A critical vulnerability in file transfer system MOVEit Transfer is being actively exploited by hackers, who are using the bug to steal data from the software company’s customers. MOVEit is deployed widely across the public sector in the UK and the US, and users are being urged to take action to safeguard their networks.
The vulnerability is under active exploitation according to research from security company Rapid7. Progress Software, which makes MOVEit Transfer, has released a series of patches to combat the problem.
Vulnerability in MOVEit Transfer exploited by hackers
MOVEit Transfer provides automated file transfers of sensitive information, and is widely used in the private sector and by government agencies.
Progress Software describes the exploit as an SQL injection flaw that allows for “escalated privileges and potential unauthorised access” on targeted systems.
The damage could be widespread. According to Rapid7, there had been 2,500 instances of MOVEit Transfer exposed online by the end of May. The majority of these seem to affect clients in the US, the security company said.
Researchers at another cybersecurity vendor, GreyNoise, observed scanning activity for the login page of MOVEit as early as 3 March. “While we have not observed activity directly related to exploitation, all of the five IPs we have observed attempting to discover the location of MOVEit installations were marked as ‘malicious’ by GreyNoise for prior activities,” relating to cybercrime, the company explains.
Tech Monitor has contacted Progress Software for comment, but speaking to Reuters, the company’s CIO Ian Pitt said it noted the vulnerability on 28 May and moved quickly to make patches available. Pitt said the problem also impacts the company’s cloud service, but that he is not aware of any exploits taking advantage of this.
How MOVEit Transfer customers should respond
Based on this scanning activity, researchers at GreyNoise recommend that users of this transfer service should extend the time window for their review of potentially malicious activity to at least 90 days.
Progress Software is urging customers using the file transfer service to “immediately” disable all HTTP and HTTPS traffic to their transfer environments and to moderate firewalls to deny such traffic to MOVEit Transfer ports.
Security researcher Kevin Beaumont believes the impact of the vulnerability could be significant, writing on Mastodon that the company has a “huge US footprint, including the US government”. Beaumont warned: “Everyone online is still vulnerable, this includes some big banks.”
The UK’s NHS has released an advisory through its NHS Digital platform posting mitigation advice. US cybersecurity agency CISA has also released a warning, urging customers of MOVEit Transfer to take immediate action.