Security experts are raising the alarm after hackers were detected using a recently identified vulnerability in a well-known file transfer tool that is used by thousands of organisations to start a new wave of massive data exfiltration assaults.
The flaw affects Progress Software's MOVEit Transfer managed file transfer (MFT) software, which enables businesses to transmit huge files and datasets over the internet. Ipswitch is a subsidiary of Progress Software.
Last week on Wednesday, Progress acknowledged that it had found a vulnerability in MOVEit Transfer that "could lead to escalated privileges and potential unauthorised access to the environment," and it advised customers to turn off internet traffic to their MOVEit Transfer environments.
All consumers are being urged to promptly apply patches that are now accessible by Progress.
The U.S. cybersecurity agency CISA is also advising U.S. organisations to implement the required patches, follow Progress' mitigating recommendations, and look for any malicious behaviour.
The popularity of popular enterprise systems has made corporate file-transfer technologies an increasingly appealing target for hackers who want to steal data from numerous victims.
The impacted file transfer service is used by "thousands of organisations around the world," according to the company's website, but Jocelyn VerVelde, a representative for Progress through an outside public relations firm, declined to specify how many organisations use it.
More than 2,500 MOVEit Transfer servers are visible on the internet, according to Shodan, a search engine for publicly exposed devices and databases. Most of these servers are based in the United States, but there are also many more in the United Kingdom, Germany, the Netherlands, and Canada.
Security researcher Kevin Beaumont claims that the vulnerability also affects users of the MOVEit Transfer cloud platform. According to Beaumont, some "big banks" are also thought to be MOVEIt customers and at least one disclosed instance is linked to the U.S. Department of Homeland Security.
Several security firms claim to have already seen indications of exploitation.
According to Mandiant, "several intrusions" involving the exploitation of the MOVEit vulnerability are under investigation. Charles Carmakal, the chief technical officer of Mandiant, acknowledged that Mandiant had "seen evidence of data exfiltration at multiple victims."
According to a blog post by cybersecurity firm Huntress, one of its clients has observed "a full attack chain and all the matching indicators of compromise."
Meanwhile, the security research company Rapid7 said that it has seen indications of data theft and misuse from "at least four separate incidents." According to Rapid7's senior manager of security research, Caitlin Condon, there is evidence that suggests attackers may have started automated exploitation.
While the exact start date of exploitation is unknown, threat intelligence firm GreyNoise claims to have seen scanning activity as early as March 3. The company advises customers to check their systems for any signs of possible unauthorised access that may have happened during the last 90 days.
The perpetrator of the widespread MOVEit server exploitation is still unknown.
The attacker's actions were "opportunistic rather than targeted," according to Rapid7's Condon, who also speculated that this "could be the work of a single threat actor throwing one exploit indiscriminately at exposed targets."