Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label File Transfer Tool. Show all posts
Vulnerabilities and Exploits
Cleo Server Data Leak File Transfer Tool Security Patch Vulnerabilities and Exploits

Active Exploitation of Cleo Communications' File Transfer Software Exposes Critical Vulnerabilities

 

Cleo Communications' file transfer software is under active attack, with security researchers from Huntress revealing that a recently issued patch fails to address the critical flaws being exploited. This ongoing vulnerability poses a significant threat to sectors relying on Cleo's software for logistics and supply chain operations.

The Vulnerabilities: Autorun Directory and CVE-2024-50623

Hackers are leveraging two key vulnerabilities in Cleo's software:

  • A feature that automatically executes files in the autorun directory.
  • An arbitrary file-write flaw identified as CVE-2024-50623.

On December 3, Huntress reported that Cleo's LexiCom, VLTransfer, and Harmony software solutions are affected by these issues. Despite the company issuing a patch on the same day, Huntress stated that it "does not mitigate the software flaw." This leaves users vulnerable until a new, effective patch is developed.

Cleo’s Response and Planned Mitigations

During a Zoom session with cybersecurity researchers, Cleo's team acknowledged the flaws and committed to designing a second patch. Earlier in the week, Cleo identified an unauthenticated malicious host vulnerability that could lead to remote code execution, although its CVE identifier is still pending.

In a statement, a Cleo spokesperson said the company had launched an investigation with the assistance of external cybersecurity experts. Cleo also informed customers about the issue and provided interim mitigation steps while working on a patch. The spokesperson emphasized that "the investigation is ongoing."

Recommendations for Cleo Users

Until an effective patch is released, Huntress has advised Cleo users to take immediate actions:

  • Erase items from the autorun directory to disrupt attack pathways.
  • Understand that this measure does not address the arbitrary file-write vulnerability, which remains exploitable.

Impacts on Businesses

The exploitation of Cleo's software has significant repercussions, particularly for industries dependent on large-scale logistics and supply chain operations. Researchers reported that:

  • At least 10 businesses have experienced breaches involving Cleo servers.
  • There was a "notable uptick in exploitation" on December 8 around 07:00 UTC.
  • Most incidents have targeted sectors such as consumer products, the food industry, and shipping.

A search on Shodan revealed 436 vulnerable servers, with the majority located in the United States. This underscores the scale of potential exposure and the urgent need for mitigation.

The Attack Chain: From Autorun to Persistent Access

Attackers exploit the autorun directory feature by inserting malicious files that execute automatically. These files allow them to:

  • Run PowerShell commands.
  • Establish persistent access using webshells retrieved from remote servers.

Examples of malicious autorun files include:

  • healthchecktemplate.txt
  • healthcheck.txt

Conclusion: Urgent Need for Robust Security Measures

The active exploitation of Cleo Communications' software highlights the evolving nature of cybersecurity threats and the critical importance of timely, effective patching. Businesses using Cleo's solutions must remain vigilant and implement recommended mitigations to minimize risk until a comprehensive fix is released.

This incident serves as a reminder for all organizations to prioritize cybersecurity, particularly in industries that handle sensitive data and depend on seamless file transfer operations.

Read more »
Vulnerabilities and Exploits
Data Breaches Data Exploit data security File Transfer Tool MOVEit Remote Workers Vulnerabilities and Exploits

Fresh MOVEit Vulnerability Under Active Exploitation: Urgent Updates Needed

 

A newly discovered vulnerability in MOVEit, a popular file transfer tool, is currently under active exploitation, posing serious threats to remote workforces. 

This exploitation highlights the urgent need for organizations to apply patches and updates to safeguard their systems. The vulnerability, identified by Progress, allows attackers to infiltrate MOVEit installations, potentially leading to data breaches and other cyber threats. MOVEit users are strongly advised to update their systems immediately to mitigate these risks. Failure to do so could result in significant data loss and compromised security. Remote workforces are particularly vulnerable due to the decentralized nature of their operations. The exploitation of this bug underscores the critical importance of maintaining robust cybersecurity practices and staying vigilant against emerging threats. 

