What Happened?

On June 25, 2024, ReliaQuest became aware of CVE-2024-5806, a high-severity vulnerability affecting Progress Software’s managed file transfer product MOVEit Transfer. It is categorized as an improper authentication vulnerability in MOVEit Transfer’s SFTP (SSH File Transfer Protocol) module. If exploited successfully, CVE-2024-5806 could allow a remote attacker to bypass authentication and gain unauthorized access to files held on the MOVEit Transfer server; Progress published a companion advisory for its MOVEit Gateway product at the same time. A public proof of concept exists, so adversaries can replicate the attack with little effort.

Researchers have identified two attack scenarios for this vulnerability. In the first, an attacker who knows a valid username can perform “forced authentication”: the MOVEit server is coerced into authenticating to an attacker-controlled SMB server, which can capture the credential material the server presents. The second, more dangerous scenario allows a threat actor to impersonate any user of the system over SFTP, gaining that user’s ability to read, modify, and delete sensitive data. Shortly after details of the vulnerability were published, security researchers reported that threat actors were actively exploiting it in the wild.

The following MOVEit versions are affected:

  • From 2023.0.0 before 2023.0.11
  • From 2023.1.0 before 2023.1.6
  • From 2024.0.0 before 2024.0.2
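The affected ranges above are easy to misread when an estate runs several release branches, so the following added example (not ReliaQuest or Progress tooling) checks an inventory of MOVEit Transfer version strings against them and reports the first fixed version for each host. The hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Check an inventory of MOVEit Transfer versions against the affected ranges
listed in this advisory and report the first fixed version for each host.

Added example, not ReliaQuest or Progress tooling; the hostnames and
versions in SAMPLE_INVENTORY are constructed.
"""

# (first affected, first fixed) for each release branch, taken from the advisory.
AFFECTED_RANGES = [
    ((2023, 0, 0), (2023, 0, 11)),
    ((2023, 1, 0), (2023, 1, 6)),
    ((2024, 0, 0), (2024, 0, 2)),
]


def parse_version(text):
    """'2023.0.10' -> (2023, 0, 10). A trailing build component such as
    '2023.0.10.3' is ignored; anything that is not three numeric fields fails."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised MOVEit version string: {text!r}")
    return tuple(int(p) for p in parts[:3])


def check_version(text):
    """Return (status, first_fixed) where status is 'vulnerable', 'patched' or
    'not-listed'. 'not-listed' means the release branch is outside the ranges
    in the advisory (for example an older, unsupported release) and needs a
    separate decision rather than being treated as safe."""
    version = parse_version(text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if version[:2] == first_affected[:2]:  # same release branch
            fixed = ".".join(str(n) for n in first_fixed)
            status = "vulnerable" if version < first_fixed else "patched"
            return (status, fixed)
    return ("not-listed", None)


def triage(inventory):
    """inventory: iterable of (hostname, version string).
    Returns {hostname: (status, first_fixed)}."""
    return {host: check_version(ver) for host, ver in inventory}


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    ("mft-prod-01", "2024.0.1"),
    ("mft-prod-02", "2024.0.2"),
    ("mft-dr-01", "2023.1.5"),
    ("mft-legacy", "2022.1.9"),
]

if __name__ == "__main__":
    for host, (status, fixed) in triage(SAMPLE_INVENTORY).items():
        action = f"upgrade to {fixed}" if status == "vulnerable" else ""
        print(f"{host:12} {status:12} {action}")
```

The `not-listed` outcome is deliberate: a branch the advisory does not mention (here 2022.1.x) is not evidence that the host is safe, only that it falls outside the vendor's published fix matrix and must be handled separately.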

Why You Should Care

Progress Software’s advisory emphasizes the urgency of patching this vulnerability. MOVEit Transfer is widely used for secure file transfer, and mass exploitation is possible in the near term. This poses a significant risk to organizations in the financial services sector in particular, which commonly run managed file transfer software and handle sensitive customer information.

Last year, MOVEit Transfer was targeted in a series of “Cl0p” ransomware attacks that affected numerous organizations across the globe. Cl0p claimed to have stolen data from hundreds of organizations by exploiting a flaw in MOVEit, making it one of the largest extortion campaigns we have ever observed by a ransomware group. Exploiting this latest vulnerability requires a valid username on the target system, which limits fully automated, indiscriminate attacks; the volume of attacks is therefore unlikely to be as high.

Nevertheless, the active exploitation of this high-severity vulnerability in MOVEit Transfer software remains a significant risk for affected organizations. The capability to bypass authentication mechanisms and potentially gain access to internal files is highly attractive to advanced persistent threat (APT) groups focused on espionage. Administrators should prioritize applying patches to mitigate the risk associated with this vulnerability.

What We Don’t Know

Currently, no intelligence has attributed exploitation of this vulnerability to a specific group. However, previous exploitation of MOVEit Transfer has been conducted by financially motivated threat groups, including in the Cl0p ransomware attacks. It is highly likely that opportunistic threat groups will take advantage of this vulnerability to exfiltrate sensitive data for extortion.

What You Should Do

Before applying patches or taking other mitigation steps, organizations should back up affected systems to prevent data loss. We then recommend immediately applying the vendor patch, i.e. upgrading MOVEit Transfer to 2023.0.11, 2023.1.6, or 2024.0.2 or later. Patching alone may not be enough: Progress has noted that a separately identified weakness in a third-party component used by MOVEit Transfer raises the risk if the outbound-access mitigation below is not applied, and the continued post-patch exploitation of the 2023 MOVEit vulnerability (CVE-2023-34362) is a reminder that incomplete remediation or newly discovered attack vectors can leave a patched product exposed.

Regardless of whether the patch has been applied, we recommend limiting outbound access from MOVEit servers to known trusted endpoints only and blocking public inbound RDP access to MOVEit servers. Additional steps include:

  • Conducting a thorough review of access control mechanisms and user privileges within MOVEit Transfer, including removing stale or unused accounts, since a valid username is all an attacker needs to begin.
  • Implementing network monitoring and intrusion detection to catch activity related to this vulnerability, in particular outbound SMB connections from MOVEit servers to untrusted hosts and SFTP logins from unexpected sources.
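The egress restriction and the monitoring step above translate directly into detection logic. The following added example (not ReliaQuest or Progress tooling) runs over constructed firewall connection records and flags the events those mitigations say should not happen: outbound connections from a MOVEit server to a destination outside an allowlist, with SMB (TCP 445/139) to an untrusted host treated as high severity because that is the channel the forced-authentication scenario uses, and inbound RDP (TCP 3389) to a MOVEit server from a public address. The server addresses, the allowlist, the log format and the log lines are all constructed for illustration.

```python
"""Flag firewall events that contradict the mitigations in this advisory:
outbound connections from a MOVEit Transfer server to untrusted destinations
(SMB to an untrusted host being the forced-authentication pattern) and inbound
RDP to a MOVEit server from a public address.

Added example, not ReliaQuest or Progress tooling. Server addresses, the
allowlist, the CSV format and the sample log are all constructed.
"""
import csv
import ipaddress
from io import StringIO

# Constructed: the MOVEit Transfer servers in this hypothetical estate.
MOVEIT_SERVERS = {"10.20.0.15", "10.20.0.16"}

# Constructed: outbound destinations the servers legitimately need
# (internal AD/DNS/SQL range plus one hypothetical vendor update endpoint).
TRUSTED_OUTBOUND = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Explicit RFC 1918 / loopback / link-local list rather than ipaddress.is_global,
# because the IANA documentation ranges used in this constructed sample
# (192.0.2.0/24, 198.51.100.0/24) would otherwise be classified as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

SMB_PORTS = {445, 139}
RDP_PORT = 3389

# Constructed firewall log: timestamp,src_ip,dst_ip,dst_port,action
SAMPLE_LOG = """\
timestamp,src_ip,dst_ip,dst_port,action
2024-06-26T09:01:02Z,10.20.0.15,10.20.0.5,389,allow
2024-06-26T09:01:10Z,10.20.0.15,198.51.100.77,445,allow
2024-06-26T09:02:33Z,10.20.0.16,203.0.113.10,443,allow
2024-06-26T09:03:41Z,192.0.2.44,10.20.0.15,3389,allow
2024-06-26T09:04:05Z,10.20.0.15,198.51.100.77,445,deny
2024-06-26T09:05:00Z,10.20.0.9,10.20.0.15,3389,allow
2024-06-26T09:06:12Z,10.20.0.16,198.51.100.200,443,allow
"""


def is_trusted_destination(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_OUTBOUND)


def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(log_text):
    """Return a list of (severity, rule, row) findings for the CSV log text."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        src, dst, port = row["src_ip"], row["dst_ip"], int(row["dst_port"])
        allowed = row["action"] == "allow"

        if src in MOVEIT_SERVERS and not is_trusted_destination(dst):
            if port in SMB_PORTS:
                # Even a denied attempt matters: something on the server tried
                # to reach an untrusted SMB host, which is the forced-auth shape.
                findings.append(("high", "outbound_smb_untrusted", row))
            elif allowed:
                # Any other allowed egress off the allowlist means the
                # restriction is not actually in force for this destination.
                findings.append(("medium", "outbound_untrusted_allowed", row))

        if dst in MOVEIT_SERVERS and port == RDP_PORT and allowed and is_public(src):
            findings.append(("high", "public_rdp_inbound", row))
    return findings


if __name__ == "__main__":
    for severity, rule, row in analyse(SAMPLE_LOG):
        print(f"{severity:6} {rule:28} {row['timestamp']} "
              f"{row['src_ip']} -> {row['dst_ip']}:{row['dst_port']} ({row['action']})")
```

Denied SMB attempts are reported at the same severity as allowed ones on purpose: once egress is restricted, a block on port 445 from the MOVEit host is the firewall doing its job, but it is also the clearest sign that someone is already trying the forced-authentication path against a known username.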

What ReliaQuest Is Doing

  • Our ReliaQuest Threat Research team is monitoring the situation closely and has released an initial threat advisory for customers. This advisory will be updated as information about this activity arises.
  • At the time of writing, our intelligence feeds are being continually updated with unique indicators of compromise as they are identified.
  • The ReliaQuest Threat Hunting team is investigating for signs of exploitation across customer environments. We have also started researching detection opportunities using unique telemetry to deploy content across the ReliaQuest customer base for detecting signs of exploitation.

We will continue to monitor this vulnerability and provide updates as new developments occur.