The U.S. State Department is offering a $10 million bounty for information on the Clop ransomware gang, to which broad exploitation of the MOVEit Transfer vulnerabilities has been attributed, with victims that include federal agencies.
The Department of Energy confirmed data was impacted by an attack, and reports from CNN indicate a possible attack against the Office of Personnel Management is being investigated. The U.S. Department of Agriculture is also dealing with a third-party vendor data breach.
“The [DOE] takes cybersecurity and the responsibility to protect its data very seriously,” a spokesperson said in a statement to Cybersecurity Dive. “Upon learning that records from two DOE entities were compromised in the global cyberattack on the file sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure and notified [CISA].”
The agency has notified Congress and is working with law enforcement, CISA and the affected entities to investigate the incident and mitigate the impacts of the breach, according to the spokesperson. The FBI declined to comment.
Progress Software last week disclosed a third vulnerability in the MOVEit file transfer software, listed as CVE-2023-35708. The original zero day was first disclosed at the end of May. A spokesperson for Progress said there is no evidence CVE-2023-35708 has been publicly exploited.
Industry officials said they have seen widespread impacts from the attacks against the MOVEit vulnerabilities and are actively sharing new intelligence.
“We have seen the MOVEit vulnerability being exploited and leveraged by ransomware threat actors and this type of attack is a prevalent and common threat across sectors,” said Scott Algeier, executive director of the Food and Agriculture ISAC. “We continue to share intelligence and analysis on this and other threats among our membership, and at this time, we have no indication that the food and ag industry has been specifically targeted.”
A spokesperson for the USDA said: “A data breach did not occur to the USDA network. We estimate that fewer than 30 USDA employees may have been impacted through a third-party vendor data breach. The few employees whose data may have been affected are being contacted and provided support.” OPM did not immediately return requests for comment.
More victims are coming forward to detail their exposure to the MOVEit vulnerabilities. The vulnerabilities have hit nearly 90 organizations, according to Emsisoft Threat Analyst Brett Callow. Previously, Clop said it had several hundred victims.
Gen Digital, the parent company of Norton LifeLock, confirmed that it uses MOVEit for file transfers, but said it has remediated all known vulnerabilities in the system.
“We have confirmed there was no impact to our core IT systems and our services and that no customer or partner data was exposed,” a spokesperson for Gen said via email.
However, some personal data — including names, company email addresses, employee ID numbers, home addresses and dates of birth — of Gen employees and contingent workers was accessed.
The company has notified the affected employees and data protection regulators.