Posted on June 3, 2023 at 8:31 AM
Hackers Exploit A Flaw On The MOVEit File Transfer Tool To Conduct Attacks
Cybersecurity researchers have raised the alarm after hackers were detected exploiting a newly discovered flaw in one of the leading file transfer tools. The compromised tool is popular and is used by thousands of organizations, and the attackers are exploiting it to launch a new wave of massive data exfiltration attacks.
Hackers launch mass hacking attacks
The vulnerability in question has been detected on the MOVEit Transfer managed file transfer (MFT) software that was created by Ipswitch. The latter is a subsidiary of Progress Software that is located in the United States. This software enables organizations to share large datasets and files through the internet.
The vulnerability was disclosed by Progress, which said it had detected a security flaw within the MOVEit file transfer tool. The report further said that this security vulnerability could result in escalated privileges and potentially lead to unauthorized access to the targeted device. The report has urged those using the file transfer tool to disable the internet traffic to the MOVEit Transfer environment.
A patch for the vulnerability has already been released, with the Progress report urging users to ensure they have applied the patch to prevent the flaw from being exploited. The move comes after a report published by the US cybersecurity agency CISA urged organizations in the US that rely on the file transfer tool to follow the appropriate mitigation measures and install updates to prevent malicious activity.
File transfer tools are a prime target for hackers
Corporate file transfer tools are increasingly being targeted by hackers because detecting a flaw in a leading enterprise system will enable the theft of data from several victims. Hackers that target such systems usually have access to a wide range of data.
One of the spokespersons for Progress, Jocelyn VerVelde, has failed to mention the number of organizations that are using the compromised file transfer tool. However, the website for this software says that the tool has been used by thousands of organizations globally.
Data from the Shodan search engine shows that there are over 2,500 MOVEit Transfer servers that can be located over the internet. The majority of these servers are located in Canada, Germany, the Netherlands, and the UK.
The flaw in question also affects the customers reliant on the MOVEit Transfer cloud platform. At least one of the exposed instances is linked to the US Department of Homeland Security and large banks. These banks are believed to be among the users of the MOVEit platform.
The flaw has also been detected by some cybersecurity companies. A report by Mandiant said that the firm was investigating multiple intrusions linked to the vulnerability in the MOVEit software. The chief technology officer at Mandiant, Charles Carmakal, has said that there was evidence of data being exfiltrated from multiple victims.
The Huntress cybersecurity company has also published a blog post addressing the flaw. The company has said that one of its customers had reported an attack that had all the matching signs of compromise.
The Rapid7 cybersecurity company has also said that there were signs of the flaw being exploited and data being stolen. The security firm noted that the exploitation had happened in at least four separate incidents. The company noted that there was also evidence that the hackers behind the attacks were automating exploitation.
The date on which the exploitation started has remained unclear. However, the GreyNoise threat intelligence startup company has said that it detected scanning activity related to this flaw as early as March 3. The company has urged all users to review their systems for any indications of unauthorized access that might have happened over the last three months.
Condon from Rapid7 has said that the behavior used by the attacker appeared to be more opportunistic than targeted. The researcher also noted that the exploitation appeared to be the work of one threat actor that was conducting the exploits indiscriminately against the exposed targets.
The move marks the latest effort by hackers and extortion groups to target companies that offer file transfer systems. In January, a ransomware group based in Russia known as Clop admitted to being behind an exploit on the Fortra GoAnywhere managed file transfer software. At the time, over 130 organizations using the software were targeted.
The Clop ransomware gang also successfully exploited another leading file transfer tool in 2021. At the time, the group exploited the Accellion file-sharing tool to conduct attacks against several organizations, including banking giant Morgan Stanley.