Alert essentials:
An improper authentication vulnerability can allow attackers to authenticate to MOVEit as any valid user.
Update vulnerable MOVEit versions immediately.
Detailed threat description:
Threat actors are actively exploiting two recently patched vulnerabilities in Progress MOVEit. A critical bypass vulnerability in the SFTP feature of MOVEit Gateway and an authentication bypass in the MOVEit Transfer default configuration allows unauthenticated access and data exfiltration.
Using a responder, an attacker with a valid username can pass the path to a remote SMB server and capture the NTLM hash for the moveitsvc. With knowledge of a valid username, a skilled attacker that locates an exposed SFTP service can authenticate and upload or download sensitive documents.
Progress has addressed these vulnerabilities in their latest version releases. Update vulnerable instances immediately to avoid compromise.
Impacts on healthcare organizations:
File transfer software is vital in sending large files across the internet. However, this technology decreases security and poses serious risks to the environment if not patched routinely.
A hacker with access to a flaw in file transfer software may be able to export Personally Identifiable Information (PII), place malware on the network, or take control of devices. If network control is achieved, lifesaving technology may become unavailable indefinitely.
Affected products / versions:
MOVEit Transfer:
- from 2023.0.0 before 2023.0.11
- from 2023.1.0 before 2023.1.6
- from 2024.0.0 before 2024.0.2
- MOVEit Gateway version 2024.0.0
*Customers using the MOVEit Cloud environment were patched and are no longer vulnerable to this exploit
CVEs
- CVE-2024-5805
- CVE-2024-5806
Recommendations
Engineering recommendations:
- Identify the MOVEit Transfer application’s presence in your network
- Multiple departments may have utilities that use MOVEit, and those may vary by version
- Upgrade to a patched release using the full installer
- Require administrator credentials to install software
Leadership / program recommendations:
- The probability of cyber threat actors targeting the healthcare industry remains high
- Prioritize security by maintaining awareness of the threat landscape, assessing the situation, and providing staff with tools and resources necessary to prevent a cyberattack remains the best way forward for healthcare organizations
- Consider your organization’s practices around asset management; as stated above, there may be third parties or disparities between departments for MOVEit installations
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Progress Security Bulletin and Patches: MOVEit Transfer Critical Security Alert Bulletin – June 2024 – (CVE-2024-5806) – Progress Community
- GitHub: https://github.com/advisories/GHSA-x26p-7jm2-gmg9
- Rapid7: Authentication Bypasses in MOVEit Transfer and MOVEit Gateway | Rapid7 Blog
- Tenable: https://www.tenable.com/blog/cve-2024-5806-progress-moveit-transfer-authentication-bypass-vulnerability
- Watchtower Analysis: Auth. Bypass In (Un)Limited Scenarios – Progress MOVEit Transfer (CVE-2024-5806) (watchtowr.com)
