MOVEit under attack, once again. Critical Vulnerability exploited at large (CVE-2024-5806) 

Last year, the Cl0p ransomware attack on MOVEit Transfer, a popular file transfer tool, exposed the data of more than 16 million and affected more than 160 organizations worldwide, with an estimated cost of $3 billion (the real cost is unknown).

The group infected the tool with malware, encrypting users' files through remote code execution. It impacted big companies such as Siemens, Ernst & Young, the BBC, Extreme Networks, Norton, and PwC.

The MOVEit attack was one of the biggest attacks to date, so big that the US State Department issued a $10 million bounty for information on the Cl0p ransomware group.

MOVEit under threat of attacks, again  

MOVEit is a popular file transfer tool used globally for transferring large files.

MOVEit has yet again become a target of ransomware groups and threat actors worldwide. Attackers are actively targeting a high-severity vulnerability in MOVEit Transfer that lets them bypass its authentication, and it has been actively exploited since the vulnerability was made public.

About the vulnerability (CVE-2024-5806) 

The newly disclosed vulnerability in MOVEit Transfer is a high-severity improper authentication vulnerability (CVSS 9.1) in its SFTP module.

According to Progress, the maker of MOVEit, the vulnerability can lead to "authentication bypass in limited scenarios". It affects MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2.

Users of the 2023.0, 2023.1, and 2024.0 versions are advised to update the software.
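
The version ranges above are easy to misread when triaging an inventory (2023.0.10 is affected, 2023.0.11 is the fixed build, and a 2022.x release is simply not covered by this advisory). The following PowerShell is an added example, not code from SharkStriker or Progress, that classifies MOVEit Transfer version strings against exactly those ranges; the hostnames and versions in the sample inventory are constructed placeholders.

```powershell
# Added example (not vendor or SharkStriker code): triage MOVEit Transfer version strings
# against the affected ranges stated in the advisory summary. Sample data is constructed.

# Each listed branch: first affected build (inclusive) and first fixed build (exclusive).
$AffectedRanges = @(
    @{ Branch = '2023.0'; From = [version]'2023.0.0'; FixedIn = [version]'2023.0.11' }
    @{ Branch = '2023.1'; From = [version]'2023.1.0'; FixedIn = [version]'2023.1.6'  }
    @{ Branch = '2024.0'; From = [version]'2024.0.0'; FixedIn = [version]'2024.0.2'  }
)

function Test-MoveItVersion {
    param([Parameter(Mandatory)][string]$VersionString)

    $v = $null
    if (-not [version]::TryParse($VersionString, [ref]$v)) {
        return [pscustomobject]@{ Status = 'Unparseable'; Action = 'Check the installed build manually' }
    }

    foreach ($r in $AffectedRanges) {
        $sameBranch = ($v.Major -eq $r.From.Major) -and ($v.Minor -eq $r.From.Minor)
        if (-not $sameBranch) { continue }

        if ($v -lt $r.FixedIn) {
            return [pscustomobject]@{ Status = 'Affected'; Action = "Upgrade to $($r.FixedIn) or later" }
        }
        # At or above the fixed build on a listed branch: not exposed to CVE-2024-5806,
        # but the June 11 third-party component update still has to be confirmed.
        return [pscustomobject]@{ Status = 'FixedBuild'; Action = 'Confirm the June 11 third-party update is applied' }
    }

    # Branches the advisory summary does not list (e.g. older releases) are not safe by
    # implication; they must be checked against the vendor's current guidance.
    return [pscustomobject]@{ Status = 'NotInListedRanges'; Action = 'Check vendor guidance for this branch' }
}

# Constructed sample inventory for demonstration; not real hosts.
$Inventory = @(
    [pscustomobject]@{ Host = 'moveit-01.example.internal'; Version = '2023.0.10' }
    [pscustomobject]@{ Host = 'moveit-02.example.internal'; Version = '2023.1.6'  }
    [pscustomobject]@{ Host = 'moveit-03.example.internal'; Version = '2024.0.1'  }
    [pscustomobject]@{ Host = 'moveit-04.example.internal'; Version = '2022.1.3'  }
    [pscustomobject]@{ Host = 'moveit-05.example.internal'; Version = 'unknown'   }
)

$Inventory | ForEach-Object {
    $result = Test-MoveItVersion -VersionString $_.Version
    [pscustomobject]@{ Host = $_.Host; Version = $_.Version; Status = $result.Status; Action = $result.Action }
} | Format-Table -AutoSize
```

The branch check is done on the major and minor components rather than with a bare range comparison, so a build such as 2023.0.11 is reported as fixed instead of silently falling through, and anything outside the three listed branches is flagged for a manual look rather than treated as clean.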

Additionally, Progress has advised customers to implement all the measures to mitigate a third-party vulnerability that Progress fixed on 11 June.

According to security researchers (watchTowr), there are two plausible ways an attacker could exploit this vulnerability:

Scenario A  

Attackers could use a malicious SMB server to perform forced authentication and then use a dictionary attack to obtain a valid username.

Scenario B 

An attacker can impersonate a valid user by uploading an SSH public key to the server without logging in and then using that key to authenticate as any user, allowing them to read, modify, and delete previously protected sensitive files.

SharkStriker’s recommendations and actions

  • Threat hunters from our SOC team scanned partners' and customers' environments for all available Indicators of Compromise (IoCs).
  • All customers and partners running releases from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2 are advised to upgrade to the latest version of MOVEit Transfer.
  • A third-party component of MOVEit was recently under threat. It presents a new risk if it is not patched with the update distributed by Progress on June 11.
  • The following steps mitigate the third-party vulnerability:
      ◦ Verify that inbound public RDP access to the MOVEit Transfer server(s) is blocked.
      ◦ Limit outbound access from the MOVEit servers to known and trusted endpoints only.
  • STRIEGO offers multiple dashboards that help customers track their security posture.
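
The two mitigation steps above are host firewall controls on a Windows server, so they can be audited and applied with the built-in NetSecurity cmdlets. The script below is an added example, not code from SharkStriker or Progress: it lists enabled inbound Allow rules that cover TCP/3389, adds a Block rule for RDP from non-intranet addresses, and switches the default outbound action to Block behind an allow-list. The rule names and the trusted-endpoint list are placeholders you would replace with your own values.

```powershell
# Added example (not vendor or SharkStriker code): audit and remediate the two MOVEit
# mitigation steps (no inbound public RDP; outbound limited to trusted endpoints).
# Run in an elevated session. Remediation functions honour -WhatIf.
#Requires -Modules NetSecurity

function Get-InboundRdpAllowRule {
    # Enabled inbound Allow rules whose port filter covers TCP/3389 or all ports.
    # Port ranges such as '3000-4000' are not expanded here; review those by hand.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -eq 'Any' -or @($pf.LocalPort) -contains '3389')
        }
}

function Block-PublicInboundRdp {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$RuleName = 'MOVEit - Block inbound RDP from Internet')  # placeholder name

    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$RuleName' already exists"
        return
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Create block rule '$RuleName'")) {
        # Block rules take precedence over Allow rules in Windows Firewall, so this stops
        # public RDP even if an Allow rule for 3389 remains. -RemoteAddress Internet keeps
        # intranet-classified addresses out of the block; use Any to block RDP entirely.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 3389 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Set-OutboundTrustedAllowList {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$TrustedEndpoints,
        [string]$RuleName = 'MOVEit - Allow outbound to trusted endpoints'  # placeholder name
    )

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Allow-list outbound and block everything else')) {
        # Create the Allow rule before flipping the default so the endpoints the server
        # legitimately depends on are never cut off, even briefly.
        if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Outbound `
                -RemoteAddress $TrustedEndpoints -Action Allow -Profile Any | Out-Null
        }
        Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
    }
}

# Audit first: report offending inbound rules and the current outbound defaults.
$rdpAllow = Get-InboundRdpAllowRule
if ($rdpAllow) {
    Write-Warning "Inbound Allow rules covering TCP/3389: $($rdpAllow.DisplayName -join ', ')"
}
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction | Format-Table -AutoSize

# Remediate, previewing with -WhatIf; drop the switch once the preview looks right.
Block-PublicInboundRdp -WhatIf
Set-OutboundTrustedAllowList -TrustedEndpoints @('10.0.0.0/8', '192.0.2.10') -WhatIf   # placeholder endpoints
```

Setting the default outbound action to Block also stops DNS, Active Directory, licensing and update traffic unless those endpoints are in the allow-list, so inventory the server's dependencies before removing -WhatIf, and confirm the inbound RDP block from an intranet address before relying on it.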
