Attacks surge after researchers share POC, software maker furious

MOVEit Transfer-maker Progress Software said that third parties provided attackers with tools to exploit a level 10 critical bug in its WS_FTP Server software.

When it rains, it pours in the headquarters of the US-based software maker Progress Software. The company’s file transfer tool, MOVEit Transfer, has been in the spotlight for months after attackers exploited a zero-day bug to breach thousands of companies.

Meanwhile, in late September, the company disclosed vulnerabilities affecting the WS_FTP Server’s secure file transfer software. One of the now-patched flaws tracked as CVE-2023-40044, was issued a highest severity score of 10, indicating that an exploit could cause a lot of harm to users.

The Cybernews research team believes that attackers could leverage the exploit to carry out remote code execution (RCE) attacks, deploying malicious code on target devices. The team said that thousands of servers were running the WS_FTP Server.

At the time of the disclosure, Progress Software said it had “not seen any indication that these vulnerabilities have been exploited.” However, that was soon to change, as security researchers raced to develop a working POC for the critical bug, with some even posting working POCs on social media as early as September 29th, only two days after the vulnerability disclosure.

“Unfortunately, by building and releasing a POC rapidly after our patch was released, a third-party has given cyber criminals a tool to attempt attacks against our customers.”

Progress Software spokesperson told Cybernews.

Analysts at the cybersecurity firm Huntress later noticed in-the-wild exploitation of the flaw, albeit in a small number of cases. Security researcher Kevin Beaumont said an organization targeted with ransomware claimed that attackers breached the company via WS_FTP.

Meanwhile, Progress Software was disheartened by analysts posting a POC days after the company disclosed the issue.

“We are disappointed in how quickly third parties released a proof of concept (POC), reverse-engineered from our vulnerability disclosure and patch, released on September 27th. This provided threat actors a roadmap on how to exploit the vulnerabilities while many of our customers were still in the process of applying the patch,” the company’s spokesperson told Cybernews.

The company insisted that by “building and releasing a POC rapidly after our patch was released, a third-party has given cyber criminals a tool to attempt attacks against our customers.”

“The security of our customers is our top priority and we continue to work with our customers and responsible third-party research experts to discover, properly disclose and remediate any issues. We hope that the community will discourage the irresponsible publication of POCs rapidly following the release of security patches from software vendors,” the company said.

MOVEit Transfer attacks

Earlier this year, a Russia-linked ransomware gang Cl0p exploited a now-patched zero-day bug in MOVEit Transfer software, allowing attackers to access and download the stored data.

Cl0p goes by a few different names. People in the cyber industry know the syndicate as TA505, Lace Tempest, Dungeon Spider, and FIN11. The gang is quite old, having been first observed back in 2019.

Earlier this summer, Cybernews received evidence that one of the Cl0p ransomware strain developers was in the city of Kramatorsk in Eastern Ukraine, on the front line of the Russia-Ukraine war.

Recent reports into how the gang distributes stolen data indicate that cybercrooks employ virtual private server (VPS) hosting services, with servers physically located in Russia’s two largest cities: Moscow and Saint Petersburg.

Numerous well-known organizations have had their clients exposed in the MOVEit attacks. For example, TD Ameritrade, a US stockbroker, reported that over 60,000 of its clients were exposed, with Cl0p taking the financial account data of some.

Other named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, Johns Hopkins University and Health System, Warner Bros Discovery, AMC Theatres, Choice Hotels’ Radisson Americas chain, and Crowe accounting advisory firm.

More from Cybernews:

San Francisco’s transport agency exposes drivers’ plate numbers and addresses

PlayStation maker victimized in MOVEit Transfer breach

Spotify gifts thousands of audiobooks to its premium subscribers

Struggling X seeks more ad revenue, partners with Google

Russia mistakenly doxxes its own secret bases and spies

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked