At least one cybersecurity researcher is reporting that threat actors have begun exploiting a new vulnerability discovered in MOVEit Transfer less than a day after it was disclosed.
The critical flaw, designated CVE-2024-5806, could allow threat actors to bypass the application’s authentication process potentially providing the threat actor with access to sensitive data and the ability to upload, download, delete, or otherwise tamper with files located on the affected server.
The potential exploitation of CVE-2024-5806 was made easier with the release of at least one proof-of-concept (PoC) exploit code as well as technical details regarding the vulnerability.
The maker of MOVEit Transfer, Progress Software, has released new versions of the software that address CVE-2024-5806 and is encouraging its users to upgrade as soon as possible.
However, a separate vulnerability in a third-party component used by MOVEit Transfer, which elevates the risks associated with CVE-2024-5806, was discovered. Until a patch is available from that third-party vendor, Progress advised users to block Remote Desktop Protocol (RDP) access to MOVEit Transfer servers and restrict outbound connection to trusted endpoints.
Source: Bleeping Computer
Analysis
Secure data transfer services, such as MOVEit and FTP servers, are popular targets for exploitation, given the nature of the data they secure and the desirable list of organizations using them.
For example, in 2023, a zero-day vulnerability in MOVEit Transfer presented a golden opportunity for threat actors looking for access to the networks of high-profile organizations like the BBC and British Airways. It also impacted the government of Nova Scotia, resulting in the theft of social insurance numbers, addresses, and banking information of 100,000 current and former provincial employees. Furthermore, one ransomware actor, known as Cl0p, named 27 companies it claims to have hacked using the MOVEit vulnerability.
Fortunately, CVE-2024-5806 was disclosed and patched before threat actors were able to discover the flaw on their own. However, given how quickly threat actors were able to exploit it after it was disclosed, it’s imperative that MOVEit Transfer users patch as quickly as possible.
Mitigation
Field Effect’s team of Security Intelligence professionals constantly monitors the cyber threat landscape for potential security concerns in software such as MOVEit Transfer. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of potential vulnerabilities.
Field Effect MDR users were already notified if an affected version of MOVEit Transfer software was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages users of impacted versions of MOVEit Transfer to install the latest security updates as soon as possible in accordance with Progress’s advisory.
If your organization uses a secure data transfer service, ensure proper mitigations are in place to detect unauthorized access, misconfigurations, and data theft before a vulnerability is officially announced.
Related Articles
