A quick, anecdotal thumbnail sketch of the cybersecurity threat vectors for 2023: APT and zero-day activity feels particularly ferocious right now. As a result, on June 1, 2023, we published a quick, general update on Federal Deadlines for Updates to Known Exploited Vulnerabilities and Zero-days Patches, in an effort to get our heads around the current volume, severity, and frequency of recent attacks and ransomware activity.
While we were preparing that update, the first news of what has since become a significant cybersecurity incident crossed our desk: the Clop ransomware gang exploiting a new zero-day vulnerability in a popular file transfer tool used by thousands of major companies. We included it in the update, along with the initial advisory from the tool's vendor, Progress Software. See Progress Software Releases Security Advisory for MOVEit Transfer.
Fast on the heels of this post, we will publish the latest Progress Software advisories and the joint FBI and CISA advisory on the exploit as a standalone post, a thorough update on the impact of the exploit to date, with mitigation recommendations. In the meantime, the bounty offered by the State Department is the lead story.
Do you have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government?
US puts $10M bounty on Clop as federal agencies confirm data compromises
Additional private sector companies have disclosed attacks after multiple vulnerabilities were found in MOVEit Transfer software
As reported by David Jones over at Cybersecurity Dive:
The U.S. State Department is offering a $10 million bounty related to information on the Clop ransomware gang, which is attributed to broad exploits of the MOVEit transfer vulnerabilities with victims that include federal agencies.
The Department of Energy confirmed data was impacted by an attack, and reports from CNN indicate a possible attack is being investigated against the Office of Personnel Management. The U.S. Department of Agriculture is also dealing with a third-party vendor data breach.
“The [DOE] takes cybersecurity and the responsibility to protect its data very seriously,” a spokesperson said in a statement to Cybersecurity Dive. “Upon learning that records from two DOE entities were compromised in the global cyberattack on the file sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure and notified [CISA].”
The agency has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate the impacts of the breach, according to the spokesperson. The FBI declined to comment.
Progress Software last week disclosed a third vulnerability in the MOVEit file transfer software, listed as CVE-2023-35708. The original zero-day was first disclosed at the end of May. A spokesperson for Progress said there is no evidence CVE-2023-35708 has been publicly exploited.
Industry officials said they have seen widespread impacts from the attacks against the MOVEit vulnerabilities and are actively sharing new intelligence.
“We have seen the MOVEit vulnerability being exploited and leveraged by ransomware threat actors and this type of attack is a prevalent and common threat across sectors,” said Scott Algeier, executive director of the Food and Agriculture ISAC. “We continue to share intelligence and analysis on this and other threats among our membership, and at this time, we have no indication that the food and ag industry has been specifically targeted.”
A spokesperson for the USDA said: “A data breach did not occur to the USDA network. We estimate that fewer than 30 USDA employees may have been impacted through a third-party vendor data breach. The few employees whose data may have been affected are being contacted and provided support.” OPM did not immediately return requests for comment.
More victims are coming forward to detail their exposure to the MOVEit vulnerabilities. The vulnerabilities have hit nearly 90 organizations, according to Emsisoft Threat Analyst Brett Callow. Previously, Clop said it had several hundred victims.
Gen Digital, the parent company of Norton LifeLock, confirmed that it uses MOVEit for file transfers, but said it has remediated all known vulnerabilities in the system.
“We have confirmed there was no impact to our core IT systems and our services and that no customer or partner data was exposed,” a spokesperson for Gen said via email.
However, some personal data — including names, company email addresses, employee ID numbers, home addresses, and dates of birth — of Gen employees and contingent workers was accessed.
The company has notified the affected employees and data protection regulators. (1)