Analysis Summary

A high-severity security flaw in Progress Software's MOVEit Transfer program might enable threat actors to circumvent the platform's authentication safeguards, and just a few hours after it was made public, it is already being actively exploited by attackers.

Large-scale businesses use MOVEit Transfer for file sharing and collaboration. It was notoriously the target of a wave of Cl0p ransomware attacks last year that impacted at least 160 victims, including Siemens, UCLA, British Airways, and the state of Maine. The level of mass exploitation was such that it materially affected the results of this year's "Data Breach Investigations Report" (DBIR) from Verizon.

Progress has released a security advisory on the new vulnerability (CVE-2024-5806, CVSS: 7.4), which also includes patching information. The advisory describes the bug as an incorrect authentication vulnerability in MOVEit's SFTP module that, in certain circumstances, can result in an authentication bypass. Versions of MOVEit Transfer 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2 are affected.

Administrators should fix the flaw right away because, in addition to being a prime target for threat actors following the events of the previous year, MOVEit's ability to access internal information at Fortune 1000 firms makes it an attractive target for any advanced persistent threat (APT) with espionage aspirations. Furthermore, researchers began witnessing Progress MOVEit Transfer CVE-2024-5806 POST /guestaccess.aspx attack attempts very soon after vulnerability information was disclosed. Additionally, it stated that, while not all of the exposed instances are susceptible, there are at least 1,800 online.

While Progress did not disclose any information about the flaw, researchers were able to identify two possible attack scenarios and described the vulnerability as very odd. In one instance, an attacker may utilize a malicious SMB server and a legitimate login (made possible by a dictionary-attack technique) to carry out forced authentication.

A threat actor may pose as any user on the system in a different, more serious attack. Without ever signing in, they may upload their SSH public key to the server and use that material to authenticate as any user they like. From that point on, the attacker gets full user control over accessing, editing, and erasing previously secured and probably private data.

Impact

• Sensitive Data Theft
• Unauthorized Access
• Data Manipulation
• Cyber Espionage

Indicators of Compromise

CVE

• CVE-2024-5806

Affected Vendors

Remediation

• Refer to the Progress Website for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.