Progress Software, developer of the widely exploited MOVEit Transfer file transfer tool, is urging IT managers to temporarily cut off direct internet access to the application after a new vulnerability was found and news of more hacked organizations emerged.
On Thursday, Progress said a critical vulnerability — which had yet to be given a CVE number — needed immediate mitigation.
That included disabling all HTTP and HTTPS traffic to on-premises MOVEit Transfer installations to help prevent unauthorized access, and modifying firewall rules to deny web traffic to MOVEit on TCP ports 80 and 443 until the latest patches can be installed.
Until web access can be enabled, users won’t be able to log into the MOVEit Transfer web user interface. MOVEit Automation tasks that use the native MOVEit Transfer host will not work, nor will REST, Java and .NET APIs, or the MOVEit Transfer add-in for Microsoft Outlook.
However, SFTP and FTPS transfers do not go through the web listener and will continue to work as normal.
As a workaround, administrators can still reach the MOVEit Transfer web interface by connecting to the Windows server over Remote Desktop and browsing to https://localhost/ from that session, since the block applies only to traffic arriving from the network.
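The mitigation above, carried out on the MOVEit Transfer host itself with Windows Defender Firewall, as an added example that is not Progress's own script or guidance. It assumes a default IIS-hosted MOVEit Transfer install with SFTP on TCP/22 and FTPS on TCP/21 and 990; the hostname moveit.example.com in the final check is a placeholder.

```powershell
# Added example (not from Progress): block inbound HTTP/HTTPS to an on-premises
# MOVEit Transfer server, leaving SFTP/FTPS and loopback access intact.
# Run in an elevated PowerShell session on the MOVEit server.
# Assumed ports: 22 (SFTP), 21/990 (FTPS). Adjust to your configuration.

$RuleName = 'MOVEit mitigation - block inbound 80/443'

# 1. Block all inbound web traffic regardless of source address.
#    Windows Firewall does not filter loopback traffic, so https://localhost/
#    from an RDP session on the box keeps working. Block rules win over the
#    existing IIS allow rules, so those do not need to be removed.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 80,443 `
        -Action Block -Profile Any -Enabled True | Out-Null
}

# 2. Confirm the rule exists and is enabled.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 3. Show what is still listening: IIS on 80/443 (now unreachable from the
#    network) alongside the SFTP/FTPS listeners that keep serving transfers.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 21, 22, 80, 443, 990 } |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 4. From a different machine, verify the web ports no longer answer while
#    SFTP does (replace the placeholder hostname):
#   Test-NetConnection -ComputerName moveit.example.com -Port 443   # TcpTestSucceeded should be False
#   Test-NetConnection -ComputerName moveit.example.com -Port 22    # TcpTestSucceeded should be True

# After patching, remove the rule to restore web access:
#   Remove-NetFirewallRule -DisplayName $RuleName
```

The host-level rule is in addition to, not instead of, the perimeter firewall change Progress describes: the perimeter rule stops internet traffic, while the host rule also stops anything already inside the network from reaching the web interface.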
The company also said MOVEit Cloud has been patched and fully restored across all cloud clusters.
The new vulnerability is unrelated to the SQL injection hole (CVE-2023-34362) exploited as a zero-day by the Clop ransomware gang against a number of organizations, including Shell, British Airways, the BBC and the Nova Scotia government, and to the second set of SQL injection vulnerabilities (CVE-2023-35036) that Progress acknowledged last week.
Tony Anscombe, chief security evangelist at ESET, noted that disabling web access to the application itself also stops a hacker who has already breached an organization's network perimeter through compromised credentials from exploiting MOVEit vulnerabilities, since such an attacker is already inside the firewall and a perimeter rule alone would not block them.
“Even if the software has been disabled,” he said in an email to IT World Canada, “companies should investigate the indicators of compromise that have been published by the CISA (the U.S. Cybersecurity and Infrastructure Security Agency) to establish if they are already a potential victim.”
“The MOVEit data theft is a sobering reminder of the criticality of immediate patching,” said Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant. “The moment vulnerabilities are identified, organizations must prioritize timely response, otherwise they’re at the mercy of adversaries. If you’re impacted by MOVEit and you can’t install the latest patch versions, at the very least, you need to disable all HTTP and HTTPS traffic to MOVEit Transfer environments. Affected companies should also check for potential indications of unauthorized access over at least the past 30 days.”
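A first-pass version of the 30-day review both experts call for, as an added example that is neither Progress's, ESET's, BlueVoyant's nor CISA's code. It assumes the default install path C:\MOVEitTransfer\wwwroot and IIS W3C logs under C:\inetpub\logs\LogFiles; the allowlist of expected request paths is a starting-point assumption that must be tuned to the local deployment. The specific file names, hashes and addresses in CISA's published indicators of compromise are not reproduced here; the output of this script is what you compare against that list.

```powershell
# Added example: look for signs of unauthorized access to a MOVEit Transfer
# server over the last 30 days. Run on the MOVEit server as Administrator.
# Assumed paths (adjust to your install):
$Days    = 30
$Since   = (Get-Date).AddDays(-$Days)
$WebRoot = 'C:\MOVEitTransfer\wwwroot'        # assumption: default install path
$IisLogs = 'C:\inetpub\logs\LogFiles'         # assumption: default IIS log path

# 1. Web root files created or changed recently are suspect: MOVEit's own
#    files should only change when the product is patched.
Write-Host "Web root files created or modified since $Since"
Get-ChildItem -Path $WebRoot -Recurse -Include *.aspx,*.ashx,*.dll -File |
    Where-Object { $_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize

# 2. Parse IIS W3C logs into objects keyed by the #Fields: header, so the
#    script works whatever field layout the site is configured with.
function Get-IisRequests {
    param([string]$LogDir, [datetime]$After)
    Get-ChildItem -Path $LogDir -Recurse -Filter *.log -File |
        Where-Object { $_.LastWriteTime -ge $After } |
        ForEach-Object {
            $fields = $null
            foreach ($line in [System.IO.File]::ReadLines($_.FullName)) {
                if ($line.StartsWith('#Fields:')) {
                    $fields = $line.Substring(8).Trim() -split ' '
                    continue
                }
                if ($line.StartsWith('#') -or -not $fields) { continue }
                $parts = $line -split ' '
                $row = @{}
                for ($i = 0; $i -lt $fields.Count -and $i -lt $parts.Count; $i++) {
                    $row[$fields[$i]] = $parts[$i]
                }
                [pscustomobject]$row
            }
        }
}

# 3. Paths a normal MOVEit Transfer client is expected to request (assumption;
#    tune this to what your own logs show during a known-clean period).
$Expected = '^/(human\.aspx|machine\.aspx|guestaccess\.aspx|api/|moveitisapi/|.*\.(css|js|png|gif|ico|svg|woff2?))'

# Rarely requested, unexpected paths surface first: a dropped web shell is
# typically hit by one or two addresses, not by the whole user base.
Write-Host "Unexpected request paths since $Since (fewest requests first)"
Get-IisRequests -LogDir $IisLogs -After $Since |
    Where-Object { $_.'cs-uri-stem' -and $_.'cs-uri-stem' -notmatch $Expected } |
    Group-Object 'cs-uri-stem' |
    ForEach-Object {
        [pscustomobject]@{
            Path      = $_.Name
            Requests  = $_.Count
            ClientIPs = ($_.Group.'c-ip' | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Requests |
    Format-Table -AutoSize -Wrap
```

Treat any hit as a lead, not a verdict: confirm file names and hashes against the CISA indicators, pull the matching client addresses through the perimeter logs, and preserve the IIS logs and the MOVEit database before making further changes to the host.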
The Clop ransomware gang has focused on exploiting file transfer technologies for years, noted Tenable chief executive officer (CEO) Amit Yoran, and has had widespread success exploiting a known MOVEit flaw for weeks. “While we don’t know the full extent of the attack on U.S. government agencies,” he said, “it’s clear that even now many organizations still need to plug holes in their software applications to avoid becoming the next victim.
“Cybercriminals and nation states alike feast on known vulnerabilities and sloppy hygiene practices that leave organizations unnecessarily at risk. Unrelenting focus on identifying issues, prioritizing them and remediating them makes a world of difference.”
Dror Liwer, co-founder of Coro, said, “When moving sensitive information, even using a so-called secure platform, a zero trust approach should be used. Any sensitive data either in movement or at rest must be encrypted. The benefit far outweighs the overhead.”