And that’s not the only problem — while those hacks began in May, the company behind the software announced a new critical vulnerability just yesterday.
The CL0P ransomware group has been exploiting a zero-day vulnerability in third-party file transfer software MOVEit Transfer to steal data, including personally identifiable information (PII). The hackers appear to have begun using the vulnerability by May 27, per the Cybersecurity and Infrastructure Security Agency (CISA).
On June 14, CL0P started naming victims, and this past week has seen state, local and educational entities report breaches.
A new call to action emerged June 15, with MOVEit software creator Progress Software disclosing another critical vulnerability and the associated patch. Malicious actors could exploit this vulnerability to escalate their privileges and potentially gain unauthorized access to victims’ environments, per the company.
“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action … and apply the patch to address the June 15th” vulnerability, Progress Software said on its website.
Entities looking to understand and get a handle on the May 27 vulnerability can look to CISA and FBI’s joint advisory, released in early June. It details advice about detection methods and mitigations.
CL0P claims on its leak site that it has deleted data stolen from governments and police services, per TechCrunch. But many impacted entities are, understandably, issuing warnings about risks of identity theft.
WHO HAS BEEN HIT SO FAR?
Department of Energy: At least two Department of Energy (DOE) entities had their data breached due to the MOVEit exploit, per Federal News Network. This appears to have compromised PII on “potentially tens of thousands of individuals” such as employees and contractors.
One DOE victim was Oak Ridge Associated Universities, a not-for-profit that provides “scientific and technical solutions for the U.S. Department of Energy and other federal agencies.”
The other was the DOE’s Carlsbad, N.M.-based Waste Isolation Pilot Plant, the nation’s only site for disposing of radioactive waste “generated by atomic energy defense activities.”
The full scope of impact is still uncertain; roughly a dozen U.S. agencies have active contracts with MOVEit, per Politico.
Still, a senior administration official in the federal government said that the U.S. military and intelligence community appear unimpacted, and federal agencies had not received ransom demands or seen their data leaked by hackers.
An official said CISA believes agencies are now only using patched versions of MOVEit, per Federal News Network.
The Louisiana Office of Motor Vehicles (OMV) announced that all residents with state-issued driver’s licenses, ID or car registration have likely had their personal information breached by hackers. Exposed details include names, addresses, Social Security numbers, driver’s license numbers, vehicle registration information, handicap placard information, birth dates, heights and eye colors.
In a June 15 announcement, Louisiana OMV urged residents to guard their identities by freezing their credit, changing all passwords for online accounts, requesting identity protection PINs from the IRS to protect tax refunds, and registering with the Social Security Administration online to prevent fraudsters stealing their benefits.
“There is no indication at this time that cyber attackers who breached MOVEit have sold, used, shared or released the OMV data obtained from the MOVEit attack. The cyber attackers have not contacted state government,” OMV added.
The Oregon Department of Transportation (ODOT) has used MOVEit since 2015. On June 12, the ODOT confirmed that 3.5 million residents’ personal information was breached, some of it sensitive.
“We do not have the ability to identify if any specific individual’s data has been breached,” the departmentsaid. It advised everyone with an active state ID or driver's license to assume information on those documents was exposed. ODOT recommended residents take steps like viewing and monitoring their personal credit reports for signs of identity theft.
Public information officer for DMV and safety Michelle Godfrey told Government Technology that 20 percent of the compromised files impact people and that the state is prioritizing analyzing the risk those files pose. She said she could not disclose what the other 80 percent of files dealt with, out of concern that bad actors might take advantage of this information.
ODOT acted to secure its systems upon receiving a CISA security alert on June 1, but discovered that hackers accessed the system prior to this date. There were a few days during which data was exposed, Godfrey said.
No financial data appeared to have been breached.
“We’re still in response mode, still analyzing files and data to determine if there’s additional risks to Oregonians,” she said on June 16.
The Missouri Office of Administration — IT Services Division is in the midst of an investigation into potential impacts of the MOVEit hack as of June 13, and it said it will issue a public alert once it has identified the “entities, individuals or systems” likely impacted.
The Illinois Department of Innovation and Technology said it believes “a large number of individuals could be impacted” by the incident and is working to advise affected state agencies. It is currently investigating the extent of the impact and expects to provide a public notice and a call center to answer questions, once it has a full count of who is affected.
The Minnesota Department of Education said hackers accessed some information on thousands of children in foster care and some students. The breach exposed information on 95,000 children in foster care, as well as 124 students qualifying for pandemic electronic benefit transfer (P-EBT) services in the Perham School District. Also among the impacted were 29 students taking Postsecondary Enrollment Options (PSEO) courses at Hennepin Technical College and five students on a Minneapolis Public Schools bus route. Financial information was untouched, state officials said.
As of June 16, the state had had no communications with the hackers and was unaware of any data being leaked, Kevin Burns, communications director at the Minnesota Department of Education, told Government Technology.
The department learned of the compromise from Progress Software on May 31 and has adopted security remediations the vendor provided, among taking other security efforts, Burns said. That state has been frequently retesting MOVEit and other software for security weaknesses.
“We are more than two weeks past initial event, and this remains a high priority for us to pay attention to and make sure we don’t lose sight of continuing to monitor not only this system but all systems for potential vulnerabilities,” he said.
While several state agencies use MOVEit, the education department is the only one that appears impacted, Burns said.
Officials have been working to notify those impacted — but do not have contact information for children in foster care. They have sought other ways to raise awareness through steps like launching a website about the breach and publicizing the event through media.
“Even though absolutely no financial information was included in the breach of our files, we’re taking this very seriously and with a lot of thought and a lot of response to those who may be impacted,” Burns said. “We realize that a data breach can be very traumatic to individuals … we want to be very empathetic.”
The University System of Georgia said hackers had likely accessed data.
Johns Hopkins University and Johns Hopkins Health System also havesaid they’re investigating what data was compromised. They advised students, faculty, staff and departments to monitor financial accounts, update passwords, freeze credit and stay on guard for potential phishing messages.
THE BIG PICTURE
CISA Director Jen Easterly reportedly painted the MOVEit breaches as less severe than the SolarWinds compromise, whose December 2020 discovery threw a spotlight on software supply chain risk.
Easterly said that, in contrast, these new attacks were detected more rapidly and appeared less targeted.
“Based on discussions we have had with industry partners ... these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems or to steal specific high-value information — in sum, as we understand it, this attack is largely an opportunistic one,” Easterly said, per The Washington Post. “Although we are very concerned about this campaign and working on it with urgency, this is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks."
Censys, an attack surface management platform, said in a June 13 blog that its scans found more than 1,400 Internet-connected servers running MOVEit software. Such figures do not reflect anything about whether those devices were vulnerable to the exploitation. Most of the MOVEit servers Censys found were associated with the financial sector with just 7.6 percent used by government and military. Most of the latter group — about 83 percent — were located in the U.S.