How the MOVEit Vulnerability Impacts Federal Government Agencies

Across the globe, CL0P ransomware group is extorting hundreds of organizations — including federal government agencies — after exploiting a critical SQLi vulnerability in MOVEit Transfer, potentially leading to arbitrary remote code execution and unauthorized data access. New victims seem to emerge daily, with CL0P threatening to publish stolen data publicly if organizations don’t pay up.

Host Matt Radolec, David Gibson, and guest Dvir Sason held a special State of Cybercrime to discuss how the ransomware group exploited the critical flaw in the transfer application and why the threat to federal government agencies is so concerning.

MOVEit is front-page news.

New MOVEit victims are making headlines every day, with recent attacks against two large education institutions and two leading global energy companies. Because these energy providers offer equipment and services used by critical infrastructure and industrial control systems, their data could prove useful to many advanced adversaries.

“We’re talking about a very sophisticated type of exploitation and weaponization,” Dvir Sason.

To date, the data of millions has been stolen from hundreds of organizations, including information from federal and state agencies in Illinois, Louisiana, Minnesota, Missouri, and Oregon. According to the Federal Data Procurement System, about a dozen other U.S. civilian and DOD agencies have active MOVEit contracts.

CISA and the FBI published a joint cybersecurity advisory on the vulnerability and offer a $10M reward linking the ransomware gang to a foreign government.

Not exactly the new kids on the block.

The cybercriminal group behind this attack, CL0P, remained active in one form or another for almost a decade. Considered linked to FIN11 and TA505, the group is believed to have been around since 2014 and was responsible for the infamous Dridex banking Trojan. Adapting and evolving over the years, their financially-motivated attacks shifted to the deployment of ransomware in 2019 and, as seen in this case, extortion following the theft of data.

“The name CL0P is related to the ransomware they deploy when they compromise a victim, and the main objective is absolutely financial motivation — this is why they have the name “fin,”’ Dvir said.

“We’re talking about a very sophisticated type of exploitation and weaponization that usually is not something that a single person can carry out,” he added. “This is a very highly professional group that can study this vulnerability to fully automate it and attack servers from around the world.”

The exploit starts with collaboration.

Let’s imagine a scenario: the company you work for requires you to share documents with a third party. There are several ways to do this — via sharing links in OneDrive, a shared Google doc, etc. — but if you need to grant access at scale on a regular basis, an easier solution would be to share documents through a file-transfer program like MOVEit.

The problem is that these third-party solutions are usually exposed on the external boundaries of the organization, either via the cloud or on-prem, and this is what allows them to be vulnerable to exploits.

CL0P appears to have been waiting in the wings for a federal holiday (Memorial Day in the United States and a spring bank holiday in the U.K.) to mass exploit servers in the wild while those in charge of maintaining the servers were off work. As soon as the servers were compromised, CL0P could easily steal information and perform double extortion.

Once the attacks began, Progress Software (the company behind MOVEit) identified the vulnerability in its software and provided a patch in late May. However, not all organizations were aware of this and failed to patch their servers.

The fallout from paying extortion demands could quickly mount.

The notes CL0P left behind urged impacted organizations to contact them immediately to avoid stolen data being published. The note is meant to intimidate, Dvir said — meant to motivate victims to act quickly.

“We have a metaphor referring to ransomware groups,” he said. “We need to refer to them as seagulls.

“When you stand at the beach, and you’re holding a big sandwich, and there are seagulls waiting for you to take a bite, you can’t just feed them. You need to hold onto your sandwich because once you let them bite, they will just come back and eat your whole sandwich. In that sense, I would advise not to feed the seagulls — not to pay the ransom to these ransomware groups.”

“Friendly” CL0P promised not to expose government data.

In their ransom note, “friendly” CL0P wrote a postscript stating:

“If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”

However, that doesn’t mean federal agencies should breathe easy.

“As long as there are lots of data that people rely on and that we depend on, there’s no reason to think that attackers won’t continue to try to exploit our dependence,” David said.

Matt added, “Whether they’ve deleted data or not, I’m unsure of; I have a feeling they are sharing that data to someone else.”

To combat the threat of cyberattacks, MOVEit recommends that you take immediate action to help protect your environment. Varonis can help secure federal agencies by:

• Helping identify privilege escalations 
• Enforcing a least privilege model 
• Monitoring and flagging suspicious activity (behavior-based threat models)
• Providing complimentary Proactive Incident Response 
• Automating responses to stop data exfiltration

Learn more

Hear the full discussion on our YouTube channel or Apple Podcasts to learn how the MOVEit vulnerability affects federal government agencies and what you can do to protect yourself. While you’re there, sign up to be notified of upcoming webcasts.