerability management and asset tracking system, pointing out that many agencies become victims of attacks due to previously known vulnerabilities that had patches available but were not remediated. Marsland emphasized the need for skilled professionals in the cybersecurity industry.

Colin Little, Security Engineer at Centripetal, viewed these incidents as an escalation in an ongoing hybrid war. He believed that this campaign could lead to major escalations not only in cyber warfare but also in the geopolitical landscape. Little highlighted that government entities breached in this campaign might be allowed to deploy more offensive cyber resources than other organizations.

Avishai Avivi, CISO at SafeBreach, provided extensive advice to the affected organizations and individuals. He highlighted the tactics used by the Cl0p ransomware group and the vulnerabilities in the MOVEit software. Avivi also emphasized the importance of validating the security of software and implementing secure configurations.

James Graham, VP of RiskLens, suggested that organizations potentially affected should conduct a quantitative cyber risk assessment to understand their exposure and prioritize protections against similar attacks. Dror Liwer, co-founder of Coro, stressed the use of a zero-trust approach when moving sensitive information and the encryption of sensitive data in motion or at rest.

Erich Kron, security awareness advocate at KnowBe4, regarded the Cl0p attack as a bold move that could draw significant attention from the federal government. Kron stated that cybercrime groups often try to avoid the focused attention of the US government and its allies to maintain their operations, and this attack could put them directly in the crosshairs of response teams.

Zach Capers, Senior Analyst at Capterra and Gartner, noted that these incidents highlight the growing challenge of software supply chain security. Capers emphasized the need for organizations to prioritize securing their software supply chains to prevent similar exploits in the future.

In conclusion, the disclosure of the Cl0p ransomware gang’s exploitation of the MOVEit file-transfer vulnerability to compromise US government agencies has raised concerns. The affected agencies, such as the US Department of Energy, are taking immediate measures to contain the impact. It is crucial for organizations to prioritize vulnerability management, implement secure configurations, and adopt a zero-trust approach to protect sensitive information. Additionally, the incident highlights the need for increased efforts to secure software supply chains to prevent future attacks.