MOVEit: Attempted exploitation of critical vulnerability

Progress disclosed the authentication bypass vulnerability on Tuesday, and Shadowserver researchers say they began seeing attempted exploits ‘very shortly after’.

Progress disclosed a critical new vulnerability in MOVEit Transfer on Tuesday, and researchers at Shadowserver say they began seeing attempted exploits by hackers “very shortly after”.

The disclosure comes just over a year after widespread attacks targeted a prior vulnerability in Progress' MOVEit file transfer tool, ultimately compromising thousands of organisations in what turned out to be one of the biggest data heists in recent years.

The new critical vulnerability in MOVEit Transfer (tracked as CVE-2024-5806) can enable a threat actor to bypass authentication and has received a severity rating of 9.1 out of 10.0. The bug affects several versions of MOVEit Transfer, and Progress has made patches available for the affected versions.

"If you have not done so already, we strongly urge all MOVEit Transfer customers on versions 2023.0, 2023.1 and 2024.0 to upgrade to the latest patched version immediately," the company said in an advisory.

In a post on X on Tuesday, researchers at threat tracker Shadowserver said they began to observe attempted exploits of the flaw "very shortly after vulnerability details were published."

In a statement provided to Computing, Progress said that "currently, we have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct operational impact to customers."

Meanwhile, for MOVEit Cloud customers, "no further action is needed as the MOVEit Transfer patch has already been deployed to MOVEit Cloud," Progress said in its advisory on Tuesday.

Anniversary of 2023 MOVEit attacks

In the attacks a year ago, the Russian-speaking cybercriminal group Clop exploited a critical vulnerability in MOVEit to steal data from an estimated 2,773 organizations, according to a tally by cybersecurity firm Emsisoft.

Companies hit in the MOVEit data extortion campaign included IBM, Cognizant, Deloitte, PricewaterhouseCoopers and Ernst & Young, while affected government agencies included the Louisiana Office of Motor Vehicles and the Oregon Driver and Motor Vehicles division.

In one notable case, a MOVEit-related incident resulted in numerous downstream breaches of organisations that used a major third-party vendor. The breach of PBI Research Services became the largest single MOVEit-related incident, in terms of total individuals impacted, after data from 13.8 million individuals was ultimately compromised, according to the US Identity Theft Resource Center.

A total of nearly 96 million individuals are known to have been impacted in the attacks, according to the Emsisoft tally.

This article was first published on CRN.