Organizations should ensure that all systems are up-to-date and continuously monitored for any signs of compromise. In addition to applying patches, cybersecurity experts recommend implementing multi-layered security measures, including firewalls, intrusion detection systems, and regular security audits. Educating employees about the risks and signs of cyber threats is also essential in maintaining a secure remote working environment. The discovery of this MOVEit vulnerability serves as a reminder of the ever-evolving landscape of cybersecurity threats. 

As attackers become more sophisticated, organizations must prioritize proactive measures to protect their data and operations. Regularly updating software, conducting security assessments, and fostering a culture of cybersecurity awareness are key strategies in mitigating the risks associated with such vulnerabilities. 

Organizations must act swiftly to update their systems and implement comprehensive security measures to protect against potential cyberattacks. By staying informed and proactive, businesses can safeguard their remote workforces and ensure the security of their sensitive data.
Read more »
Vulnerabilities and Exploits
Data Safety File Transfer Tool Maas Hack User Security Vulnerabilities and Exploits

Millions Impacted by the MOVEit Mass Hacks, and the Toll is Rising

 

A security flaw in the MOVEit file transfer application has allowed hackers to steal the personal information of more than 15.5 million people, and the number of impacted companies keeps rising. 

A vulnerability in Progress Software's enterprise file transfer application MOVEit Transfer has been the focus of Clop ransomware assaults, which have so far claimed more than 140 victims. Only 10 of these victims have so far confirmed the number of those impacted, but there are already more than 15.5 million people infected, according to Brett Callow, a ransomware expert and security analyst at Emsisoft. 

This includes roughly 6 million residents of Louisiana, about 770,000 California Public Employees' Retirement System members, between 2.5 and 2.7 million Genworth Finance clients, roughly 1.5 million Wilton Reassurance clients, more than 170,000 Tennessee Consolidated Retirement System beneficiaries, and more than half a million Talcott Resolution clients.

Callow claims that among the large-scale attacks was the National Student Clearinghouse, a nonprofit educational organisation in the United States, which could have experienced a "potentially significant" data loss. The company has a working relationship with 22,000 high schools, 3,600 colleges and institutions, and started contacting schools about the data breach. 

He highlighted that at least seven of the known MOVEit victims are colleges in the United States, and 16 are public sector organisations in the United States. 

According to Bloomberg, this includes the U.S. Department of Health and Human Services (HHS), which announced Wednesday that officials notified Congress of an event involving the exposure of more than 100,000 people. 

The US Cybersecurity and Infrastructure Security Agency earlier stated that "several" US government agencies had been compromised as a result of the MOVEit transfer issue, and a spokeswoman for the Department of Energy confirmed that this included two DOE entities. 

Clop, the group that claimed responsibility for the massive attacks, has added tens of new victims to their leak site this week alone, including banks, consulting and law firms, and energy conglomerates. 

A spokesperson for Siemens Energy, Claudia Nehring, acknowledged to a local media site that the company is one of the targets of the MOVEit assaults. 

"According to our current analysis, no critical data has been compromised, and our operations have not been impacted." "When we learned about the incident, we acted immediately," Nehring stated.

The exact number of organisations affected, and thus violated individuals, is unknown. Clop claims to have hacked "hundreds" of organisations in a post on its leak site, implying that more victims will be revealed in the following days and weeks. 

In light of the latest wave of mass attacks, the United States State Department earlier this month offered a $10 million reward for information on the Clop ransomware group, a Russia-linked gang that was also responsible for previous mass-attacks that exploited flaws in Fortra's GoAnywhere file transfer tool and Accellion's file transfer application.

The vulnerability was fixed by MOVEit software was patched by May 31.
Read more »
zero Day vulnerability
File Transfer Tool Security Advisory SQL Unpatched Flaws Vulnerabilities and Exploits zero Day vulnerability

Progress Software Advises MOVEit Customers to Patch Third Severe Vulnerability

 

Customers of MOVEit are being urged by Progress Software to update their software in less than a month to address a third severe vulnerability. 

