CNN said the US Cybersecurity and Infrastructure Security Agency (CISA) had told the network that it was providing aid to these agencies.
As iTWire reported on 6 June, the Cl0p ransomware group was claimed to have been carrying out attacks from 27 May onwards, using a vulnerability in the MOVEit Transfer file transfer software to gain access.
The vulnerability was announced by the company that makes the software, Progress Software Corporation, on 31 May, according to a post from Google-owned security firm Mandiant.
The TV outlet said the US Department of Energy was among those hit, but a CISA spokesperson did not offer any comment when asked who was responsible and how many agencies had been affected.
In its latest advisory about mitigating the effects of the vulnerability, Progress said it would be wise to disable all HTTP and HTTPS traffic to the MOVEit Transfer environment. The vulnerability is yet to be given a CVE number.
Elaborating, the company said:
- "Modify firewall rules to deny HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443;
- "It is important to note that until HTTP and HTTPS traffic is enabled again:
  - "Users will not be able to log on to the MOVEit Transfer web UI;
  - "MOVEit Automation tasks that use the native MOVEit Transfer host will not work;
  - "REST, Java and .NET APIs will not work; and
  - "MOVEit Transfer add-in for Outlook will not work.
- "SFTP and FTP/s protocols will continue to work as normal."
And the advisory added: "As a workaround, administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/."
Commenting on the attacks, Robert Cattanach, a partner at international law firm Dorsey & Whitney, said: "Alarm bells that started in the UK private sector, then spread to the US, are now going off throughout the Federal Government after Russian cyber criminal group Cl0p boasted online that it had exploited vulnerabilities in MOVEit file transfer software to penetrate numerous organisations, most recently and significantly many agencies in the US Government.
"The hackers continue to add victims to their dark-web list of extortion victims, and as the full scope of the supply chain exposure continues to unfold exponentially, CISA is engaging in full-time damage control.
"The depth and scope of the compromise are already believed to be staggering, and making matters worse, the only thing known for certain is that the extent of the vulnerability still isn't known.
"While some federal agencies (TSA and the US State Department) were quick to assert that their systems remain secure, it's a sure bet that those agencies less fortunate are scrambling to assess the full impact of the hack on their systems before they offer any public assessment of the damage.
"The latest round of revelations follows a now-familiar playbook: cyber criminals uncover a software flaw, exploit it surreptitiously to avoid drawing attention, then pounce quickly on unsuspecting victims to maximize leverage before software fixes are in place. What's unique about this hack is the apparent ability of the attackers to move laterally among connected systems of different entities, allowing them access to companies that supposedly did not even employ the defective software, meaning that the MOVEit supply chain is only the beginning, rather than the end of the compromise.
"While CISA has been increasingly focused on supply chain vulnerabilities in its contingency planning and regulatory initiatives, this latest round of expanding shockwaves is sure to add new impetus to those initiatives, and influence the ongoing debates between software developers and government cyber-policy experts about who should bear the ultimate responsibility for software that proves to be defective."