The simple action of copying files from one location to another over the Internet has turned out to be quite the data breach hazard, thanks to some less than obvious yet devastating bugs in the supposedly secure applications used for the transfers.
This is something that local organisations need to be on the lookout for as well. In December 2020, hackers were able to exploit a bug in the Accelion File Transfer Application, which the Reserve Bank of New Zealand used at the time to share and store sensitive information - some of which was stolen.
Now, another such application, Progress Software’s MOVEit file transfer utility, has again been found by security researchers to contain a critical flaw that lets attackers bypass authentication. This is as you can imagine, a “game over” scenario that can expose sensitive information to anyone.
The name MOVEit may seem familiar if you keep an eye on infosec news. A year ago in June, bugs in MOVEit were exploited by hackers to compromise hundreds, maybe thousands, of large organisations such as the BBC, chip maker TSMC, Australia’s Medibank insurer and others. The Cl0p ransomware raiders were quick to have a go at MOVEit to steal information.
Last year’s bugs were easy enough to abuse to steal information affecting millions of people, but the current one requires a little more work. This includes figuring out valid user names, which isn’t that hard for attackers. It’s actually two problems in the MOVEit software that researchers at security vendor watchTwr Labs found could be used by attackers to gain access.
Progress Software has rated the vulnerability as “critical” which is bad as it gets, and gave it a severity rating of 9.1 out of 10 possible. “If you have not done so already, we strongly urge all MOVEit Transfer customers on versions 2023.0, 2023.1 and 2024.0 to upgrade to the latest patched version immediately.” Progress Software said.
The current flaw is serious enough for the United States government’s Cybersecurity and Infrastructure Agency (CISA) to notice, and issue an alert over the weekend.
Now that the cat’s out of the bag, with the vulnerability details disclosed, hackers are hunting for unpatched MOVEit systems over the Internet to break into. Scan data from Europe’s ShadowServer Foundation, which tracks vulnerable systems, point to lots of targets out there, including 28 unpatched systems in the Oceania region as of writing.
Update July 6 2024 The corporate communications director of Progress, Kim Baker, told interest.co.nz that it is not accurate that watchTwr found a new flaw in MoveIT.
"Identifying, responsibly disclosing, and promptly releasing fixes for vulnerabilities has always been a core component of our cyber security practices. We internally confirmed vulnerabilities in MOVEit Transfer and MOVEit Gateway, notified those customers and made patches available," Baker said.
"Currently, we have not received any reports that these vulnerabilities have been exploited and we are not aware of any direct operational impact to customers,' Baker added.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.