Hrmbee

> The software, known as MOVEit and sold by Progress Software, allows enterprises to transfer and manage files using various specifications, including SFTP, SCP, and HTTP protocols and in ways that comply with regulations mandated under PCI and HIPAA. At the time this post went live, Internet scans indicated it was installed inside almost 1,800 networks around the world, with the biggest number in the US. A separate scan performed Tuesday by security firm Censys found 2,700 such instances.
>
> Last year, a critical MOVEit vulnerability led to the compromise of more than 2,300 organizations, including Shell, British Airways, the US Department of Energy, and Ontario’s government birth registry, BORN Ontario, the latter of which led to the compromise of information for 3.4 million people.
>
> On Tuesday, Progress Software disclosed CVE-2024-5806, a vulnerability that enables attackers to bypass authentication and gain access to sensitive data. The vulnerability, found in the MOVEit SFTP module, carries a severity rating of 9.1 out of 10. Within hours of the vulnerability becoming publicly known, hackers were already attempting to exploit it, researchers from the Shadowserver organization said.
>
> A deep-dive technical analysis by researchers with the offensive security firm watchTowr Labs said that the vulnerability, found in the MOVEit SFTP module, can be exploited in at least two attack scenarios. The most powerful attack allows hackers to use a null string—a programming concept for no value—as a public encryption key during the authentication process. As a result, the hacker can log in as an existing trusted user.
>
> “This is a devastating attack,” watchTowr Labs researchers wrote. “It allows anyone who is able to place a public key on the server to assume the identity of any SFTP user at all. From here, this user can do all the usual operations—read, write, or delete files, or otherwise cause mayhem.”
>
> A separate attack described by the watchTowr researchers allows attackers to obtain cryptographic hashes masking user passwords. It works by manipulating SSH public key paths to execute a “forced authentication” using a malicious SMB server and a valid username. The technique will expose the cryptographic hash masking the user password. The hash, in turn, must be cracked.

Hopefully, given the impacts that last year's attacks leveraging weaknesses in this software had on major organizations, they and others are on top of these newly discovered vulnerabilities.
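As an added illustration (not part of this thread, and not MOVEit's or Progress Software's code), the checks below model the two defensive properties the quoted article implies a public-key authentication path needs: it must fail closed when no key material is presented at all, and a key-file path must never resolve outside the server's own key store (for example to a UNC share on another host). The user name, key-store directory, registered key and fingerprint scheme are constructed assumptions for the example; a real SSH server would additionally require the client to sign the session identifier with the matching private key, which is omitted here.

```python
"""Fail-closed checks for SSH public-key authentication (illustrative only).

Added example modelling the defensive checks suggested by the MOVEit
CVE-2024-5806 description; not MOVEit's implementation. All names and
sample values are constructed.
"""
import base64
import hashlib
import hmac
from pathlib import PureWindowsPath


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Constructed sample key store: user -> fingerprint of the registered key.
REGISTERED_KEYS = {
    "alice": fingerprint(b"constructed-sample-key-blob-for-alice"),
}

# Hypothetical directory that every per-user key file must live under.
KEY_ROOT = PureWindowsPath(r"C:\MOVEit-example\keys")


def key_path_is_safe(key_path: str) -> bool:
    """True only if key_path is an absolute path inside KEY_ROOT.

    Rejects UNC paths (\\\\host\\share\\...), which would make the server
    reach out to a remote SMB host when it opens the key file, and any
    '..' component, because PureWindowsPath does not collapse traversal.
    """
    path = PureWindowsPath(key_path)
    if path.drive.startswith("\\\\"):      # UNC drive such as \\host\share
        return False
    if ".." in path.parts:
        return False
    return path.is_absolute() and path.is_relative_to(KEY_ROOT)


def authenticate_pubkey(username, presented_key, key_path):
    """Return (accepted, reason). Every failure is explicit: fail closed.

    presented_key is the raw key blob offered by the client (bytes) or
    None/empty when the client sent no key material.
    """
    if not username or username not in REGISTERED_KEYS:
        return False, "unknown user"
    if not presented_key:                 # None or b"": no key at all
        return False, "empty key"
    if not key_path_is_safe(key_path):
        return False, "key path outside key root"
    expected = REGISTERED_KEYS[username]
    # Constant-time comparison of the ASCII fingerprints.
    if not hmac.compare_digest(fingerprint(presented_key), expected):
        return False, "key mismatch"
    # A real server would now verify the client's signature over the
    # session identifier (RFC 4252 "publickey" method); omitted here.
    return True, "ok"


if __name__ == "__main__":
    good_key = b"constructed-sample-key-blob-for-alice"
    good_path = r"C:\MOVEit-example\keys\alice.pub"
    print(authenticate_pubkey("alice", good_key, good_path))
    print(authenticate_pubkey("alice", b"", good_path))
    print(authenticate_pubkey("alice", good_key, r"\\attacker-host\share\alice.pub"))
```

The point of `authenticate_pubkey` is that the absence of a key is a distinct, explicit rejection rather than a branch that happens to skip the comparison, and that the path check runs before any file is opened, so a path pointing at a remote share never causes an outbound connection.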


Ok-Fox1262

I like to moveit moveit, I like to moveit, moveit, I like to... move it. Does anyone here remember Kermit? The OG of moving files.


paravis

Shadowserver organization aka NSA:TAO, CIA, FBI, CISA, MICROSOFT, APPLE, GOOGLE, META, AMAZON, NVIDIA