US Agencies Are Latest Victims in MOVEit Hacking Spree

(Bloomberg) -- About a week ago, the US Cybersecurity and Infrastructure Security Agency and the FBI sent out a joint advisory warning that a file-transfer product called MOVEit contained a dangerous flaw, one that could allow hackers to steal data from affected systems.

It turned out the problem hit close to home. On Thursday, the agency — called CISA for short — provided an update: The very same flaw in MOVEit had been used to breach several US agencies.

CISA Director Jen Easterly said the agency is providing support to departments affected by the MOVEit attack. She said that “as far as we know” the hackers are only stealing information stored on the MOVEit service, and that the intrusions weren’t being leveraged to gain further access to other parts of networks.

CISA’s announcement was the latest confirmation of what many feared when the first MOVEit-related breaches were disclosed earlier this month — that it could turn into a hacking spree. Though Easterly didn’t name the affected agencies, a contractor at a US national lab and a radioactive waste storage site managed by the Department of Energy were among the victims, according to a person familiar with the matter.

“Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit transfer, DOE took immediate steps to prevent further exposure to the vulnerability,” an agency spokesperson said.

The list of victims includes Shell Plc, the government of Nova Scotia, the UK communications regulator Ofcom, the Minnesota Department of Education, and the Dutch campsite and recreation company Landal GreenParks.

IAG SA’s British Airways, the pharmacy chain Boots and the British Broadcasting Corp. told staff that personal information may have been compromised after a breach of their payroll provider, Zellis.

The hacking group that has claimed to be behind the attacks, called Clop, said initially that they had information on hundreds of companies. The flaw in MOVEit’s software allowed the hackers to steal files that companies and organizations had uploaded to it.

Like many other hacking groups, Clop steals data from companies and then threatens to release it on their own leak site on the dark web unless they receive a payment. Clop, which also goes by Cl0p, is the name of a ransomware variant but is sometimes used to describe the hacking group that uses it too.

The Russian-speaking group had posted a message on its site giving hacking victims until June 14 to start ransom negotiations. The group didn’t appear to publish any data on its site that day, though it listed about a dozen alleged new victims, including a US university, insurance and manufacturing firms, banks, and investment and financial services companies.

File transfer applications such as MOVEit, from Progress Software Corp., are designed to submit confidential information securely and fulfill corporate compliance requirements. The systems can be configured to comply with data privacy statutes like HIPAA that protect confidential information.

“Your organization depends on transferring mission-critical sensitive data securely and reliably,” according to a video on Progress’s website. “MOVEit can help.”

The company first began investigating the hack on the evening of May 28 after a call to customer support flagged suspicious activity, according to a filing with the US Securities and Exchange Commission.

The investigators found a zero-day vulnerability in the software, meaning there wasn’t yet a patch to fix it. That flaw could set the stage for “unauthorized escalated privileges and access to the customer’s underlying environment,” according to the filing. The company alerted customers and the SEC on May 30.

Progress has issued a patch for that flaw. The cybersecurity firm Huntress helped the company uncover additional flaws that could be avenues for hackers, and a patch was issued for those vulnerabilities as well. “We have not seen indications that these newly discovered vulnerabilities have been exploited,” the company said on June 9.

On Thursday, however, Progress announced that an unnamed third party had found another zero day, according to an update on the company’s website. At that time, there wasn’t a patch, leaving the software vulnerable to being exploited, so Progress disconnected MOVEit’s cloud service and urged customers to take down their own MOVEit servers.

By Friday, the company said it had patched the latest flaw in MOVEit cloud and was encouraging customers to apply the patch to their own MOVEit servers.

(Updates that company has patched latest zero day in last two paragraphs.)

©2023 Bloomberg L.P.