Image Credits: Lino Mirgeler/picture alliance via Getty Images
Security researchers are sounding the alarm after hackers were caught exploiting a newly discovered vulnerability in a popular file transfer tool used by thousands of organizations to launch a new wave of mass data exfiltration attacks.
The vulnerability affects the MOVEit Transfer managed file transfer (MFT) software developed by Ipswitch, a subsidiary of U.S.-based Progress Software, which allows organizations to share large files and datasets over the internet. Progress confirmed on Wednesday that it had discovered a vulnerability in MOVEit Transfer that “could lead to escalated privileges and potential unauthorized access to the environment,” and urged users to disable internet traffic to their MOVEit Transfer environment.
Patches are available and Progress is urging all customers to apply it urgently.
U.S. cybersecurity agency CISA is also urging U.S. organizations to follow Progress’ mitigation steps, apply the necessary updates and hunt for any malicious activity.
Corporate file-transfer tools have become an increasingly attractive target for hackers, as finding a vulnerability in a popular enterprise system can allow the theft of data from multiple victims.
Jocelyn VerVelde, a spokesperson for Progress via an outside public relations agency, declined to say how many organizations use the affected file transfer tool, though the company’s website states that the software is used by “thousands of organizations around the world.” Shodan, a search engine for publicly exposed devices and databases, reveals more than 2,500 MOVEit Transfer servers discoverable on the internet, most of which are located in the United States, as well as the U.K., Germany, the Netherlands and Canada.
The vulnerability also impacts customers who rely on the MOVEit Transfer cloud platform, according to security researcher Kevin Beaumont. At least one exposed instance is connected to the U.S. Department of Homeland Security and several “big banks” are also believed to be MOVEIt customers also to be affected, according to Beaumont.
Several security companies say they have already observed evidence of exploitation.
Mandiant said it is investigating “several intrusions” related to the exploitation of the MOVEit vulnerability. Mandiant chief technology officer Charles Carmakal confirmed that Mandiant had “seen evidence of data exfiltration at multiple victims.”
Cybersecurity startup Huntress said in a blog post that one of its customers has seen “a full attack chain and all the matching indicators of compromise.”
Security research firm Rapid7, meanwhile, confirmed it had observed signs of exploitation and data theft from “at least four separate incidents.” Caitlin Condon, senior manager of security research at Rapid7, said that the company has seen evidence that attackers may have begun automating exploitation.
While it’s unclear exactly when exploitation began, threat intelligence startup GreyNoise said it has observed scanning activity as early as March 3 and urges users to review systems for any indicators of unauthorized access that may have occurred within the past 90 days.
It’s not known who is yet responsible for the mass exploitation of MOVEit servers.
Rapid7’s Condon told TechCrunch that the attacker’s behavior appears to be “opportunistic rather than targeted,” adding that this “could be the work of a single threat actor throwing one exploit indiscriminately at exposed targets.”
It’s the latest effort by hackers and extortion groups to target enterprise file transfer systems in recent years.
In January, the Russia-linked Clop ransomware gang claimed responsibility for the mass exploitation of a vulnerability in Fortra’s GoAnywhere managed file transfer software. More than 130 organizations using GoAnywhere were targeted, including Florida-based healthcare company NationBenefits, virtual therapy provider Brightline and the City of Toronto.
Clop was also behind another widespread attack on another popular file transfer tool in 2021. The gang breached Accellion’s file-sharing tool to launch attacks against a number of organizations, including Morgan Stanley, the University of California, grocery giant Kroger and law firm Jones Day.