On the 15th, CNN broke the story of a “global cyberattack by Russian cybercriminals” (guys, we only need one “cyber” here) that exploited a vulnerability in file transfer software MOVEit. The breach affected numerous federal agencies as well as “several hundred” companies, per a senior CISA official.
According to TechCrunch, a dozen or so US agencies have active MOVEit contracts, among them the Department of the Army, the Air Force, and the FDA. AFR is reporting that PwC and EY are among the affected, too.
The cybercrime group Cl0p first broke into the file service, which is called MOVEit, in late May and began stealing data from entities including US federal agencies, energy giant Shell and the BBC. Rival consultancy EY was also affected in the breach, which is growing larger by the day as companies reveal they have been targeted.
On Monday, PwC Australia confirmed it had used the software for a “limited number” of its clients, adding to its woes stemming from the Collins tax scandal.
“We are aware that MOVEit, a third-party transfer platform, has experienced a cybersecurity incident which has impacted hundreds of organisations including PwC,” a PwC spokesman said. He declined to comment on the ransom demand.
That spokesperson told AFR the firm stopped using MOVEit as soon as it became aware of the breach, spoke to clients whose files were exposed, and opened an investigation. EY, meanwhile:
A spokeswoman for EY said it learned of the breach on May 31, when an American firm called Progress, which makes MOVEit, confirmed the vulnerability in its software. “We immediately launched an investigation into our use of the tool and took urgent steps to safeguard any data,” the spokeswoman said. She also declined to comment on the ransom demand.
The EY spokeswoman said most of its systems that use the transfer service were not compromised but the firm was manually investigating where data may have been accessed and communicating with customers and authorities.
It seems the ransomware group is not interested in government data at all. “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information,” reads Cl0p’s dark web leak site, according to CNN. We were not able to connect to the .onion to confirm (502 Bad Gateway); others seem to be having the same problem.
We were able to access today and read their totally cool message pic.twitter.com/3cuXqyp2Xr
— vx-underground (@vxunderground) June 16, 2023
It’s said the group gave non-government breach victims until last Wednesday to reach out and discuss ransom terms, after which Cl0p would publish names. So far they’ve listed Boston Globe, East Western Bank, biotech company Enzo Biochem, Microsoft-owned AI company Nuance, 1st Source, First National Bankers Bank, and Shell, among others.
A joint advisory issued by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) explains how exactly MOVEit was compromised:
According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505 conducted zero-day-exploit-driven campaigns against Accellion File Transfer Appliance (FTA) devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.
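The advisory describes the chain as a zero-day SQL injection that plants a web shell on the Internet-facing MOVEit Transfer web application. One defender-side check that chain suggests is a “first-seen .aspx” sweep of the IIS logs: any server-side page that only starts receiving requests on or after May 27, 2023 deserves a look. The script below is an added example, not code from the article, Progress or the advisory; the log lines, the endpoint names and the `/unknown_new_page.aspx` path standing in for a dropped shell are all constructed placeholders.

```python
# Added example: flag .aspx paths on a MOVEit Transfer IIS server that were never
# requested before the exploitation start date quoted in the FBI/CISA advisory.
# A dropped web shell appears as a new server-side page that suddenly gets traffic.
from collections import defaultdict
from datetime import date

EXPLOITATION_START = date(2023, 5, 27)  # date from the advisory quoted above

# Constructed IIS W3C log lines (field order given in the #Fields directive);
# endpoint names and IPs are placeholders, not real MOVEit paths or IoCs.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2023-05-20 09:14:02 10.0.0.5 GET /login.aspx - 443 198.51.100.7 200
2023-05-20 09:15:10 10.0.0.5 POST /transfer.aspx - 443 198.51.100.7 200
2023-05-28 02:03:44 10.0.0.5 GET /login.aspx - 443 198.51.100.8 200
2023-05-28 02:04:01 10.0.0.5 POST /unknown_new_page.aspx - 443 203.0.113.9 200
2023-05-28 02:04:30 10.0.0.5 POST /unknown_new_page.aspx - 443 203.0.113.9 200
2023-05-29 11:40:12 10.0.0.5 POST /unknown_new_page.aspx - 443 203.0.113.10 200
"""

def parse_iis(log_text):
    """Yield (day, method, uri_stem, client_ip, status); skip '#' directives and short lines."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 9:
            continue
        yield date.fromisoformat(f[0]), f[3], f[4].lower(), f[7], f[8]

def first_seen_aspx(log_text, start=EXPLOITATION_START):
    """Return {uri: {'first': iso date, 'hits': n, 'ips': set}} for .aspx paths
    that received no requests before `start` but did on or after it."""
    baseline = set()
    seen = defaultdict(lambda: {"first": None, "hits": 0, "ips": set()})
    for day, _method, uri, ip, _status in parse_iis(log_text):
        if not uri.endswith(".aspx"):
            continue
        if day < start:            # pre-incident traffic defines the known-good set
            baseline.add(uri)
            continue
        rec = seen[uri]
        rec["first"] = day.isoformat() if rec["first"] is None else min(rec["first"], day.isoformat())
        rec["hits"] += 1
        rec["ips"].add(ip)
    return {u: r for u, r in seen.items() if u not in baseline}

if __name__ == "__main__":
    for uri, rec in first_seen_aspx(SAMPLE_LOG).items():
        print(f"NEW .aspx {uri}: first {rec['first']}, {rec['hits']} hits from {sorted(rec['ips'])}")
```

Run it against the real log directory with a baseline window long enough to cover every legitimate page; a page that is only hit during maintenance would otherwise show up as a false positive.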
A June 2020 article by EY entitled Ransomware: to pay or not to pay? covers the issue extensively, ultimately advising readers not to pay up. “While we at EY do not suggest organizations pay ransoms, we do acknowledge this option exists,” it reads. “We have therefore created this concise guide on the subject with the caveat that organizations who are faced with this scenario should seek legal counsel, recommendations from any cyber insurance providers, input from law enforcement as well as expert security advice before making any final determination as to the appropriate course of action.”