MOVEit exploit used against ‘several’ federal government agencies

The CISA logo is seen hanging on a blue wall

“Several” government agencies fell victim to attackers exploiting a vulnerability in the MOVEit Transfer file transfer application that has plagued the public and private sectors since its disclosure in late May.

CNN quoted the U.S. Cybersecurity and Infrastructure Security Agency’s Executive Assistant Director for Cybersecurity Eric Goldstein, who said that the agency is “providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.” Goldstein said CISA was working to ensure timely remediation.

In a statement to MSNBC, CISA Director Jen Easterly said she was “confident” that there will not be “significant impacts” to federal agencies from the hacks because of the government’s defensive improvements with its partners. 

It was unclear if Easterly was referring to a June 13 CISA order in which federal agencies were mandated to harden their network edge and remote management devices, citing “recent threat campaigns” that have exploited improperly configured network devices.

The vulnerability was first disclosed on May 31 by Progress Software, which makes the MOVEit Transfer app. Security professionals urged organizations to patch quickly, since the application is used by thousands of enterprises, including 1,700 software companies and 3.5 million developers.

The SQL injection vulnerability, which has since been patched by Progress Software, could lead to escalation of privileges. Additional, though less severe, vulnerabilities were discovered during the investigation of the zero-day, which led to a second patch.

Days after the first disclosure, Microsoft attributed exploitation of the vulnerability to the Clop ransomware group. In addition to the U.S. government, victims include Nova Scotia's government and British Airways employees, among others.

In a statement, a Department of Energy spokesperson confirmed two DOE entities were compromised in the attack.

“The U.S. Department of Energy (DOE) takes cybersecurity and the responsibility to protect its data very seriously. Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA),” the spokesperson said. “The department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”

News of the breach will almost certainly lead to scrutiny on Capitol Hill.

Reps. Mark Green, R-Tenn., chair of the House Homeland Security Committee, and Andrew Garbarino, R-N.Y., chair of the cybersecurity subcommittee, said they had been in contact with CISA as it triages and provides incident response services to different agencies.

“We are pleased with the timeliness of CISA’s response to yet another significant cyber incident impacting a wide range of potential victims who use this popular software. The committee will continue to stay in close communication with CISA as we work to gather more information, including who is responsible and the full extent of the data impacted,” Green and Garbarino said in a joint statement sent to SC Media. “This incident is another reminder of the importance of CISA’s commitment to its cybersecurity mission and the need to be appropriately equipped to carry out that mission.”

Eric Swalwell, of California, the ranking Democrat on the same subcommittee, said he has spoken with Easterly, who said that early reports indicate no systems or devices were encrypted.

“I am closely monitoring the cyber exploit of MOVEit, a file transfer program that is utilized by private companies and the federal government. I spoke this afternoon with CISA Director Jen Easterly who told me that exposures of federal networks and data appear to be minimal and do not pose a systemic or national security risk,” Swalwell said. “Additionally, none of the attacks thus far are reported to be encryption-based, meaning networks and servers can still maintain full functionality without first having to pay a ransom.”

Senior editor and reporter Derek B. Johnson contributed reporting to this story.

Stephen Weigand

Stephen Weigand is managing editor and production manager for SC Media. He has worked for news media in Washington, D.C., covering military and defense issues, as well as federal IT. He is based in the Seattle area.