MOVEit Transfer Flaws Push Security Defense Into a Race With Attackers

Attackers appear to be pounding away at a couple of critical bugs that Progress Software disclosed this week in its MOVEit file transfer application, with nearly the same ferocity as they did the zero-day flaw the company disclosed almost exactly a year ago.

While patches are available for the new flaws, the big question now for affected organizations is whether they can apply them quickly enough to beat adversaries targeting their systems, especially with a proof-of-concept (PoC) exploit available in the wild.

Patching Alone Is Insufficient

Even those that might have already applied updates have more work to do because the original patch that Progress issued for one of the flaws does not mitigate new issues that the software maker discovered after the patch release.

The new MOVEit Transfer vulnerabilities are both improper authentication issues in the SFTP module. They allow an attacker to potentially impersonate any user on an affected instance and take control of it. One of the flaws, tracked as CVE-2024-5806, affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2. The other, identified as CVE-2024-5805, affects MOVEit Gateway: 2024.0.0.

When Progress first disclosed CVE-2024-5806 on June 25, the company assigned the flaw a medium-severity score of 7.4 out of a maximum possible 10 on the CVSS scale. Progress quickly upgraded that score to 9.1 after researchers at watchTowr discovered a vulnerability in a third-party component (IPWorks SSH) used in MOVEit Transfer. Progress described the issue as introducing new risks to organizations, including those that might have already applied the patch for CVE-2024-5806.

In an update to its original advisory, Progress urged affected organizations to install the patch and also block public inbound RDP access to MOVEit Transfer servers and limit outbound transfers to only known and trusted endpoints.

An Internet scan that Censys conducted on June 25 unearthed some 2,700 MOVEit Transfer instances online, most of them in the US. Internet scanning entity ShadowServer, which reported observing exploit attempts targeting CVE-2024-5806 almost immediately after Progress disclosed the flaw, identified some 1,800 instances online as of June 27.

Relatively Easy to Exploit

"Based on our understanding of the vulnerability, exploitation doesn't appear exceptionally difficult," says Emily Austin, principal security researcher at Censys. In theory, an actor would need to identify an unpatched MOVEit Transfer instance and know a valid username for accessing the service, she says. "While knowing a valid username might seem like a hurdle, a little OSNIT combined with watchTowr researchers' discovery of a method for enumerating valid MOVEit Transfer instance usernames makes this somewhat trivial," Austin notes.

The new flaws come a year after Progress disclosed CVE-2023-34362, a SQL injection zero-day vulnerability in MOVEit Transfer that ranked as one of the most widely exploited flaws of 2023. The Cl0p ransomware group, which claimed credit for discovering the flaw, was among the many that exploited it with devastating affect last year.

Affected organizations cannot afford to delay given how widely they are being targeted, says Mike Walters, president and co-founder of Action1. "The consequences can be devastating because these vulnerabilities allow an attacker to take over the server," Walters says. "With a CVSS score of 9.1 and a PoC available, the vulnerability will likely be added to the toolkit of leading APT groups rather quickly." If the companies that were attacked last time have not ramped up their information security in any way, the consequences for them could well be the same as last time, he warns.

Austin says CVE-2024-5806 is somewhat more complex than the SQL injection bug in MOVEit Transfer that Cl0p exploited throughout 2023. Even so, instance administrators should still take the new flaw very seriously and follow mitigation guidance provided by Progress Software, she says.

"We don't have a way to see exploitation or patch status of MOVEit Transfer instances, but we know that as of Tuesday, June 25, 2024, there are 2,700 MOVEit Transfer instances exposed to the Internet," Austin says. "This is very similar to the number of MOVEit Transfer exposures we observed around this time last year, suggesting that the tool is still widely used in spite of various security issues."

Cause for Optimism?

Despite the severity of the threat, there is still some optimism that the new flaws that Progress disclosed this week — especially CVE-2024-5806 — won't cause quite as much damage as last year's SQL injection flaw because patches are already available.

At this time, it seems unlikely that the exploitation of this vulnerability will be as widespread as last year's massive campaign exploiting CVE-2023-34362, says Paul Prudhomme, principal security analyst at SecurityScorecard. "That was a zero-day vulnerability, giving threat actors more time to exploit it before a patch became available," he says. "In this case, threat actors have less time because patches are already available; the most that they can do is take advantage of organizations’ delays in patching it, so this window of time is crucial to minimizing its impact."

Prudhomme reiterates that patching alone is not sufficient against vulnerabilities such as CVE-2024-5806. "A layered security approach, combining patching with threat intelligence and proactive risk management, is essential," he says. "Organizations can build resilience against evolving cyber threats by prioritizing a multifaceted approach to security.”