MOVEit Transfer has a major security issue – here’s what you need to know
The dust hasn’t even settled properly around the GoAnywhere MFT fiasco, and we already have another enterprise secure file transfer solution breached and abused for data theft.
This time it’s MOVEit Transfer, a managed file transfer (MFT) solution built by a Ipswitch, a subsidiary of a company called Progress.
The company has confirmed the discovery of a “critical” vulnerability, and urged its users to apply a workaround immediately in anticipation of an official patch.
Privilege escalation
“Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment,” the company’s announcement states.
“If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment, while our team produces a patch.”
The company says that users should block external traffic to ports 80 and 443, which will most likely prevent external access to the web UI, as well as some automation tasks. APIs will stop working, as will the Outlook plugin, but customers can still use SFTP and FTP/s protocols to transfer files between endpoints.
Furthermore, the users should inspect the ‘c:MOVEit Transferwwwroot’ folder for unexpected files, backups or large file downloads, as that seems to be the number one indicator of compromise, BleepingComputer also reported.
The details about the flaw and its abusers itself are still missing. We know it’s a zero-day, and that it can be used to extract sensitive files from the users. Cybersecurity researchers from Rapid7 believe this is an SQL injection flaw that allows for remote code execution. No CVE has yet been assigned.
We also don’t know the flaw’s impact, but BleepingComputer has said its sources tell it “numerous organizations” have had their data stolen so far. There are at least 2,500 exposed transfer servers, mostly located in the United States.
It’s safe to assume the attackers will try to extort money from the victims, in exchange for keeping the data private.
Via: BleepingComputer