According to the most recent vulnerability, identified as CVE-2023-35708, an unauthenticated attacker may be able acquire escalated privileges and gain entry to the MOVEit Transfer database through a SQL injection bug.

In a warning, Progress states that, “an attacker could submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.”

Versions of MOVEit Transfer prior to 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3) are affected by the vulnerability.

On June 15, proof-of-concept (PoC) code aimed at exploiting the flaw was made available. Progress quickly responded, noting that the flaw was made public "in a way that did not follow normal industry standards." 

After a zero-day vulnerability was discovered on May 31 and a second severe bug was patched a week later, Progress has now fixed three critical SQL injection flaws in its MOVEit products in around three weeks. CVE-2023-35708 is the most recent of these. 

Security experts discovered evidence indicating that exploitation may have begun two years prior to the initial flaw, CVE-2023-34362, which only began to be widely exploited in late May.

Attacks on the MOVEit zero-day have affected more than 100 organisations. The Cl0p ransomware gang is responsible for the most recent campaign, and it has begun naming some of the victims in public.

The British Broadcasting Corporation, British Airways, Aer Lingus, the Nova Scotia government, the U.S. Department of Energy, the Louisiana Office of Motor Vehicles, the Oregon Department of Transportation, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE) are just a few of the organisations that have been identified as victims to date. 

Austria, France, Germany, Luxembourg, the Netherlands, Switzerland, the United Kingdom, and the United States all have victims. Malwarebytes adds that the majority of the victims are in the US. 

On June 9, CVE-2023-35036, the second vulnerability, was made public; however, it does not seem to have been used in the wild. Even though Progress claims to be unaware of any exploits for CVE-2023-35708, it advises users to install the most recent updates as soon as feasible.

“All MOVEit Transfer customers must take action and apply the patch to address the June 15th CVE-2023-35708 vulnerability discovered in MOVEit Transfer,” the company added. 

Customers should stop HTTP and HTTPS traffic, limiting access to localhost only, apply the updates that are available (the June 15th patch also fixes the prior vulnerabilities), and then re-enable HTTP and HTTPS traffic to prevent unauthorised access to the MOVEit Transfer environment. 

To fix the issues, Progress has published both DLL drop-in fixes and entire MOVEit Transfer installers. The company's advisory provides more details on how to apply the updates.
Read more »
Supply Chain Attack
Cyber Attacks File Transfer Tool Global Attacks Global Firms Malicious Payload Supply Chain Attack

BBC, British Airways Among High Profile Victims in Global Supply-Chain Hack

 

A rising number of organisations, including the BBC, British Airways, Boots, and Aer Lingus, are being impacted by a widespread attack.

Staff members have received warnings that personal information, including social security numbers and, in some circumstances, bank information, may have been stolen.

The hackers used a well-known piece of software as a gateway to access numerous businesses simultaneously. There are no reports of money being taken or requests for ransom.

One of the impacted businesses in the UK is the payroll services provider Zellis, which reported that data from eight of its customer organisations had been stolen. 

Organisations are notifying employees on their own, though it wouldn't give names. The BBC informed the staff via email that the stolen data contained staff ID numbers, dates of birth, residential addresses, and national insurance numbers. 

British Airways employees have been told that some of their bank information may have been stolen. The National Cyber Security Centre of the UK stated that it was keeping an eye on the situation and recommended businesses using the affected software to apply security updates.

The attack was initially made public last week when US business Progress Software said that hackers had discovered a way to access its MOVEit Transfer application. The majority of MOVEit's users are in the US, although the programme is well-known throughout the world for safely moving sensitive files.

When the exploit was found, according to Progress Software, it immediately informed its clients and made a security update available for download. 

A company spokeswoman stated that the company is collaborating with the police to "combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products".

Businesses using MOVEit were advised to download a security patch on Thursday by the US Cybersecurity and Infrastructure Security Agency to prevent further breaches. 

However, security researcher Kevin Beaumont claimed that because many impacted companies had not yet installed the remedy, internet scans revealed that thousands of company datasets may still be exposed.

