US Department of Energy and its affiliates emerge as new victims of the MOVEit Transfer hack

Several US federal government agencies suffered cyber security incidents as a result of the Clop ransomware gang exploiting a zero-day vulnerability in the MOVEit Transfer web application provided by Progress Software.

In a statement shared with CNN, Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said that the agency along with the FBI is assisting several federal agencies that have been affected by the exploitation of the zero-day vulnerability in the MOVEit Transfer web application.

“We are working urgently to understand impacts and ensure timely remediation,” Director Easterly said.

The US Department of Energy’s spokesperson confirmed to CNN that it is one of the many federal agencies that have been affected by the global cyber security incident. The department said that as soon as it became aware of the incident, immediate steps were taken to mitigate the impact of the cyber attack.

“The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson added.

The cyber security incident also impacted the department’s affiliates, such as the Oak Ridge Associated Universities and the department’s Waste Isolation Pilot Plant in New Mexico which disposes atomic energy waste.

The Clop ransomware gang gave a deadline of June 14 to the affected companies to get in touch with it to prevent the publication of their stolen data. Now that the deadline has expired, several organisations are coming forward to confirm that they have been affected by the exploitation of the MOVEit Transfer web application vulnerability.

CISA’s response comes after Progress Software, the developer of the MOVEit transfer application, said it identified a second vulnerability in the application and was working to fix the same.

“We have communicated with customers on the steps they need to take to further secure their environments and we have also taken MOVEit Cloud offline as we urgently work to patch the issue,” the company said in a statement.

CISA officials also told the media that apart from federal agencies, “several hundred” companies in the US have been affected by the cyber security incident. One of the affected organisations is Johns Hopkins University in Baltimore whose health system said that the sensitive personal data and financial information of individuals, including health and billing records, may have been compromised in the incident.

The ransomware group has already claimed responsibility for compromising several industry giants including the BBC, British Airways, oil giant Shell, and many government agencies in the US and the UK.

Commenting on the news, Nick Rago, Field CTO at Salt Security, said, “It’s believed that CLOP Ransomware Gang exploited the vulnerability by uploading a web shell named LEMURLOOT. They could then access the underlying database of MOVEit to execute arbitrary code remotely. 

“Given the severity of the vulnerability, MOVEit users should patch installations as soon as possible. Moreover, until the patch is applied, it is strongly recommended to disable HTTP/HTTPS access to the MOVEit servers to prevent any unauthorized access,” Rago added.