File-transfer tools are a popular target for hackers, contributing to a 2023 trend of widespread hacks
This is starting to get a little too familiar for 2023: A company discovers a vulnerability in a popular piece of software or a tech tool. A hacking group looks poised to exploit it in a widespread way. Organizations begin to announce they’re among the victims.
This time around, a file-transfer tool known as MOVEit Transfer is at the center of everything. The ransomware gang in question appears to be Clop, a repeat player in this kind of story (some researchers are blaming the group, which is apparently also claiming credit). And the affected organizations whose information has been taken include the likes of British Airways, BBC, the government of Nova Scotia and a university in New York state.
As before, the main mystery going forward is how big the fallout will get. There’s reason, for now, to expect things will get worse before they get better.
“It still very much qualifies as an emergent threat,” Caitlin Condon, senior manager of security research at the cyber company Rapid7, told me.
On Tuesday, the alleged attackers began spelling out how they wanted victims to pay, telling victims that they expected to receive an email from them within the next week, as Emsisoft’s Brett Callow relayed on Twitter:
The MOVEit vulnerability follows on some other noteworthy attacks with some parallels this year:
- Apparent cybercriminals exploited a flaw in VMware software in February to hit more than 3,000 organizations with low-level ransom demands. They targeted public-facing servers, which are often both the first line of defense and the first thing an attacker tries to compromise.
- Clop — there’s that name again! — hit big-name victims like Procter & Gamble via a (wait for it) popular file-transfer tool, Fortra’s GoAnywhere. The victim total was smaller, but it caused more trouble for those affected.
- April also brought a second somewhat-similar incident, but without the ransomware angle. Alleged North Korean hackers attacked voice-over IP software provider 3CX to go after its customers. The victim total is unknown, although it could have affected hundreds of thousands of businesses. A coordinated industry and government response appeared to curtail the damage before it got anywhere near that far.
Rapid7 and another cyber company, Mandiant, saw the first instances of compromise on May 27. That was four days before MOVEit maker Progress Software warned the public about the vulnerability.
So far, prominent companies affected include a number of U.K. organizations, via compromised payroll services provider Zellis. In North America, victims include the government of Nova Scotia and the University of Rochester.
A search engine for publicly exposed devices suggests that 2,500 instances are exposed to the internet, more than half of them in the United States.
Around a dozen federal agencies appear to have active U.S. government contracts that mention MOVEit.
Independent security researcher Kevin Beaumont mentioned possible government victims on Twitter:
Rapid7 has labeled it a “widespread” attack despite the uncertain victim count right now because of the many probable compromises, Condon said.
Condon explained what makes file-transfer tools juicy targets for hackers. (Clop notably went after them in the 2021 Accellion breach.)
- “They share sensitive information,” she said of such tools. “They’re common with large businesses who are often shipping sensitive data back and forth.”
- “It’s just a shortcut,” Condon said. “Why would you go through 10 steps to gain initial access to some environment and then pivot to another … active directory or whatever it is you’re targeting, to get data, when you can exploit a file-transfer application within hours or days to exfiltrate gigabytes and gigabytes of sensitive data and then back out?”
Another cyber company said it noticed something else interesting about the kind of attack the hackers used. The basic part is known as SQL injection, which involves putting malicious statements into an application to interfere with queries it makes to its database.
But Huntress said Monday that in the case of the MOVEit attack, SQL injection opens the door to potential remote code execution, allowing attackers to make changes to a target device no matter where it’s located. That’s “the crown jewel” allowing attackers to “own the access,” said Huntress’s senior security researcher John Hammond.
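To make the SQL injection mechanism concrete, here is an added example that is not from the newsletter, from Huntress, or from Progress, and that does not reproduce the MOVEit flaw itself. It models the general class of bug the paragraph describes: a lookup that splices caller-supplied text into a query, shown beside the parameterized version that treats the same input purely as data. The table, the user names and the helper names (`lookup_vulnerable`, `lookup_parameterized`, `demo`) are constructed for this illustration.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for an
# application's user store. The names and roles are made up for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_vulnerable(conn, username):
    # Defective pattern: the statement is assembled by string concatenation,
    # so whatever the caller supplies becomes part of the SQL text itself.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, username):
    # Hardened pattern: a bound parameter. The driver keeps the statement and
    # the value separate, so the input can only ever be compared as a string.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()

# A constructed input containing SQL syntax. Against the concatenated query it
# changes the WHERE clause; against the bound parameter it is just a username
# nobody has.
CRAFTED_INPUT = "x' OR '1'='1"

def demo():
    # Runs both lookups with an ordinary username and with the crafted input,
    # returning the rows each version hands back so the difference is visible.
    conn = build_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_crafted": lookup_vulnerable(conn, CRAFTED_INPUT),
        "parameterized_normal": lookup_parameterized(conn, "bob"),
        "parameterized_crafted": lookup_parameterized(conn, CRAFTED_INPUT),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The concatenated version returns every row for the crafted input because the quote character ends the intended string literal and the remainder is parsed as SQL; the parameterized version returns nothing, because no user is literally named `x' OR '1'='1`. The defensive takeaway is the same one the paragraph implies: the query text must never be built from untrusted input, and when an injectable query can reach a database feature that executes code or writes files, the impact escalates from data theft to the remote code execution Huntress describes.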
But it’s not clear why the attackers didn’t use that access to drop ransomware into victim networks, Hammond told me, although some ransomware gangs have been focusing more on stealing data to hold for ransom and skipping the encryption part because it’s faster and easier. Condon also told me the industry hasn’t seen the attackers move around inside victim systems, which decreases their chances of getting discovered.
Microsoft has attributed the MOVEit attacks to an affiliate of the ransomware gang known alternately as Clop or Cl0p. Google Cloud-owned Mandiant has not gone that far, attributing it to “a newly created threat cluster with unknown motivations” and saying it doesn’t yet have sufficient evidence to connect it to the Clop gang, which it also calls FIN11.
Clop itself — or, at least, someone pretending to represent Clop — has told news outlets that it is in fact behind the attacks, but won’t release data on military, government, children’s hospitals, police departments and “etc.” (Many ransomware groups have reneged on similar promises.)
One thing making it hard to quickly assess the number of victims is Clop’s history. After the GoAnywhere attacks, Clop waited more than a month to make ransom demands. More victims could also become public later when they come up on government deadlines for disclosing breaches, Condon said.
Some cyber industry veterans have given kudos to Progress for aspects of how it’s handled the situation, including quickly offering patches.
And the Cybersecurity and Infrastructure Security Agency has placed the MOVEit vulnerability on its so-called “must-patch” list for government agencies, giving them a June 23 deadline.
GOP demands meetings with disinformation researchers who are facing harassment
House Judiciary Chairman Jim Jordan (R-Ohio) and his congressional allies are demanding documents from and meetings with disinformation experts who have been frequent targets of right-wing activists, our colleagues Naomi Nix and Joseph Menn report.
The meetings are putting pressure on the group of academics. Jordan and his allies have accused them of colluding with U.S. officials to suppress conservative views.
- Jordan and other Republican committee members previously claimed that tech companies have worked with the government to suppress free speech and remove certain content on their platforms.
Naomi and Joseph write: “Jordan’s colleagues and staffers met Tuesday on Capitol Hill with … University of Washington professor Kate Starbird, two weeks after they interviewed Clemson University professors who also track online propaganda, according to people familiar with the events.”
“The pressure has forced some researchers to change their approach or step back, even as disinformation is rising ahead of the 2024 election,” they add. “As artificial intelligence makes deception easier and platforms relax their rules on political hoaxes, industry veterans say they fear that young scholars will avoid studying disinformation.”
- “The political part is intimidating — to have people with a lot of power in this world making false claims, false accusations about our work,” Starbird, who has significantly cut back on public engagement, told our colleagues.
E.U. mulling mandatory Huawei 5G ban
The European Union is weighing the possibility of banning member states from using companies deemed national security risks — like Chinese telecommunications giant Huawei — to help construct their 5G infrastructure, Javier Espinoza reports for Financial Times.
The United States and European allies claim the company poses a security threat and that Chinese officials could conduct espionage or disrupt networks. Huawei denies the allegations.
Espinoza writes: “Only a third of EU countries had banned Huawei from critical parts of the bloc’s 5G communications despite recommendations set out by Brussels to exclude high-risk vendors from technology investments, Thierry Breton, EU internal market commissioner, told the bloc’s telecoms ministers at a meeting last Friday.”
- “This is too few. And it exposes the union’s collective security,” Breton said. The bloc previously crafted unanimously approved plans to screen such companies for security risks, but the plans fell short of a total ban. That would change if member states like Germany continued to delay in enacting a full ban, according to the report.
- Germany’s federal office for information security in April admitted to using communications equipment from Huawei, according to German-language newspaper Handelsblatt.
Huawei opposed the effort. “Assessing cyber security risks without sticking to technological standards … is a violation of the principles of fairness and non-discrimination, and also against the laws and regulations of the European Union and its member states,” a company representative told the Financial Times.
Report: Biden administration should be updating critical infrastructure governance documents
The successor group to the independent commission behind the creation of the Office of the National Cyber Director said the Biden administration’s cybersecurity approach “is not delivering the necessary improvements” to agencies responsible for steering the protection of critical infrastructure sectors and that it must be carefully overhauled.
The Cyberspace Solarium Commission (CSC) 2.0 in a report out this morning said the strategies around governing critical infrastructure protections have “become stale” and that the current system that designates critical infrastructure entities is “inadequate” including for risks that cross into several sectors.
- That can be changed with amendments to a decade-old policy priority, the commission said. The Biden administration signaled in November that it planned to revise the 2013 Presidential Policy Directive 21 (PPD-21). That outlined which agencies were responsible for steering protection of each of the 16 critical sectors, known as sector risk management agencies (SRMA).
PPD-21 has been “frozen in time now for eight years,” Mark Montgomery, CSC 2.0’s executive director, said in a call with reporters, adding that it should have been revised at the start of the Biden administration.
- The report recommends “targeted updates” to the directive as opposed to a wholesale rewriting process that risks “undercutting those relationships, structures, and processes that have effectively promoted public-private collaboration.”
- It also recommends identifying subsectors of critical infrastructure in areas like space systems, communications equipment and cloud computing to resolve confusion around which SRMAs have responsibility.
- It also asks to clarify CISA’s ability “to compel minimum security standards and to convene or require collaboration or engagement where appropriate.”
‘Night Fury’: documents detail DHS project to give ‘risk scores’ to social media users (Motherboard)
White House quiet on national cyber director choice, senator says (Axios)
Excel spreadsheet error leads Austrian party to announce wrong leader (Kelsey Ables)
Should software companies be held liable for security flaws? (Wall Street Journal)
North Korea hackers suspected in new $35 million crypto heist (CNN)
Prince Harry: I couldn’t trust anybody due to phone hacking (BBC News)
U.K. to remove Chinese-made surveillance equipment from sensitive government sites (Reuters)
Over 60,000 Android apps secretly installed adware for past six months (Bleeping Computer)
1Password launches its public passkey beta (The Verge)
DeSantis takes swing at Big Tech in New Florida privacy law (Bloomberg Law)
- Timothy Gallagher, former special agent in charge of the FBI’s Washington Cyber Division, joined global investigations firm Nardello & Co. as its chief security officer.
- FBI Deputy Director Paul Abbate delivers the keynote address at the Boston Conference on Cybersecurity at 9 a.m.
- The House Science Committee convenes a hearing on quantum technology at 10 a.m.
- The House Administration Committee holds a hearing on the role of the Election Assistance Commission at 10:15 a.m.
- Rep. Mike Gallagher (R-Wis.) and former Google CEO Eric Schmidt speak about AI and cybersecurity policy at the Foundation for Defense and Democracies at 12 p.m.
- The Senate Foreign Relations Committee holds a hearing on transatlantic approaches to China at 2:30 p.m.
- The Senate Rules Committee holds a hearing on the U.S. Election Assistance Commission at 3 p.m.
- The Institute of World Politics holds an online discussion on cyber intelligence at 6 p.m.
Thanks for reading. See you tomorrow.