MOVEit Transfer Flaws Push Security Defense Into a Race With Attackers

  /     /     /  
Publicated : 23/11/2024   Category : security


MOVEit Transfer Flaws Push Security Defense Into a Race With Attackers


While Progress has released patches for the vulnerabilities, attackers are trying to exploit them before organizations have a chance to remediate.



Attackers appear to be pounding away at a couple of critical bugs that
Progress Software disclosed this week
in its MOVEit file transfer application, with nearly the same ferocity as they did the zero-day flaw the company disclosed almost exactly a year ago.
While patches are available for the new flaws, the big question now for affected organizations is whether they can apply them quickly enough to beat adversaries targeting their systems, especially with a proof-of-concept (PoC) exploit available in the wild.
Even those that might have already applied updates have more work to do because the original patch that Progress issued for one of the flaws does not mitigate new issues that the software maker discovered after the patch release.
The new MOVEit Transfer vulnerabilities are both improper authentication issues in the SFTP module. They allow an attacker to potentially impersonate any user on an affected instance and take control of it. One of the flaws, tracked as
CVE-2024-5806
, affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2. The other, identified as
CVE-2024-5805
, affects MOVEit Gateway: 2024.0.0.
When Progress first disclosed CVE-2024-5806 on June 25, the company assigned the flaw a medium-severity score of 7.4 out of a maximum possible 10 on the CVSS scale. Progress quickly upgraded that score to 9.1 after researchers at
watchTowr
discovered a vulnerability in a third-party component (
IPWorks SSH
) used in MOVEit Transfer. Progress described the issue as introducing new risks to organizations, including those that might have already applied the patch for CVE-2024-5806.
In an update to its original advisory, Progress urged affected organizations to install the patch and also block public inbound RDP access to MOVEit Transfer servers and limit outbound transfers to only known and trusted endpoints.
An Internet scan that
Censys conducted on June 25
unearthed some 2,700 MOVEit Transfer instances online, most of them in the US. Internet scanning entity ShadowServer, which reported observing exploit attempts targeting CVE-2024-5806
almost immediately
after Progress disclosed the flaw, identified some
1,800 instances
online as of June 27.
Based on our understanding of the vulnerability, exploitation doesnt appear exceptionally difficult, says Emily Austin, principal security researcher at Censys. In theory, an actor would need to identify an unpatched MOVEit Transfer instance and know a valid username for accessing the service, she says. While knowing a valid username might seem like a hurdle, a little OSNIT combined with watchTowr researchers discovery of a method for enumerating valid MOVEit Transfer instance usernames makes this somewhat trivial, Austin notes.
The new flaws come a year after Progress disclosed
CVE-2023-34362
, a SQL injection zero-day vulnerability in MOVEit Transfer that ranked as one of the most widely exploited flaws of 2023. The Cl0p ransomware group, which claimed credit for discovering the flaw, was among the many that exploited it with devastating affect last year.
Affected organizations cannot afford to delay given how widely they are being targeted, says Mike Walters, president and co-founder of Action1. The consequences can be devastating because these vulnerabilities allow an attacker to take over the server, Walters says. With a CVSS score of 9.1 and a PoC available, the vulnerability will likely be added to the toolkit of leading APT groups rather quickly. If the companies that were attacked last time have not ramped up their information security in any way, the consequences for them could well be the same as last time, he warns.
Austin says CVE-2024-5806 is somewhat more complex than the SQL injection bug in MOVEit Transfer that Cl0p exploited throughout 2023. Even so, instance administrators should still take the new flaw very seriously and follow mitigation guidance provided by Progress Software, she says.
We dont have a way to see exploitation or patch status of MOVEit Transfer instances, but we know that as of Tuesday, June 25, 2024, there are 2,700 MOVEit Transfer instances exposed to the Internet, Austin says. This is very similar to the number of MOVEit Transfer exposures we observed around this time last year, suggesting that the tool is still widely used in spite of various security issues.
Despite the severity of the threat, there is still some optimism that the new flaws that Progress disclosed this week — especially CVE-2024-5806 — wont cause quite as much damage as last years SQL injection flaw because patches are already available.
At this time, it seems unlikely that the exploitation of this vulnerability will be as widespread as last years massive campaign exploiting CVE-2023-34362, says Paul Prudhomme, principal security analyst at SecurityScorecard. That was a zero-day vulnerability, giving threat actors more time to exploit it before a patch became available, he says. In this case, threat actors have less time because patches are already available; the most that they can do is take advantage of organizations’ delays in patching it, so this window of time is crucial to minimizing its impact.
Prudhomme reiterates that patching alone is not sufficient against vulnerabilities such as CVE-2024-5806. A layered security approach, combining patching with threat intelligence and proactive risk management, is essential, he says. Organizations can build resilience against evolving cyber threats by prioritizing a multifaceted approach to security.”

Last News

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security

▸ There are plenty of online tools for reporting bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
MOVEit Transfer Flaws Push Security Defense Into a Race With Attackers