Hackers exploited a newly discovered vulnerability in a popular file transfer tool used by thousands of organizations to launch a new wave of mass data exfiltration attacks, alarming security researchers.
MOVEit Transfer, developed by Ipswitch, a subsidiary of Progress Software, allows organizations to share large files and data sets over the internet. On Wednesday, Progress announced a MOVEit Transfer vulnerability that “could lead to escalated privileges and potential unauthorized access to the environment” and advised users to disable internet traffic to their environment.
Progress recommends customers apply patches immediately.
CISA advises U.S. organizations to follow Progress’ mitigation steps, apply updates, and look for malicious activity.
Hackers are targeting corporate file-transfer tools because a single flaw in one of them lets attackers steal data from multiple victims.
Progress’ website states that “thousands of organizations around the world” use the affected file transfer tool, but Jocelyn VerVelde, a Progress spokesperson reached through an outside PR agency, declined to say how many. Shodan, a search engine for publicly exposed devices and databases, finds over 2,500 MOVEit Transfer servers, most of which are in the U.S., U.K., Germany, the Netherlands, and Canada.
According to security researcher Kevin Beaumont, MOVEit Transfer cloud customers are also vulnerable. Beaumont said several “big banks” and the U.S. Department of Homeland Security are MOVEit customers.
Security firms report seeing exploitation.
Mandiant is investigating “several intrusions” exploiting the MOVEit vulnerability. Mandiant CTO Charles Carmakal confirmed that Mandiant had “seen evidence of data exfiltration at multiple victims.”
In a blog post, cybersecurity startup Huntress said one of its customers saw “a full attack chain and all the matching indicators of compromise.”
Rapid7, meanwhile, reported “at least four separate incidents” of exploitation and data theft. Rapid7 senior security research manager Caitlin Condon said the company has seen evidence that attackers may have automated exploitation.
Threat intelligence startup GreyNoise observed scanning activity as early as March 3 and advises users to check systems for signs of unauthorized access within the past 90 days.
It is not yet known who is behind the mass exploitation of MOVEit servers.
Rapid7’s Condon said the attacker’s behavior appears to be “opportunistic rather than targeted” and “could be the work of a single threat actor throwing one exploit indiscriminately at exposed targets.”
This is not the first time hackers and extortion groups have targeted enterprise file transfer systems.
The Russia-linked Clop ransomware gang exploited a vulnerability in Fortra’s GoAnywhere managed file transfer software in January. NationBenefits, Brightline, and the City of Toronto were among the 130 GoAnywhere users targeted.
In 2021, Clop abused another popular file transfer tool, Accellion’s file-sharing product, to attack Morgan Stanley, the University of California, Kroger, and Jones Day.