MOVEit maker warns of new critical bug affecting thousands

Progress Software, the company behind the MOVEit Transfer tool which hackers exploited to breach thousands of businesses, said its WS_FTP Server software needs to be patched for a maximum severity bug.

The company recently disclosed vulnerabilities affecting the WS_FTP Server secure file transfer software’s interface and Ad hoc transfer module.

According to Progress’ advisory, attackers could “leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.”

The Cybernews research team said that the bug was assigned the highest possible severity code, indicating that it is extremely dangerous.

“These vulnerabilities are often easily exploited by bad actors. Also, it can cause significant harm or damage. Since the bug affects all versions of the WS_FTP Server Ad hoc module, it could grant a wider range of attacks because of the different versions affected,” the team said.

One of the ways attackers could exploit the bug is by carrying out a remote code execution (RCE) attack, with threat actors commanding the operation of another person’s or business’s device.

Progress claims that “thousands of IT teams depend on WS_FTP.” According to IoT search engines inspected by Cybernews, over 6,000 servers are currently running the WS_FTP Server.

Progress issued a fix, advised users to “update immediately,” and offered remedial steps for users who can’t quickly update the affected software. The company told Cybernews that after it disclosed the vulnerabilities there were no indications that it has been exploited.

“We have responsibly disclosed these vulnerabilities in conjunction with the researchers at Assetnote. Currently, we have not seen any indication that these vulnerabilities have been exploited. We have issued a fix and have encouraged our customers to perform an upgrade to the patched version of our software. Security is of the utmost importance to us and we leverage development practices to minimize product vulnerabilities whenever possible,” the company's spokesperson said.

MOVEit Transfer attacks

Earlier this year, ransomware gang Cl0p exploited a now-patched zero-day bug in Progress Software’s MOVEit Transfer software which allowed attackers to access and download the data stored there.

So far, over 2,100 organizations and over 62 million people are confirmed to have been impacted by the MOVEit Transfer attacks.

The Russia-linked gang Cl0p goes by a few different names. People in the cyber industry know the syndicate as TA505, Lace Tempest, Dungeon Spider, and FIN11. The gang is quite old having been first observed back in 2019.

Numerous well-known organizations have had their clients exposed in the MOVEit attacks. For example, TD Ameritrade, a US stockbroker, reported that over 60,000 of its clients were exposed, with Cl0p taking the financial account data of some.

Other named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, Johns Hopkins University and Health System, Warner Bros Discovery, AMC Theatres, Choice Hotels’ Radisson Americas chain, and Crowe accounting advisory firm.