Experts predicted that instead of extorting money from individuals, cybercriminals would try to do so from businesses. Although no public ransom demands have been made as of yet, it is anticipated that cybercriminals will start emailing impacted firms to demand payment. They'll probably threaten to release the info online for other hackers to browse. 

Victim organisations caution personnel to be alert for any dubious communications that could result in additional cyberattacks. Microsoft stated that it felt the perpetrators were connected to the infamous Cl0p ransomware organisation, which is thought to have its base of operations in Russia, despite the fact that no official attribution had been established.

The US tech giant claimed in a blog post that it was attributing assaults to Lace Tempest, a ransomware operator and owner of the Cl0p extortion website where victim data is exposed. According to the business, the hackers who were behind the attack have previously used similar methods to extort victims and steal data. 

"This latest round of attacks is another reminder of the importance of supply chain security," stated John Shier, from cyber security company Sophos. "While Cl0p has been linked to this active exploitation it is probable that other threat groups are prepared to use this vulnerability as well."
Read more »
Security flaw
Cyber Attacks Data Leak File Transfer Tool Mass Hack Online Hack Security flaw

Threat Actors Launch a New Wave of Mass-Hacks Against Business File Transfer Tool

 

Security experts are raising the alarm after hackers were detected using a recently identified vulnerability in a well-known file transfer tool that is used by thousands of organisations to start a new wave of massive data exfiltration assaults. 

The flaw affects Progress Software's MOVEit Transfer managed file transfer (MFT) software, which enables businesses to transmit huge files and datasets over the internet. Ipswitch is a subsidiary of Progress Software.

Last week on Wednesday, Progress acknowledged that it had found a vulnerability in MOVEit Transfer that "could lead to escalated privileges and potential unauthorised access to the environment," and it advised customers to turn off internet traffic to their MOVEit Transfer environments. 

All consumers are being urged to promptly apply patches that are now accessible by Progress. 

The U.S. cybersecurity agency CISA is also advising U.S. organisations to implement the required patches, follow Progress' mitigating recommendations, and look for any malicious behaviour. 

The popularity of popular enterprise systems has made corporate file-transfer technologies an increasingly appealing target for hackers who want to steal data from numerous victims. 

The impacted file transfer service is used by "thousands of organisations around the world," according to the company's website, but Jocelyn VerVelde, a representative for Progress through an outside public relations firm, declined to specify how many organisations use it. More than 2,500 MOVEit Transfer servers are visible on the internet, according to Shodan, a search engine for publicly exposed devices and databases. Most of these servers are based in the United States, but there are also many more in the United Kingdom, Germany, the Netherlands, and Canada. 

Security researcher Kevin Beaumont claims that the vulnerability also affects users of the MOVEit Transfer cloud platform. According to Beaumont, some "big banks" are also thought to be MOVEIt customers and at least one disclosed instance is linked to the U.S. Department of Homeland Security. Several security firms claim to have already seen indications of exploitation.

According to Mandiant, "several intrusions" involving the exploitation of the MOVEit vulnerability are under investigation. Charles Carmakal, the chief technical officer of Mandiant, acknowledged that Mandiant had "seen evidence of data exfiltration at multiple victims." 

According to a blog post by cybersecurity firm Huntress, one of its clients has observed "a full attack chain and all the matching indicators of compromise." 

Meanwhile, the security research company Rapid7 said that it has seen indications of data theft and misuse from "at least four separate incidents." According to Rapid7's senior manager of security research, Caitlin Condon, there is evidence that suggests attackers may have started automated exploitation. 

While the exact start date of exploitation is unknown, threat intelligence firm GreyNoise claims to have seen scanning activity as early as March 3. The company advises customers to check their systems for any signs of possible unauthorised access that may have happened during the last 90 days. 

The perpetrator of the widespread MOVEit server exploitation is still unknown. 

The attacker's actions were "opportunistic rather than targeted," according to Rapid7's Condon, who also speculated that this "could be the work of a single threat actor throwing one exploit indiscriminately at exposed targets."
Read more »
Subscribe to: Posts (Atom)