New MOVEit Bug Actively Exploited Within Hours of Public Disclosure

A high-severity security flaw in Progress Software's MOVEit Transfer platform is being exploited in the wild just hours after its disclosure. This vulnerability, identified as CVE-2024-5806, allows attackers to bypass authentication mechanisms and pose as any valid user, thereby gaining access to sensitive files.

Overview of the Vulnerability

MOVEit Transfer, a popular application for file sharing and collaboration in large enterprises, has been targeted in previous cyberattacks, including last year's Cl0p ransomware incidents that affected major entities like British Airways, Siemens, and UCLA. The latest vulnerability, CVE-2024-5806, is an improper authentication issue in the platform's SFTP module. It impacts versions from 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2 of MOVEit Transfer.

Immediate Patch Requirement

Admins are urged to patch this vulnerability immediately. MOVEit Transfer is already a target for cybercriminals due to previous high-profile breaches. The ability to access internal files at Fortune 1000 companies makes this vulnerability particularly attractive to advanced persistent threats (APT) and espionage-focused cybercriminals.

Active Exploitation in the Wild

According to the nonprofit Shadowserver Foundation, exploit attempts were observed shortly after the vulnerability details were published. There are at least 1,800 exposed instances online, although not all are necessarily vulnerable.

Technical Insights

Researchers at watchTowr have detailed two attack scenarios exploiting this vulnerability. In one scenario, attackers can perform "forced authentication" using a malicious SMB server and a valid username, potentially discovered through a dictionary attack. The more dangerous scenario involves threat actors impersonating any user on the system by uploading an SSH public key to the server without logging in. This allows attackers to authenticate as any user and perform actions such as reading, modifying, and deleting sensitive data.

Protective Measures and Recommendations

Given the severity and active exploitation of CVE-2024-5806, immediate actions are necessary:

Conclusion

The newly disclosed MOVEit Transfer vulnerability CVE-2024-5806 highlights the critical importance of prompt patching and robust cybersecurity practices. By staying vigilant and implementing comprehensive security measures, organizations can better protect their digital assets from such high-severity threats.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.