British energy giant Shell, the Johns Hopkins University, the Johns Hopkins Health System and the University System of Georgia were also hit…reports Asian Lite News
Several federal government agencies have been hit in a global hacking campaign that exploited a vulnerability in widely used file-transfer software, the nation’s cyber watchdog agency said on Thursday.
The statement by the Cybersecurity and Infrastructure Security Agency (CISA) added to a growing list of entities in the US, UK and other countries whose systems were infiltrated through the MOVEit Transfer software. The hackers took advantage of a security flaw that its maker, Progress Software, discovered late last month.
“We are working urgently to understand impacts and ensure timely remediation,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a statement.
British energy giant Shell, the Johns Hopkins University, the Johns Hopkins Health System and the University System of Georgia were also hit, they said in separate statements.
Shell spokeswoman Anna Arata said MOVEit Transfer is used by “a small number” of Shell employees and customers.
“There is no evidence of impact to Shell’s core IT systems,” she said. “There are around 50 users of the tool, and we are urgently investigating what data may have been impacted.”
Johns Hopkins said it was “investigating a recent cybersecurity attack targeting a widely used software tool that affected our networks, as well as thousands of other large organizations around the world.”
The University System of Georgia, which groups about 26 public colleges, said it was “evaluating the scope and severity of this potential data exposure” from the MOVEit hack.
Large organizations including the UK’s telecom regulator, British Airways, the BBC and drugstore chain Boots emerged as victims last week.
The UK telecom regulator said hackers stole data from its systems, while the personal information of tens of thousands of employees of British Airways, Boots and the BBC was also exposed.
CISA did not immediately respond to requests seeking further comment. The FBI and National Security Agency also did not immediately respond to emails seeking details on the breaches.
The United States does not expect any “significant impact” from the breach, CISA Director Jen Easterly told MSNBC.
MOVEit is typically used by organizations to transfer files between their partners or customers. A MOVEit spokesperson said the company had “engaged with federal law enforcement” and was working with customers to help them apply fixes to their systems.
New Vulnerability Found
Progress Software’s shares ended down 6.1% on Thursday. The company disclosed another “critical vulnerability” it found in MOVEit Transfer on Thursday, although it was not clear whether it had been exploited by hackers.
The online extortion group Cl0p, which has claimed credit for the MOVEit hack, has previously said it would not exploit any data taken from government agencies.
“IF YOU ARE A GOVERNMENT, CITY OR POLICE SERVICE DO NOT WORRY, WE ERASED ALL YOUR DATA,” the group said in a statement on its website.
Cl0p did not immediately responded to a request for comment.
John Hammond, a security researcher at Huntress, said MOVEit is used to transfer sensitive information, such as by bank customers to upload their financial data for loan applications.
“There’s a whole lot of potential for what an adversary might be able to get into,” he said earlier this month.
The news adds to a growing tally of victims of a sprawling hacking campaign that began two weeks ago and has hit major US universities and state governments. The hacking spree mounts pressure on federal officials who have pledged to put a dent in the scourge of ransomware attacks that have hobbled schools, hospitals and local governments across the US.
Since late last month, the hackers have been exploiting a flaw in widely used software known as MOVEit that companies and agencies use to transfer data. Progress Software, the US firm that makes the software, told CNN Thursday that a new vulnerability in the software had been discovered “that could be exploited by a bad actor.”
“We have communicated with customers on the steps they need to take to further secure their environments and we have also taken MOVEit Cloud offline as we urgently work to patch the issue,” the company said in a statement.
Agencies were much quicker Thursday to deny they’d been affected by the hacking than to confirm they were. The Transportation Security Administration and the State Department said they were not victims of the hack.
The Department of Energy “took immediate steps” to mitigate the impact of the hack after learning that records from two department “entities” had been compromised, the department spokesperson said.
“The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson said in a statement.
Johns Hopkins University in Baltimore and the university’s renowned health system said in a statement this week that “sensitive personal and financial information,” including health billing records may have been stolen in the hack.
