Deployed publicly accessible MOVEit Transfer? Oh no. Mass exploitation underway

Security researchers and the US government have sounded the alarm on a flaw in Progress Software's MOVEit Transfer that criminals have been "mass exploiting" for at least a month to break into IT environments and steal data. Progress disclosed some info about the SQL-injection vulnerability in its multi-tool file-transfer …

  1. An_Old_Dog Silver badge

    SFTP Securely Shares Files ...

    ... without needing a whole monster product using SQL databases and such. Let's reduce the attack surface, natch?

    1. Plest Silver badge

      Re: SFTP Securely Shares Files ...

      Plus if you get a bad app/library or one that gets deprecated, you can usually swap something new in without too much pain 'cos SFTP is a "primitive" protocol that tons of utils, langs and libraries can support.

  2. ske1fr

    There were two ways to headline this

    The first using the Baha Men, the second would have referred to Police Academy.

  3. Archivist

    Stock photo

    Looks like a TV station.

  4. Pascal Monett Silver badge

    "a way for people to share files supposedly securely between each other"

    So, what does Dropbox have to say about this matter ?

    Is their marketing asleep ?

    1. Anonymous Coward

      Re: "a way for people to share files supposedly securely between each other"

      They'd probably not say anything as they were hacked in November of 2022. Your memory is really short. If it was longer, you'd remember that they were also impacted by the exposure of 68M passwords in 2016.

    2. Claptrap314 Silver badge

      Re: "a way for people to share files supposedly securely between each other"

      1) "Glad it's not us (this time)."

      2) No, but you're not on their mail list.

  5. Anonymous Coward

    SFTP requires a client, MOVEit Transfer doesn't. SFTP also doesn't provide an audit trail and a lot of other features that are needed and useful so that non-techies can administer it. You could add them in and, oh, you now have MOVEit Transfer. It also works on ports 80 and 443; sadly those are the ports that were exploited.

    It's a lot more than a file transfer program. I like it and until now it's been good. We'll patch and see how it goes.

    1. Anonymous Coward

      "Dance with the devil, you must pay the piper."

      Yep, I'm sure MOVEit is great, but look where that convenience has got you now.

      SFTP is just a protocol; you can dress it up in any costume you want. I've coded SFTP executions using industry-grade libraries for the last 10 years. I always put in full logging, dump out all the metadata into JSON and I even add a web interface for anyone to inspect the transfer logs. You can run SFTP over any port you like, it doesn't have to be port 22; move it to a port of your choice. Same with SSH, that doesn't have to be port 22, and to be honest you're best off moving it, as it's the first port the scum will attack after they do you on 80 and 443. Where I am we use SFTP to move about half a million files a week between dozens of hosts; it's a very robust protocol.
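Comment 5 says SFTP provides no audit trail and the reply above describes adding full logging with transfer metadata dumped to JSON. The Python below is an added example, not code from either commenter or from any product in the article: it reconstructs such an audit trail from the lines OpenSSH's sftp-server (or internal-sftp, run with `-l INFO` or higher) writes to syslog, pairs each `open` with its `close` to work out direction and size, emits the result as JSON, and summarises per-user download volume so a defender can spot a bulk pull. The log line shapes are an assumption drawn from OpenSSH's sftp-server output and the sample lines are constructed; verify the regexes against your own sshd before relying on them.

```python
import json
import re
from dataclasses import dataclass, field, asdict
from typing import Dict, List

# Assumed syslog line shape: "<mon> <day> <hh:mm:ss> <host> <prog>[<pid>]: <msg>".
# Program name is sftp-server, internal-sftp or sshd depending on how the
# subsystem is configured (assumption: check your own sshd output).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?:sftp-server|internal-sftp|sshd)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Message shapes as written by OpenSSH sftp-server at INFO level (assumption).
SESSION_RE = re.compile(r'^session opened for local user (?P<user>\S+) from \[(?P<ip>[^\]]+)\]$')
OPEN_RE = re.compile(r'^open "(?P<path>[^"]+)" flags (?P<flags>\S+) mode (?P<mode>\d+)$')
CLOSE_RE = re.compile(r'^close "(?P<path>[^"]+)" bytes read (?P<read>\d+) written (?P<written>\d+)$')


@dataclass
class Session:
    pid: str
    user: str = "unknown"
    client_ip: str = "unknown"
    opened: Dict[str, str] = field(default_factory=dict)  # path -> open flags


@dataclass
class TransferEvent:
    timestamp: str
    user: str
    client_ip: str
    path: str
    flags: str
    direction: str  # "upload", "download" or "noop"
    size: int


def parse_sftp_log(lines: List[str]) -> List[TransferEvent]:
    """Turn raw sftp-server log lines into one audit event per completed file handle."""
    sessions: Dict[str, Session] = {}
    events: List[TransferEvent] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sftp line; ignore rather than fail on unrelated syslog traffic
        sess = sessions.setdefault(m["pid"], Session(pid=m["pid"]))
        msg = m["msg"]
        sm = SESSION_RE.match(msg)
        if sm:
            sess.user, sess.client_ip = sm["user"], sm["ip"]
            continue
        om = OPEN_RE.match(msg)
        if om:
            sess.opened[om["path"]] = om["flags"]
            continue
        cm = CLOSE_RE.match(msg)
        if cm:
            read, written = int(cm["read"]), int(cm["written"])
            # Bytes written by the server came from the client: an upload.
            # Bytes read by the server went to the client: a download.
            if written > 0:
                direction, size = "upload", written
            elif read > 0:
                direction, size = "download", read
            else:
                direction, size = "noop", 0
            events.append(TransferEvent(
                timestamp=m["ts"], user=sess.user, client_ip=sess.client_ip,
                path=cm["path"], flags=sess.opened.pop(cm["path"], ""),
                direction=direction, size=size,
            ))
    return events


def to_json_audit(events: List[TransferEvent]) -> str:
    """Serialise the audit trail as JSON, one object per transfer."""
    return json.dumps([asdict(e) for e in events], indent=2)


def find_bulk_downloaders(events: List[TransferEvent], min_files: int) -> Dict[str, int]:
    """Users who downloaded at least min_files files, mapped to total bytes pulled."""
    counts: Dict[str, int] = {}
    totals: Dict[str, int] = {}
    for e in events:
        if e.direction == "download":
            counts[e.user] = counts.get(e.user, 0) + 1
            totals[e.user] = totals.get(e.user, 0) + e.size
    return {u: totals[u] for u, n in counts.items() if n >= min_files}


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    "Jun  5 10:02:11 sftp01 sftp-server[4242]: session opened for local user alice from [198.51.100.7]",
    'Jun  5 10:02:13 sftp01 sftp-server[4242]: open "/upload/report.csv" flags WRITE,CREATE,TRUNCATE mode 0644',
    'Jun  5 10:02:14 sftp01 sftp-server[4242]: close "/upload/report.csv" bytes read 0 written 20480',
    "Jun  5 10:05:40 sftp01 sftp-server[4311]: session opened for local user bob from [203.0.113.9]",
    'Jun  5 10:05:41 sftp01 sftp-server[4311]: open "/export/customers.csv" flags READ mode 0666',
    'Jun  5 10:05:42 sftp01 sftp-server[4311]: close "/export/customers.csv" bytes read 1048576 written 0',
    'Jun  5 10:05:43 sftp01 sftp-server[4311]: open "/export/invoices.csv" flags READ mode 0666',
    'Jun  5 10:05:44 sftp01 sftp-server[4311]: close "/export/invoices.csv" bytes read 524288 written 0',
    'Jun  5 10:05:45 sftp01 sftp-server[4311]: opendir "/export"',
    'Jun  5 10:05:46 sftp01 sftp-server[4311]: closedir "/export"',
]

if __name__ == "__main__":
    evs = parse_sftp_log(SAMPLE_LOG)
    print(to_json_audit(evs))
    print("bulk downloaders:", find_bulk_downloaders(evs, min_files=2))
```

The parser keys sessions on the sftp-server PID, which is what ties an `open`/`close` pair back to the authenticated user and client address logged at session start; feeding it the JSON output into whatever log viewer you already have gives the per-transfer audit record the thread says SFTP lacks on its own.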

  6. daflibble

    Oh dear and now the BBC announce they've fallen victim to this.
