MOVEit Authentication Bypass Vulnerability

June 26, 2024

THE THREAT

eSentire is aware of claims that the MOVEit Transfer authentication bypass vulnerability CVE-2024-5806 is now under active exploitation. CVE-2024-5806 (CVSS: 9.1) was publicly disclosed on June 25th, along with security patches. Exploitation of the vulnerability would allow a remote and unauthenticated threat actor to access, modify, and steal sensitive data stored on MOVEit Transfer servers.

Proof-of-Concept (PoC) exploit code, along with technical details on the vulnerability, was disclosed on June 25th. On the same day, the non-profit organization Shadowserver reported observing exploitation attempts. Post-exploitation activity and attacker objectives had not been released at the time of writing. The eSentire Threat Intelligence team assesses that immediate widespread exploitation of CVE-2024-5806 is probable due to the impact of exploitation, the availability of exploit code, the prevalence of vulnerable devices, and the history of threat actors exploiting MOVEit vulnerabilities. As such, immediate patching of impacted devices is strongly recommended.

What we’re doing about it

What you should do about it

Additional information

CVE-2024-5806 impacts MOVEit Transfer versions “from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2.” Upgrading to the latest version of MOVEit Transfer mitigates the vulnerability.

While the release of PoC exploit code has simplified the exploitation process, it is still not trivial. There are three requirements for a successful attack: the attacker must know a valid username, the vulnerable device must accept remote authentication, and the SFTP server must be Internet-facing. Because threat actors require valid usernames, it is likely that attacks will involve username spraying to identify valid accounts.
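Since the advisory expects username spraying against the SFTP front end, a SOC will want to distinguish that pattern (one source failing against many different accounts in a short window) from an ordinary user mistyping a password. The following Python is an added example, not eSentire's or Progress's code; the log lines are constructed in a generic `key=value` format and are not MOVEit Transfer's real log format, so the regex must be adapted to whatever the SFTP service or SIEM actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log in a generic SFTP auth-event format (assumption: this
# is NOT MOVEit Transfer's real format). One source fails six distinct users in
# six seconds; another source is a single user who retries and then succeeds.
SAMPLE_LOG = """\
2024-06-26T10:00:01Z sftp auth_failed user=alice src=203.0.113.10
2024-06-26T10:00:02Z sftp auth_failed user=bob src=203.0.113.10
2024-06-26T10:00:03Z sftp auth_failed user=carol src=203.0.113.10
2024-06-26T10:00:04Z sftp auth_failed user=dave src=203.0.113.10
2024-06-26T10:00:05Z sftp auth_failed user=erin src=203.0.113.10
2024-06-26T10:00:06Z sftp auth_failed user=frank src=203.0.113.10
2024-06-26T10:00:30Z sftp auth_failed user=alice src=198.51.100.7
2024-06-26T10:00:45Z sftp auth_failed user=alice src=198.51.100.7
2024-06-26T10:01:10Z sftp auth_ok user=alice src=198.51.100.7
2024-06-26T11:30:00Z sftp auth_failed user=gina src=203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sftp (?P<event>auth_failed|auth_ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def detect_username_spraying(log_text, window_seconds=300, min_users=5):
    """Return one alert per source IP that failed authentication for at least
    min_users *distinct* usernames inside any sliding window of window_seconds.

    Repeated failures for a single account are not spraying (that is a password
    guess or a typo); many accounts tried once each from one source is.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["event"] == "auth_failed":
            failures[rec["src"]].append((rec["ts"], rec["user"]))

    alerts = []
    for src, events in failures.items():
        events.sort()
        recent = deque()  # failures inside the current window, oldest first
        best = None       # the window with the most distinct users for this src
        for ts, user in events:
            recent.append((ts, user))
            while ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u in recent}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "src": src,
                    "distinct_users": len(users),
                    "first_seen": recent[0][0].isoformat(),
                    "last_seen": ts.isoformat(),
                    "users": sorted(users),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_username_spraying(SAMPLE_LOG):
        print(f"{alert['src']}: {alert['distinct_users']} distinct users "
              f"between {alert['first_seen']} and {alert['last_seen']}")
```

The thresholds are deliberately parameters: a 5-minute window and five distinct accounts is a reasonable starting point for an Internet-facing SFTP service, but the right values depend on how many legitimate users share a NAT address. Note that the single late failure for `gina` at 11:30 falls outside the window and does not inflate the count, while a successful login after failures from the same user is left alone.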

A second critical authentication bypass vulnerability, CVE-2024-5805 (CVSS: 9.1), was also disclosed on June 25th: an improper authentication vulnerability in the Progress MOVEit Gateway (SFTP module) that allows authentication bypass. The vulnerability impacts MOVEit Gateway 2024.0.0. There is currently no indication that CVE-2024-5805 has been exploited in the wild.
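The affected-version statements for CVE-2024-5806 (the three MOVEit Transfer ranges above) and CVE-2024-5805 (MOVEit Gateway 2024.0.0) are easy to misread when comparing version strings by hand, since "2023.0.10" sorts before "2023.0.2" lexically. The following Python is an added example, not eSentire's or Progress's code: it encodes exactly the ranges stated in this advisory and runs them over a constructed inventory. The host names and the inventory format are assumptions; how you obtain installed versions from your own servers is outside this example.

```python
# Affected versions as stated in the advisory. Each entry is
# (product, first affected version inclusive, first fixed version exclusive);
# a fixed version of None means "exactly this version" because the advisory
# names a single Gateway version rather than a range.
AFFECTED = {
    "CVE-2024-5806": [
        ("MOVEit Transfer", "2023.0.0", "2023.0.11"),
        ("MOVEit Transfer", "2023.1.0", "2023.1.6"),
        ("MOVEit Transfer", "2024.0.0", "2024.0.2"),
    ],
    "CVE-2024-5805": [
        ("MOVEit Gateway", "2024.0.0", None),
    ],
}


def parse_version(text, width=3):
    """Turn '2023.0.10' into (2023, 0, 10) so comparison is numeric, not lexical.

    Shorter strings such as '2023.1' are right-padded with zeros to `width`
    components; anything that is not dotted integers raises ValueError.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (width - len(nums))
    return tuple(nums)


def affected_cves(product, version):
    """Return the sorted CVE ids from the advisory that apply to product/version."""
    v = parse_version(version)
    hits = set()
    for cve, ranges in AFFECTED.items():
        for prod, first, fixed in ranges:
            if prod != product:
                continue
            lo = parse_version(first)
            if fixed is None:
                if v == lo:
                    hits.add(cve)
            elif lo <= v < parse_version(fixed):
                hits.add(cve)
    return sorted(hits)


# Constructed inventory (assumption): (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("mft-01.example.internal", "MOVEit Transfer", "2023.1.4"),
    ("mft-02.example.internal", "MOVEit Transfer", "2024.0.2"),
    ("mft-03.example.internal", "MOVEit Transfer", "2023.0.10"),
    ("gw-01.example.internal", "MOVEit Gateway", "2024.0.0"),
]


def triage(inventory):
    """Return (host, product, version, cves) for every host still exposed."""
    exposed = []
    for host, product, version in inventory:
        cves = affected_cves(product, version)
        if cves:
            exposed.append((host, product, version, cves))
    return exposed


if __name__ == "__main__":
    for host, product, version, cves in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by {', '.join(cves)}")
```

Because the advisory gives upper bounds as "before X", the comparison is strict on the fixed version, so 2023.0.11, 2023.1.6 and 2024.0.2 correctly come back clean while 2023.0.10 is flagged.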

MOVEit vulnerabilities have been heavily targeted by threat actors in the past. In June 2023, eSentire reported on a CLOP (Lace Tempest) extortion group campaign, which involved exploitation of the MOVEit vulnerability CVE-2023-34362 (CVSS: 9.8). The vulnerability was abused to access vulnerable servers and steal victim data. This data was then used as leverage in extortion schemes. As CLOP proved the potential value of this form of attack against MOVEit devices, other threat actors may attempt to imitate the successful campaign by exploiting CVE-2024-5805 or CVE-2024-5806.
